The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from May 3rd, 2021 (Monday) to May 9th, 2021 (Sunday).
For the main category, info-stealer ranked top with 72.7%, followed by RAT (Remote Administration Tool) malware with 16.0%, CoinMiner with 8.2%, Ransomware with 1.7%, and downloader with 1.3%.
Top 1 – AgentTesla
AgentTesla was ranked first place with 25.1%. It is an info-stealer malware that leaks user information saved in web browsers, e-mails, and FTP clients.
Recently collected samples use the following mail servers and user accounts when leaking the collected information.
- mail.barraprime[.]com
sender: info@barraprime[.]com
receiver: info@barraprime[.]com
user: info@barraprime[.]com
pw: 1mar****17 - mail.alphaforge[.]net.my
sender: hr@alphaforge[.]net.my
receiver: hr@alphaforge[.]net.my
user: hr@alphaforge[.]net.my
pw: alp***r01 - mail.enerzi[.]co
sender: sales@enerzi[.]co
receiver: sales@enerzi[.]co
user: sales@enerzi[.]co
pw: Ener****123!#
As most are distributed through spam mails disguised as invoice, shipment document, and purchase order, the file names contain such words shown above (Invoice, Shipment, P.O. – Purchase Order). Some samples have extensions disguised as document files such as pdf and xlsx or Auto CAD blueprint files such as dwg.
- ContractReferenceAssemblyAttribute.exe
- IMG_06_177_025.exe
- Item List.exe one.exe
- Price list update.exe
- PurchaseInquiry040521.exe
- PURCHASE-ORDEROFITEMS990676.exe
- PurchaseOrderPDF.exe
- SWAU7585755.SCR
Top 2 – Lokibot
Lokibot takes the second place with 17.3%. It is an info-stealer malware that leaks information about programs such as web browsers, mail clients, and FTP clients.
Being a malware that is distributed through spam mails, it shares similar distributed file names with other malware that are distributed through spam mails.
- Darim Tech Quote.exe
- DKOL0010-BB011.exe
- DKOL0010-BB011.idw.exe
- EVERCHEM.exe
- FREIGHT INVOICE -MV AN HAI V2102.exe
- List of quotation items.exe
- MV SILVER GLOBE Hire.exe
- ORDER.exe
- PO 2105003-021.exe
- PO 210506-112.exe
- PO 210506-201.exe
- PO HG549-424J_01.exe
- PO.exe
- po.exe
- PO202105-04NY(Sun)-056].exe
- quotation.exe
- QUOTATION-FORM.exe
As shown in the below, most Lokibot malware C&C server URLs tend to end in fre.php.
- hxxp://104.168.175.179/ghost1/panel/fre[.]php
- hxxp://104.168.175.179/nadis/panel/fre[.]php
- hxxp://104.168.175.179/oga/panel/fre[.]php
- hxxp://104.168.175.179/smick/panel/fre[.]php
- hxxp://173.208.204.37/k[.]php
- hxxp://209.141.50.70/D3/13/pin[.]php
- hxxp://alhajikudi.com/life/five/fre[.]php
- hxxp://finacafe.net/OG/news/school/boy/choo/fre[.]php
Top 3 – Formbook
Formbook is an info-stealer malware ranked third place with 11.7%.
Like other info-stealer malware, it is mainly distributed through spam mails. The distributed file names are also similar to those of other malware.
- NEXT LOT 40FT CONTR_docx.exe
- Invoice2021.exe
As Formbook malware is injected in a normal process that is in the directory of explorer.exe and system32, the malicious behaviors are performed by the normal process. Besides web browser user account information, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing. Below is the list of confirmed C&C server URLs of Formbook.
- hxxp://www.chaytel.com/zui/
- hxxp://www.bunies3.com/i6rd/
- hxxp://www.contorig2.com/u8nw/
- hxxp://www.contorig2.com/uv34/
- hxxp://www.floryi.com/nyr/
- hxxp://www.forenvid.com/vns/
- hxxp://www.joomlas123.info/3nop/
- hxxp://www.jumlasx.xyz/op9s/
- hxxp://www.magentos6.com/sqxs/
- hxxp://www.mex33.info/ainq/
Top 4 – Glupteba
Glupteba is a malware developed with Golang, taking the fourth place with 8.2%. It downloads various additional modules and have various features, but it is actually a CoinMiner malware that installs XMR (Monero) CoinMiner.
When Glupteba is executed, it acquires the system permission by going through UAC Bypass and using TrustedInstaller’s permission. It then disguises as a normal process named C:Windowsrsscsrss.exe and remains in the system. Afterward, Glupteba downloads additional modules such as rootkit drivers for a purpose of concealing processes and files, and ultimately installs Eternal Blue package to spread through XMR CoinMiner and SMB vulnerabilities.
So far, most of the confirmed Glupteba samples are being downloaded and distributed via PUPs. Even though Glupteba is being distributed via PUP, it takes the appearance of a MalPe packer (it is mentioned in the previous blog post).
Malware strains that take the appearance of a MalPe packer can be distributed via Exploit Kit. There are also cases of Vidar malware and PUP where the malware disguised as a normal program were distributed.
[Additional Module Download URL]
- hxxps://spolaect[.]info
[C&C Server URL]
- hxxps://sndvoices[.]com
- hxxps://2makestorage[.]com
Top 5 – RedLine
RedLine malware has taken the fifth place once again with 7.4%. The malware steals various information such as web browser, FTP client, cryptocurrency wallet, and PC settings. It can also download additional malware by receiving commands from the C&C server.
The following are the confirmed C&C server domains for RedLine:
- hxxp://87.251.71[.]62
- hxxp://briaseynan[.]xyz
- hxxp://domopaniama[.]xyz
- hxxp://nshoreyle[.]xyz
- hxxp://redworksite[.]info
- hxxp://rrddasllea[.]xyz
Categories:Statistics