The coordinated efforts were part of the URLhaus initiative that Abuse.ch launched in March 2018, and whose primary objective is to collect and share URLs about active malware campaigns so the information security (infosec) community can take action by blacklisting or taking down URLs.
In a report published today, Abuse.ch says the URLhaus project has been a resounding success, with 265 security researchers sharing URLs and filing abuse reports with web hosting providers over the past year.
The organization says that researchers shared between 4,000 and 5,000 active malware distribution sites per day, filing hundreds of abuse reports in the process.
The table below shows the top malware hosting networks, hosting active malware content (counting online malware distribution sites only as of Jan 20th, 2019). As you can easily spot, 2/3 of the top malware hosting networks are hosted either in the US or China.
The vast majority of malware links hosted payloads for the Emotet and Gozi trojans, and the GandCrab ransomware.
Emotet ruled the year 2018 – URLhaus
As for what the 265 security researchers have reported the most in the last ten months, the answer was not a surprise. Of the 380,000 malware samples that security researchers found hosted on newly created or hacked websites, the most common malware family was Emotet (also known as Heodo), a multi-faceted malware strain that can work as a downloader for other malware, a backdoor, a banking trojan, a credentials stealer, or a spam bot, among many other things.
Other popular malware strains that researchers spotted and reported included variations of the Gozi banking trojan, and installers for GandCrab, which is, by far, today’s most prevalent ransomware strain.
Because most of today’s email security scanners do a good job at detecting malicious file attachments, recent email spam campaigns don’t work as they did in the past.
Nowadays, many spam campaigns have switched from including the malware payload in the file attachment to add a link inside the email body that points to a website from where the victim is asked to download a malicious document or the malware’s installer.
“URLhaus wouldn’t be successful without the help of the community. But we are not where we should be yet. There is still a long way to go with regards to the response time of abuse desks. An average reaction time of more than a week is just too much and proves bad internet hygiene.” concludes abuse.ch.