The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from January 30th, 2023 (Monday) to February 5th, 2023 (Sunday).
For the main category, downloader ranked top with 39.3%, followed by Infostealer with 28.8%, backdoor with 27.0%, ransomware with 2.6%, and CoinMiner with 2.2%.
Top 1 – SmokeLoader
SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with 19.9%. Like other malware that is distributed via exploit kits, this malware also has a MalPe form.
When executed, it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to the C&C server, it can download additional modules or other malware strains. Additionally downloaded modules usually have Infostealer features, and explorer.exe (child process) is created and injects modules to operate.
For an analysis report related to Smoke Loader, refer to the ASEC Report below.
[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks
The confirmed C&C server URLs are as follows.
- potunulit[.]org
- hutnilior[.]net
- bulimu55t[.]net
- soryytlic4[.]net
- novanosa5org[.]org
- nuljjjnuli[.]org
- tolilolihul[.]net
- somatoka51hub[.]net
- hujukui3[.]net
- bukubuka1[.]net
- golilopaster[.]org
- newzelannd66[.]org
- otriluyttn[.]org
- host-file-host6[.]com
- host-host-file8[.]com
- mightys[.]at/tmp/
- mupsin[.]ru/tmp/
- channelpi[.]com/tmp/
- mordo[.]ru/tmp/
- c3g6gx853u6j[.]xyz
- 04yh16065cdi[.]xyz
- 33qd2w560vnx[.]xyz
- neriir0f76gr[.]com
- b4y08hrp3jdb[.]com
- swp6fbywla09[.]com
- 7iqt53dr345u[.]com
- mj4aj8r55mho[.]com
- ne4ym7bjn1ts[.]com
Top 2 – BeamWinHTTP
BeamWinHTTP is a downloader malware that ranked second with 18.0%. The malware is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner and can download and install additional malware at the same time.
The confirmed C&C server URLs are as follows.
- 45.12.253[.]51/publisher.php
- 45.12.253[.]56/advertisting/plus.php
Top 3 – Formbook
Formbook ranked third place with 14.6%.
Like other Infostealers, it is mainly distributed through spam emails. The distributed file names are close to each other.
- TT Swift ($ 23,506.50) 19.01.23_jpg.exe
- E-FCR Docs_pdf.exe
- HSBC Account Statement 03FEB2023_pdf.exe
- RFQ-20000 TO 500000 MTBARELLS TEST by SGSPDF.exe
- Invoice.exe
- MV GOLDEN BRIGHT_VESSEL DESCRIPTION.exe
- INV.exe
- REQ-22-TM-04211.exe
- HSBC Payment Advice_pdf.exe
- JAN SOA PAYMENT.exe
As Formbook is injected into normal processes (one is a running explorer.exe and the other is in system32), the malicious behaviors are performed by these normal processes. Besides user credentials in the web browser, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.
Below is the list of confirmed C&C server URLs of Formbook.
- hxxp://www.auskunfton[.]com/u8ow/
- hxxp://www.bnhkit[.]xyz/d0a7/
- hxxp://www.btexmo[.]xyz/ga23/
- hxxp://www.domight[.]live/gune/
- hxxp://www.domight[.]live/hyed/
- hxxp://www.energybig[.]xyz/ghii/
- hxxp://www.frykuv[.]xyz/sk29/
- hxxp://www.genmanty[.]site/g44n/
- hxxp://www.gvdxop[.]xyz/n10i/
- hxxp://www.hexopb[.]xyz/sz17/
- hxxp://www.koyesses[.]site/xprq/
- hxxp://www.markmarket[.]live/m3ix/
- hxxp://www.pertio[.]xyz/gs12/
- hxxp://www.tumaqe[.]xyz/fh11/
- hxxp://www.webventy[.]site/m5oe/
Top 4 – Quasar RAT
Quasar RAT is an open-source RAT malware developed with .NET, used by various threat actors due to its public nature. Ranked in fourth place with 10.9%, Quasar RAT has been used in all kinds of attacks including attacks from CoinMiner operators ever since its appearance in the Kimsuky group’s APT attack.
Below is a list of filenames used by Quasar RAT when in distribution. Recently, it is often distributed in disguise of a cracked version of a normal program.
- c0cain_lite.EXE
- OpenBullet V 2.3.1.exe
- Photo.exe
- Battleye.jpg.exe
- Power Point Presentation.exe
- SunloginClient.exe
- JJSploit_Installer.exe
Just like other typical RAT malware, Quasar RAT also provides system task features such as processes, files, registries, as well as remote command execution, file upload and download features. It can also steal user environment information with its keylogging and account credentials-collecting feature, then continue on to take control of the infected system in real-time via remote desktop.
The confirmed C&C server URLs of Quasar RAT are as follows.
- 23.216.147[.]64:443
- 35.222.163[.]119:3741
- 79.119.149[.]174:4782
- 80.209.225[.]244:4420
- fat-tx.at.ply[.]gg:14136
Top 5 – Redline
RedLine ranked fifth place with 5.6%. The malware steals various information such as web browsers, FTP clients, cryptocurrency wallets, and PC settings. It can also download additional malware by receiving commands from the C&C server. Like BeamWinHTTP, there have been numerous cases of RedLine being distributed under the disguise of a software crack file.
The following are the confirmed C&C server domains for RedLine:
- 45.15.156[.]194:36152
- 176.113.115[.]16:4122
- 193.56.146[.]78:51487
- 62.204.41[.]170:4132
- 51.210.137[.]6:47909
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023) appeared first on ASEC BLOG.
Article Link: ASEC Weekly Malware Statistics (January 30th, 2023 – February 5th, 2023) - ASEC BLOG