Botnet activity in H1 2018: Multifunctional bots becoming more widespread

Kaspersky Lab researchers have published a report on botnet activity in the first half of 2018, analyzing more than 150 malware families and their modifications circulating through 600,000 botnets around the world. One of the most remarkable things uncovered by the research was growing international demand for multi functional malware that is not designed for specific purposes but is flexible enough to perform almost any task.

Botnets – nets of compromised devices used in criminal activity – are harnessed by criminals to spread malware and facilitate DDoS and spam attacks. Using Kaspersky Lab’s Botnet Tracking technology, the company’s researchers continuously monitor botnet activity to prevent forthcoming attacks, or to nip a new type of banker Trojan in the bud. The technology works by emulating a compromised device, trapping the commands received from threat actors that are using the botnets to distribute malware. This provides the researchers with valuable malware samples and statistics.
Based on the results of recent research, in the first half of 2018, the share of single-purpose malware distributed through botnets dropped significantly in comparison to the second half of 2017. For example, in H2 2017, 22.46% of all unique malicious files distributed through the botnets monitored by Kaspersky Lab were banking Trojans, while in the first half of 2018, the share of bankers dropped by 9.21 percentage points – to 13.25% of all malicious files witnessed by the Botnet Tracking service.
The share of spamming bots – another type of single-purpose malicious software distributed through botnets – also decreased significantly: from 18.93% in H2 2017 to 12.23% in H1 2018. DDoS bots, yet another typical single-purpose malware, also dropped, from 2.66% in H2 2017 to 1.99% in H1 2018.

At the same time, the most distinctive growth was demonstrated by malware of a versatile nature, in particular, Remote Access Tools (RAT) malware that provides almost unlimited opportunities for exploiting the infected PC. Since H1 2017, the share of RAT files found among the malware distributed by botnets almost doubled, rising from 6.55% to 12.22%. Njrat, Dark Comet and Nano core topped the list of the most widespread RATs. Due to their relatively simple structure, the three back doors can be modified even by an amateur threat actor. This allows the malware to be adapted for distribution in a specific region.

Trojans, also used for a variety of purposes, did not demonstrate as much progress as RATs, but, unlike a lot of single-purpose malware, their share of detected files increased, rising from 32.89% in H2 2017 to 34.25% H1 2018. Just like the back doors, one Trojan family can be modified and controlled by multiple command and control (C&C) servers, each with different purposes, for example, cyberespionage or the stealing of credentials.