Introduction

To protect our users, Quad9 blocks DNS lookups of malicious host names from an up-to-the-minute list of threats. This blocking action protects your computer, mobile device, or IoT systems against a wide range of threats, such as malware, phishing, spyware, and botnets, and it can improve performance and privacy. This blogpost provides security insights on the threats blocked by Quad9 DNS between January and June 2024. The report combines DNS telemetry data and open-source intelligence with statistics and analysis to provide security insights on the top malicious domains visited by our users and blocked by Quad9 DNS. Additionally, the post presents key regional threats targeting Quad9 users.

Victimology - Top Regional Threats

Omnatour malvertising campaigns continue to plague users globally. Previously highlighted in our Cyber Insights reports, these attacks hijack browser settings to distribute harmful riskware. Cybercriminals exploit compromised websites to deliver spyware, employing sophisticated evasion techniques to avoid detection. The persistence of such campaigns underscores the critical importance of robust cybersecurity measures such as Quad9 DNS to protect against these evolving threats.

The Pumpkin Eclipse

In June 2024, we observed a high volume of blocked DNS queries to the domains attributed to the Pumpkin Eclipse malware botnet.

Leveraging a malicious software program, the attackers rendered hundreds of thousands of routers inoperable, requiring complete hardware replacement. According to the researchers at Lumen, this incident significantly disrupted internet access across all regions, impacting critical services such as emergency response and healthcare. The attack highlights the growing sophistication and destructive potential of cyber threats. Based on Quad9 observations, the most impacted regions were Europe and Asia. Just in June, Quad9 blocked more than 801 million DNS queries to domains related to the Pumpkin Eclipse botnet.

Qu[.]ax: A Malicious Distribution Hub

Among top blocked domains in the first half of 2024 we observed qu[.]ax domain which is classified as a malicious distribution domain. This indicates its active involvement in disseminating harmful content, including malware and unwanted files. The domain poses significant risks to users, as it can deploy various forms of malware such as viruses, trojans, and ransomware. These malicious programs can inflict damage on devices, leading to data breaches, loss of personal information, or system malfunctions. Malicious distribution often involves deceptive tactics. Harmful files may be disguised as legitimate software, or vulnerabilities in user systems may be exploited for malware installation.

PEACHPIT ad fraud botnet

Lastly, we observed high volume of the blocked traffic to the domains attributed to the PEACHPIT botnet and BADBOX fraud empire. The BADBOX operation, originating from China, engaged in the sale of counterfeit mobile and Connected TV (CTV) devices through prominent online retailers and resale platforms. These Android devices were pre-installed with the notorious Triada malware. Upon device activation or connection, these devices established communication with a command-and-control server, facilitating the remote installation of various fraudulent modules. Among these modules was PEACHPIT, dedicated to ad fraud. This cybercriminal syndicate targeted consumers globally, both in private and public sectors. According to HUMAN researchers the PEACHPIT botnet comprised an estimated 121,000 Android devices and 159,000 iOS devices daily.

Conclusions

Over the years, it has become easier and cheaper for cybercriminals to attack Internet users. Quad9’s mission is to improve the security and stability of the Internet and reduce users' vulnerability to risk and become more effective in their daily online interactions - even in the face of growing cyber attacks.

By preventing connections to malicious sites, Quad9 eliminates exposure to risks before they are downloaded to computers, or before a victim can reach fraudulent websites. The inability to reach a malicious host means that defenses such as virus protection or user-based detection such as certificate examination are never called into action. Layered defense is the best strategy: DNS malware blocking such as that included with Quad9 in combination with anti-virus software provides multiple defense points against threats.

As a DNS provider, Quad9 has the unique opportunity to analyze the volumes and trends of malware campaigns in aggregate. If you are a security researcher or threat intelligence provider and want to hear more, contact us via our website at: https://quad9.net/support/contact

About Quad9

Quad9, a nonprofit headquartered in Switzerland, provides free cybersecurity services to the emerging world via secure and private DNS lookup. Quad9 operates over 230 locations across more than 110 nations, blocking hundreds of millions of malware, phishing, and spyware events daily for tens of millions of end users. Quad9 reduces harm in vulnerable regions, increases privacy against criminal or institutionalised interception of Internet data, and improves performance in under-served areas.

References

1. https://blogs.infoblox.com/threat-intelligence/cyber-threat-advisory/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware/
2. https://blog.lumen.com/the-pumpkin-eclipse/
3. https://gridinsoft.com/online-virus-scanner/url/qu-ax
4. https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf