ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 3rd, 2022 (Monday) to October 9th, 2022 (Sunday).

For the main category, downloader ranked top with 45.0%, followed by info-stealer with 39.6%, backdoor with 14.6%, ransomware with 0.4%, and CoinMiner with 0.4%.

Top1. SmokeLoader

Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place with 22.1%. Like other malware that is distributed via exploit kits, this malware also has MalPe form. 

When executed, it injects itself to explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to C&C server, it can either download additional module, or download another malware. Additionally downloaded malware usually has a feature of infostealer, and explorer.exe (child process) is created and injects module to operate.

For an analysis report related to Smoke Loader, refer to the ASEC Report below.

[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks

The confirmed C&C server URLs are as follows.

  • nvulukuluir[.]net
  • gulutina49org[.]org
  • hulimudulinu[.]net
  • stalnnuytyt[.]org
  • nuluitnulo[.]me
  • youyouumenia5[.]org
  • guluiiiimnstra[.]net

Top2. AgentTesla

AgentTesla is an infostealer that ranked second place with 20.4%. It is an info-stealer that leaks user credentials saved in web browsers, emails, and FTP clients.

How AgentTesla Malware is Being Distributed in Korea

It uses e-mail to leak collected information, and there are samples that used FTP or Discord API. C&C information of recently collected samples is as follows.

  • server : mail.epicenterafrica[.]com
    sender : silvester.atuta@epicenterafrica[.]com
    receiver : silvester.atuta@epicenterafrica[.]com
    user : silvester.atuta@epicenterafrica[.]com
    pw : as0******xkY
  • server : mail.rimiapparelsltd[.]com
    sender : postmaster@rimiapparelsltd[.]com
    receiver : webmaster@rimiapparelsltd[.]com
    user : postmaster@rimiapparelsltd[.]com
    pw : Ije*****8@
  • server : microempaquescali[.]com
    sender : investor@microempaquescali[.]com
    receiver : investoryandex@microempaquescali[.]com
    user : investor@microempaquescali[.]com
    pw : icu******@

As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, and P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.

  • comprobante009.xlsx.exe
  • order jmg.exe
  • doc2345689965624_PDF.exe
  • information01.exe
  • R1 UAE for Saudi Recovery project.pdf.exe
  • Payment Advice.exe

Top3. BeamWinHTTP

BeamWinHTTP is a downloader malware that ranked third place with 19.2%. BeamWinHTTP is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner, and can download and install additional malware at the same time.

Malware Being Sneakily Installed in My PC-BeamWinHTTP Malware

The confirmed C&C server URL is as follows.

  • 95.214.24[.]96/load.php?pub=mixinte
  • 208.67.104[.]97/powfhxhxcjzx/ping.php?sub=/mixtwo&stream=mixone&substream=mixazed
  • 212.192.246[.]217/access.php?sub=NOSUB&stream=mix&substream=mixtwo
  • goldenchests[.]com/checkversion.php?source=MIX2h1

Top4. SnakeKeylogger

Taking fourth with 7.9%, SnakeKeylogger is an info-stealer type malware that leaks information such as user key inputs, system clipboards, and browser account information.

Like AgentTesla, this malware uses e-mail servers and user accounts when leaking collected information. The following is the accounts used by recently collected samples.

  • server : us2.smtp.mailhostbox[.]com
    sender : monni@great-timecomess[.]com
    receiver : monni@great-timecomess[.]com
    pw : oc****T6
  • server : us2.smtp.mailhostbox[.]com
    sender : smadar.joseph@almalasers-il[.]com
    receiver : smadar.joseph@almalasers-il[.]com
    pw : do*****0

Similar to other info-stealer malware, it is distributed through spam mails disguised as invoices, shipment documents, and purchase orders, so the file names contain such words shown above (Invoice, Shipment, P.O. – Purchase Order).

  • WriN.exe
  • dls.exe
  • QuizGame.exe
  • Calculator 1.5.exe

Top5. Remcos

This week, Remcos ranked fifth place with 7.1%. Remcos is a RAT malware that carries out various commands given by the attacker such as keylogging and information leaking.

Remcos RAT Malware being Distributed as Spam Mail

Remcos is packed with a .NET packer and is distributed as attachments to spam emails, just like AgentTesla, Formbook, and NanoCore. Recently, there are some cases where it got distributed after disguising itself as a certain tool.

The confirmed C&C server URLs of Remcos are as follows.

  • hxxp://80.66.75[.]90/Vnmqugfh.bmp
  • hxxp://geoplugin[.]net/json.gp

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post <strong>ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022)</strong> appeared first on ASEC BLOG.

Article Link: ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022) - ASEC BLOG