Dridex, Trickbot, and Emotet are banking Trojans that have enabled cybercrime groups to steal hundreds of millions of dollars from their victims. These malware have evolved over the years, and just recently, Emotet was seen using stolen attachments to make their spam emails more credible. As with other malware types, once Trickbot, Dridex, and Emotet infect a victim’s device, they communicate with their command-and-control (C&C) servers. From there, the attackers can control the infected machines turning them into a resource for malicious activities.

One may wonder where in the world these C&C servers are located (or at least appear to be). We decided to look into this further using our IP geolocation intelligence and conducted a short study to determine malware and botnet C&C servers’ usual locations and other details with our bulk IP address location API.

The Data: IP Blocklist

We obtained a list of IP addresses from Feodo Tracker, which contained IP addresses tagged as indicators of compromise (IoCs) for Trickbot, Dridex, and Emotet. The recommended blocklist, which has fewer false positives than the aggressive list, was last updated on 16 September 2020. It contained 836 IP addresses associated with C&C servers.

The Findings: C&C Server Locations Revealed by Bulk IP Geolocation

Bulk IP geolocation allows users to obtain the geolocation of as many as 100,000 IP addresses with one API call. Below are our findings using the capability to analyze C&C server locations.

The U.S. Takes the Lead

The 836 IP addresses on the IP blocklist are distributed across 88 countries, with the U.S. leading the pack. Our bulk IP geolocation query returned 182 IP addresses located in the U.S. Moreover, about 54% of these IP addresses belong to these Internet service providers (ISPs):

• Charter Communications (35 IP addresses)
• Digital Ocean (21 IP addresses)
• ITL-Bulgaria Ltd. (13 IP addresses)
• Comcast Cable Communications (12 IP addresses)
• Linode (9 IP addresses)
• Frontier Communications Corporation (9 IP addresses)

A majority of the U.S. IP addresses are located in California (46), New York (18), and New Jersey (16).

Top ISPs

The IP addresses on the Feodo Tracker are spread over 400 Internet service providers (ISPs). We ranked them according to ISP with the highest number of C&C servers, and the top 12 are:

1. Charter Communications
2. Digital Ocean
3. OVH
4. Telmex
5. Turk Telekom
6. ITL-Bulgaria Ltd.
7. Linode
8. Comcast Cable Communications
9. NTT Communications Corporation
10. Telstra
11. Emirates Integrated Telecommunications Company
12. Fibertel

Top 20 Countries with the Highest Number of C&C Servers versus Top 20 Wealthiest Countries

Some 611 or 73% of the malicious IP addresses belong to the top 20 countries. Each country has no less than 10 malicious IP addresses each.

1. U.S.
2. Argentina
3. Germany
4. Japan
5. Brazil
6. Mexico
7. U.K.
8. France
9. Turkey
10. Colombia
11. Russia
12. Indonesia
13. Australia
14. Italy
15. Spain
16. India
17. Vietnam
18. Singapore
19. South Africa
20. Chile

Of the top 20 countries with the highest number of C&C servers,15 pertained to the world’s top 20 economies based on gross domestic product (GDP). A potential reason for this is that developed countries typically have advanced infrastructure, especially server hosting offered by larger ISPs with many subscribers, at a cheaper cost.

In fact, about half of the malware attacks in 2018 targeted the U.S., which also tops our list of countries. In a more recent study, seven out of the top 10 countries with the highest number of banking malware victims are also among the top 20 countries with the highest C&C server concentration we found.

Associated Domains

Our bulk IP address location lookup also returned associated domains for most of the IP addresses. The image below shows some examples of these associated domains.

We examined three of the domains highlighted in the image above in one of our investigations (dnb[.]tkk[.]mybluehost[.]me, iaml[.]com, and server[.]dnb[.]tkk[.]mybluehost[.]me). At that time, our reverse IP lookup for 162[.]241[.]92[.]219 returned these three domains. At present, however, one more domain—hccydsm[.]sitelockcdn[.]net—was added to the list, highlighting the need for regular monitoring of malicious IP addresses and their domain associations.

Cybercriminal groups that have used Dridex, Emotet, Trickbot, and other malware forms have stolen millions of dollars from banks and individuals alike. As organizations need to prevent malware from infiltrating their networks, gathering context around C&C servers may help pinpoint attack origins. We illustrated how bulk IP address location lookups could help in this area among others—check this blog for other purposes of IP geolocation.