Smart & Secure Blog

The Rise of the Bots

Cyber threat activity related to Command-and-Control (C&C) attacks is on the rise.

During H1 2023, Allot Secure blocked 86% more internet connections related to C&C attacks versus the previous half year. Meanwhile, the number of unique domains and IP addresses connected to C&C activity increased by 11% over the same period.

In addition, during H1 2023 the number of C&C cyber incidents increased as a percentage of all Allot Secure cyber protection activity for consumers and SMBs. The most significant change was among consumers, where C&C attacks went from 2% in H2 2022 to 18% in H1 2023. For small and medium businesses, where C&C was already important during the second half of 2022, the relevance of this type of threat grew from 16% to 32%. It is worth noting that SMBs are especially exposed to the effects of cybercrime, as many SMBs affected by a successful attack go out of business.

How is C&C activity related to Botnet attacks?

Attackers often use command and control (C&C) methods to manage multiple compromised devices, turning them into a "botnet" that launches attacks or receives instructions to collect data and harm the device users. Allot Secure detects and stops traffic to and from malicious domains or IP addresses linked to botnet command and control centers. By cutting off communication between the infected devices and the C&C server, Allot Secure blocks the botnet's ability to receive commands, rendering it ineffective. Furthermore, Allot Secure blocks many types of Trojans used to install the malware that enables C&C communication.

Top Trojans using C&C blocked during H1 2023

A Trojan is malware that invades a device and misleads users about its true intent by disguising itself as a legitimate program. The best-known Trojans affect not only large infrastructure but also simple devices, making consumers and SMBs, who are usually more exposed to cyber risk, the perfect victims. The following is a list of Trojan threats that used C&C architecture, ranked according to relevance in this year's first half.

H1 2023 threat behavior for the top Trojan families

Dropper Trojan: A stealthy program designed to secretly deliver other harmful software onto the infected device. It acts like a "delivery person" that brings viruses, ransomware, or other dangerous code to the system without the user's knowledge.

Banking Trojan: Malicious software targeting financial information. It disguises itself as a legitimate banking app or website to trick users into revealing sensitive data such as login credentials, credit card numbers, or account details, allowing cybercriminals to commit financial crimes. Trojan Coper captures the information through a keylogger; Trojan Hydra takes access credentials and other banking data by overwriting the banking app.

Miner Trojan: A harmful program that stealthily harnesses the computer’s processing power to mine cryptocurrencies like Bitcoin. It runs in the background without the user’s consent, using up the device’s resources, slowing it down, and potentially causing damage to hardware due to overheating.

Why are Trojan cyberattacks trending toward command and control architecture?

Once a Trojan is installed on a device, it can do a lot of damage to its victims: loading malware onto the system, exploiting vulnerabilities, executing phishing attacks, initiating DDoS and botnet attacks, and more. A complex design that includes a C&C architecture lets attackers maximize the benefit of each infected device.

But why do cybercriminals choose to act with C&C?

  • It's sneakier. It lets attackers keep issuing instructions and exfiltrating data while remaining hidden from the victim and from security solutions.
  • Scalability. Attackers can issue commands to and receive data from many devices simultaneously, letting them expand and launch coordinated attacks on various targets, including individuals, organizations, or even critical national infrastructure.
  • It's more evasive. By using encrypted communication channels, proxy servers, or other obfuscation techniques, they can evade security measures and detection mechanisms.
  • It's more versatile. It lets attackers remotely control and manage their network of infected devices, making it easier to update and adapt their malicious activities.

What happens after the Trojan infiltrates the device?

  1. Get in touch. Once inside, the Trojan looks up domain names or IP addresses hidden in its code to establish communication with the C&C server.
  2. Communicate silently. It talks to the server without raising suspicion, often over protocols such as HTTP or DNS, to remain unseen.
  3. Get instructions from the C&C server. These can be anything from stealing sensitive data to spreading further within the network or launching additional attacks.
  4. Send intelligence back to the C&C server, such as logged keystrokes, captured screenshots, or other sensitive login details.
  5. Stay hidden to avoid detection. The Trojan may use encryption to hide its communication, or even manipulate system processes to remain undetected by antivirus software.

Allot Secure network-native security blocks C&C communication

A network-native cybersecurity solution can stop the internet connections between infected devices and the domains and IP addresses associated with command and control (C&C) servers. Allot Secure maintains a continuously updated list of known C&C server addresses and works 24/7 to provide subscribers with a safer internet.
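As an added example (not Allot's code), here is defender-side detection logic in Python over constructed connection-log lines: it matches destinations against a placeholder list of known C&C domains and IPs, the network-native blocking this section describes, and also flags the fixed-interval check-in pattern from the infiltration steps above, which catches a C&C destination before it reaches any list. The blocklist entries, log format and all addresses are constructed for the example.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed placeholder blocklist: a reserved example domain and an RFC 5737 test IP.
KNOWN_C2 = {"c2-placeholder.example", "203.0.113.7"}

# Constructed connection log, one record per line: "<epoch> <src_ip> <destination> <proto>"
SAMPLE_LOG = """\
1690000000 10.0.0.5 c2-placeholder.example https
1690000060 10.0.0.5 c2-placeholder.example https
1690000120 10.0.0.5 c2-placeholder.example https
1690000180 10.0.0.5 c2-placeholder.example https
1690000005 10.0.0.9 198.51.100.20 dns
1690000305 10.0.0.9 198.51.100.20 dns
1690000605 10.0.0.9 198.51.100.20 dns
1690000905 10.0.0.9 198.51.100.20 dns
1690000010 10.0.0.3 www.example.org https
1690001234 10.0.0.3 www.example.org https
"""

def parse_log(text):
    """Parse the whitespace-separated log format above into (ts, src, dst, proto) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto = line.split()
            rows.append((int(ts), src, dst, proto))
    return rows

def blocklist_hits(rows, blocklist=KNOWN_C2):
    """Connections whose destination is a known C&C domain or IP; these are the ones to block."""
    return [r for r in rows if r[2] in blocklist]

def beacon_candidates(rows, min_conns=4, max_jitter=5.0):
    """Return {(src, dst): mean_interval} for pairs that connect at near-constant intervals,
    the polling pattern of an implant checking in with its C&C server over HTTP or DNS."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in rows:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            flagged[pair] = sum(gaps) / len(gaps)
    return flagged
```

In the constructed log, the HTTPS client polling every 60 seconds and the DNS client polling every 300 seconds are both flagged, while the two irregular visits to www.example.org are not.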

Learn more in the latest Cyber Threat Report

During the first half of 2023, there was no letup on cybercrime. Many categories of potential attacks were detected and blocked in our customers’ networks, both among consumers and small businesses.

Allot’s latest Cyber Threat Report highlights the most significant trends and specific cyber threats that Allot Secure blocked during the first half of 2023 for consumers and SMBs worldwide.

With many millions of customers cyber-protected by the end of H1 2023, and billions of risky cyber connections blocked for our security services subscriber base, we are able to present a comprehensive analysis based on valuable threat data and shed light on the latest trends and emerging risks.

FAQ

How is C&C activity related to botnet attacks?
C&C methods manage compromised devices, forming botnets for attacks. Allot Secure halts traffic from malicious domains and IP addresses linked to C&C centers, disrupting botnet communication.

Which Trojans using C&C were the top threats blocked during H1 2023?
Dropper Trojan: Secretly delivers harmful software.
Banking Trojan: Targets financial data through deception.
Miner Trojan: Secretly mines cryptocurrencies, causing system slowdown.

Why do cybercriminals choose to act with C&C?
Sneakier operations, keeping hidden from victims and security solutions.
Scalability, allowing simultaneous commands across multiple devices.
Evasion of detection through encryption and obfuscation.
Versatility in remote control and management of infected devices.

What happens after the Trojan infiltrates the device?
1. Establish silent communication with the C&C server.
2. Receive instructions for further malicious activities.
3. Send gathered intelligence back to the C&C server.
4. Remain hidden to avoid detection, using encryption and process manipulation.

How does Allot Secure block C&C communication?
1. Allot Secure halts internet connections between infected devices and C&C servers.
2. It maintains an updated list of known C&C server addresses.
3. It provides continuous protection against C&C threats.
