Brazil.. Haven for Botnet's and C&C servers?

This is a typical scene on our live attack map stream for our HoneyPot: Brazil attacks far outnumber any other source location, whatever the reason.

I have been running HoneyPots on and off for a few years, but recently I have put one up permanently for the last few months for more intel and for public use, learning and entertainment. You can see statistics and live attacks on the Live HoneyPot dashboard links page below.

Live HoneyPot Dashboards
HIT PLAY and go FULL SCREEN for the best viewing experience for the Streams. Because our Honeypot needs to stay disguised to be the most effective, and its dashboard lacks the granular security controls (as well as whitelisting of admin pages) needed for the Public to access it safely, only the streams are shared here.

I am always fascinated by this constant activity: without fail, any honeypot I put up on a new IP on any host starts to get blasted within 24hrs. The DDOSPOT-specific attacks in particular are continual and nonstop. By blasted, I mean about 2.5 million logged DDOSPOT attacks in a matter of a couple of weeks. That isn't even counting the other Pot sub-type attacks.

In fact, a couple of times the HoneyPot got so overloaded that the server could not keep up with the logging and activity, which a few times froze the Pot. I have only had to reboot the Honeypot a handful of times over months, and only during the heaviest barrages. This is an 8 vCPU server with 32GB RAM and SSD storage, no slouch in terms of running a honeypot.

DigitalOcean, my current provider for the Pot, has been great about this. With the first few HoneyPots I hosted, they clearly let me know the activity was high. After I explained the goal and purpose of the HoneyPot, they have been really cool and whitelisted any further automated monitoring alerts in the name of Cybersecurity research and learning purposes.

The attack origin is completely disproportionate, in the sense that Brazil seems to have the most compromised devices involved in various Botnets and malicious activity. Which is why I always block Brazil via GEO/IP on all firewalls and security layers we put in place. It is not a perfect solution, but for some reason it has always fascinated me that Brazil always has BY FAR the most attacks by origin within any honeypot I run, regardless of configuration and location.
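To make the "disproportionate by origin" observation and the GEO/IP block decision concrete, here is an added example (my own, not code from the post's honeypot or from any tool the post names). It parses constructed JSON-lines honeypot events (the IPs are documentation ranges, the pot names are stand-in labels), ranks attack counts by GeoIP country and pot type, checks how well a constructed country prefix list actually covers the observed sources, and renders an nftables ruleset that drops inbound traffic from that prefix list. Event field names, the prefix list and the table name are all assumptions.

```python
import json
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of honeypot events: JSON lines with the source address,
# its GeoIP country code and which honeypot sub-type logged it. These are
# documentation/test addresses, not real attacker IPs, and the field names
# are an assumption about the log format.
SAMPLE_EVENTS = """\
{"src_ip": "203.0.113.10", "country": "BR", "pot": "ddospot"}
{"src_ip": "203.0.113.10", "country": "BR", "pot": "ddospot"}
{"src_ip": "203.0.113.77", "country": "BR", "pot": "cowrie"}
{"src_ip": "198.51.100.5", "country": "CN", "pot": "ddospot"}
{"src_ip": "198.51.100.9", "country": "RU", "pot": "cowrie"}
{"src_ip": "192.0.2.44",   "country": "BR", "pot": "ddospot"}
{"src_ip": "192.0.2.45",   "country": "VN", "pot": "dionaea"}
not json at all
"""

# Constructed country prefix list (stand-in for a real GeoIP CIDR feed for BR).
SAMPLE_PREFIXES_BR = ["203.0.113.0/24", "192.0.2.32/27"]


def parse_events(text):
    """Parse JSON-lines honeypot output, skipping malformed or incomplete lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # an overloaded pot can leave truncated lines behind
        if {"src_ip", "country", "pot"} <= ev.keys():
            events.append(ev)
    return events


def attacks_by_country(events):
    """Total events per GeoIP country code (a Counter; most_common() ranks them)."""
    return Counter(ev["country"] for ev in events)


def attacks_by_country_and_pot(events):
    """Nested breakdown: country -> honeypot type -> count."""
    out = defaultdict(Counter)
    for ev in events:
        out[ev["country"]][ev["pot"]] += 1
    return {country: dict(pots) for country, pots in out.items()}


def share_of_total(events, country):
    """Fraction of all events attributed to one country (0.0 to 1.0)."""
    total = len(events)
    return attacks_by_country(events)[country] / total if total else 0.0


def sources_in_prefixes(events, prefixes):
    """Distinct source IPs that fall inside the given CIDR list. Comparing this
    with the per-event GeoIP label shows where the prefix feed and the event
    geolocation disagree (here 192.0.2.45 is labelled VN but sits in a BR prefix)."""
    nets = [ip_network(p) for p in prefixes]
    return sorted({ev["src_ip"] for ev in events
                   if any(ip_address(ev["src_ip"]) in net for net in nets)})


def nftables_geoblock(prefixes, table="geoblock"):
    """Render an nftables ruleset that drops inbound traffic from the prefixes."""
    elements = ", ".join(prefixes)
    return f"""table inet {table} {{
    set blocked_v4 {{
        type ipv4_addr
        flags interval
        elements = {{ {elements} }}
    }}
    chain input {{
        type filter hook input priority -10; policy accept;
        ip saddr @blocked_v4 counter drop
    }}
}}
"""


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for code, n in attacks_by_country(evs).most_common():
        print(f"{code}: {n} events ({share_of_total(evs, code):.0%})")
    print(attacks_by_country_and_pot(evs))
    print("covered by BR prefixes:", sources_in_prefixes(evs, SAMPLE_PREFIXES_BR))
    print(nftables_geoblock(SAMPLE_PREFIXES_BR))
```

The ruleset can be loaded with `nft -f` on a host that has nftables; the `counter` on the drop rule lets you see how much the block is actually catching. The coverage check is the caveat worth keeping in mind with any GEO/IP block: the country code a honeypot stamps on an event and the prefix feed a firewall consumes come from different databases, so the two can disagree for a given address.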

People always ask, when I add Brazil to GEO/IP filters by default: aren't Russia, China and Vietnam the typical countries where malicious cyber activity originates? We all seem a little intrigued when Brazil is mentioned in the list of the Big 10. I guess we are all stereotypical when we envision Brazil as a warm, friendly country with beaches and the like.

Below is a typical screenshot of the constant ongoing scanning, brute force and botnet activity our HoneyPots experience nonstop. These are, without fail, always originating from the southeast portion of the country of Brazil.

The Attack map almost continually shows attacks from the Southeast Corner of Brazil specifically.

Like I said, the attacks are always out of the same location in the southeast corner of the country. So I dug into OpenCTI and searched for activity in Brazil, where many cities' IPs are geo-located in this area. For some odd reason the attack maps and data always seem to show the southeast corner of the country.

Brian Krebs released data that also matches our OpenCTI data and our HoneyPot data. This is in the context of the number of infected hosts by country for the Mirai Botnet, for example.

Courtesy of Brian Krebs

Here are some additional screenshots of Observables and Activity for Brazil and the region from OpenCTI, and there are plenty!

I also found multiple articles all reporting on similar findings. So this blog post is more out of curiosity and intrigue, and poses a question: why is Brazil such an easy target to take over devices and infect with malware? Here are a few articles that might shed some further insight on that question. It seems IoT devices and Brazilian routers are a favorite, alongside other scams that target Brazilians, and that would explain why our attack map is constantly lit up with attacks from Brazil.

Microsoft and ISPs did door-to-door router replacements to stop Trickbot malware
It partnered with ISPs in Brazil and Latin America.
Brazil is at the forefront of a new type of router attack
Avast: More than 180,000 routers in Brazil had their DNS settings changed in Q1 2019.
Brazil-based botnet targets Spanish-speakers across Americas, Cisco says
The attackers are mainly interested in using the tool to steal victim credentials and financial data, as well as to send phishing emails to all of the validated email IDs in a victim’s mailbox, Cisco’s Talos team says.
New Botnet Malware ‘Horabot’ Targets Spanish-Speaking Users in Latin America
Heads up, Latin America! A powerful botnet named Horabot is targeting Outlook users with phishing emails, compromising their accounts.
Exposing a Demonic Threat: Darktrace’s Fight Against Malware Targeting Brazilian Organizations | Darktrace Blog
This blog details how Darktrace DETECT identified a banking trojan known to target organizations in Brazil before it was able to steal any sensitive customer data. Following the initial detection, Darktrace’s global SOC were able to investigate the incident and inform the customer for swift mitigation.

If you have any thoughts or comments, see my LinkedIN post referencing this article below.

Daniel Bender on LinkedIn: Brazil.. Haven for Botnet's and C&C servers.
My musings on Brazil as a hot spot for Botnet and C&C activity among other malicious activity. Would love to hear comments, or from people who have intimate…

LinkedIn Post Discussion

As always, if you want to do your own research or play around with OpenCTI, be sure to visit our Public OpenCTI instance:

I feel as though sometimes a Brazil / China Botnet is trying to take down the Pot, but they haven't succeeded yet. :)

God Bless