The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 30th, 2023 (Monday) to February 5th, 2023 (Sunday).
For the main category, downloader ranked top with 39.3%, followed by Infostealer with 28.8%, backdoor with 27.0%, ransomware with 2.6%, and CoinMiner with 2.2%.
Top 1 – SmokeLoader
SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with 19.9%. Like other malware that is distributed via exploit kits, this malware also has a MalPe form.
When executed, it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to the C&C server, it can download additional modules or other malware strains. Additionally downloaded modules usually have Infostealer features, and explorer.exe (child process) is created and injects modules to operate.
For an analysis report related to Smoke Loader, refer to the ASEC Report below.
[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks
The confirmed C&C server URLs are as follows.
potunulit[.]org
hutnilior[.]net
bulimu55t[.]net
soryytlic4[.]net
novanosa5org[.]org
nuljjjnuli[.]org
tolilolihul[.]net
somatoka51hub[.]net
hujukui3[.]net
bukubuka1[.]net
golilopaster[.]org
newzelannd66[.]org
otriluyttn[.]org
host-file-host6[.]com
host-host-file8[.]com
mightys[.]at/tmp/
mupsin[.]ru/tmp/
channelpi[.]com/tmp/
mordo[.]ru/tmp/
c3g6gx853u6j[.]xyz
04yh16065cdi[.]xyz
33qd2w560vnx[.]xyz
neriir0f76gr[.]com
b4y08hrp3jdb[.]com
swp6fbywla09[.]com
7iqt53dr345u[.]com
mj4aj8r55mho[.]com
ne4ym7bjn1ts[.]com
Top 2 – BeamWinHTTP
BeamWinHTTP is a downloader malware that ranked second with 18.0%. The malware is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner and can download and install additional malware at the same time.
The confirmed C&C server URLs are as follows.
45.12.253[.]51/publisher.php
45.12.253[.]56/advertisting/plus.php
Top 3 – Formbook
Formbook ranked third place with 14.6%.
Like other Infostealers, it is mainly distributed through spam emails. The distributed file names are close to each other.
TT Swift ($ 23,506.50) 19.01.23_jpg.exe
E-FCR Docs_pdf.exe
HSBC Account Statement 03FEB2023_pdf.exe
RFQ-20000 TO 500000 MTBARELLS TEST by SGSPDF.exe
Invoice.exe
MV GOLDEN BRIGHT_VESSEL DESCRIPTION.exe
INV.exe
REQ-22-TM-04211.exe
HSBC Payment Advice_pdf.exe
JAN SOA PAYMENT.exe
As Formbook is injected into normal processes (one is a running explorer.exe and the other is in system32), the malicious behaviors are performed by these normal processes. Besides user credentials in the web browser, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.
Below is the list of confirmed C&C server URLs of Formbook.
hxxp://www.auskunfton[.]com/u8ow/
hxxp://www.bnhkit[.]xyz/d0a7/
hxxp://www.btexmo[.]xyz/ga23/
hxxp://www.domight[.]live/gune/
hxxp://www.domight[.]live/hyed/
hxxp://www.energybig[.]xyz/ghii/
hxxp://www.frykuv[.]xyz/sk29/
hxxp://www.genmanty[.]site/g44n/
hxxp://www.gvdxop[.]xyz/n10i/
hxxp://www.hexopb[.]xyz/sz17/
hxxp://www.koyesses[.]site/xprq/
hxxp://www.markmarket[.]live/m3ix/
hxxp://www.pertio[.]xyz/gs12/
hxxp://www.tumaqe[.]xyz/fh11/
hxxp://www.webventy[.]site/m5oe/
Top 4 – Quasar RAT
Quasar RAT is an open-source RAT malware developed with .NET, used by various threat actors due to its public nature. Ranked in fourth place with 10.9%, Quasar RAT has been used in all kinds of attacks including attacks from CoinMiner operators ever since its appearance in the Kimsuky group’s APT attack.
Below is a list of filenames used by Quasar RAT when in distribution. Recently, it is often distributed in disguise of a cracked version of a normal program.
c0cain_lite.EXE
OpenBullet V 2.3.1.exe
Photo.exe
Battleye.jpg.exe
Power Point Presentation.exe
SunloginClient.exe
JJSploit_Installer.exe
Just like other typical RAT malware, Quasar RAT also provides system task features such as processes, files, registries, as well as remote command execution, file upload and download features. It can also steal user environment information with its keylogging and account credentials-collecting feature, then continue on to take control of the infected system in real-time via remote desktop.
The confirmed C&C server URLs of Quasar RAT are as follows.
23.216.147[.]64:443
35.222.163[.]119:3741
79.119.149[.]174:4782
80.209.225[.]244:4420
fat-tx.at.ply[.]gg:14136
Top 5 – Redline
RedLine ranked fifth place with 5.6%. The malware steals various information such as web browsers, FTP clients, cryptocurrency wallets, and PC settings. It can also download additional malware by receiving commands from the C&C server. Like BeamWinHTTP, there have been numerous cases of RedLine being distributed under the disguise of a software crack file.
The following are the confirmed C&C server domains for RedLine:
45.15.156[.]194:36152
176.113.115[.]16:4122
193.56.146[.]78:51487
62.204.41[.]170:4132
51.210.137[.]6:47909
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023) appeared first on ASEC BLOG.
Article Link: ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023) – ASEC BLOG
1 post – 1 participant