The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from June 7th, 2021 (Monday) to June 13th, 2021 (Sunday).
For the main category, info-stealer ranked top with 67.7%, followed by RAT (Remote Administration Tool) malware with 20.3%, banking malware with 8.8%, and downloader with 2.2%. Ransomware did not make it to the main category due to a reduction in the number of cases.
Top 1 – AgentTesla
AgentTesla was ranked first place with 24.7%. It is an info-stealer malware that leaks user information saved in web browsers, e-mails, and FTP clients.
Recently collected samples use the following mail servers and user accounts when leaking the collected information.
As most samples are distributed through spam mails disguised as invoices, shipment documents, and purchase orders, the file names contain such words, as shown below (Invoice, Shipment, P.O. – Purchase Order). Some samples have extensions disguised as document files such as pdf and xlsx, or as AutoCAD blueprint files such as dwg.
- SAUDI ARAMCO Tender Documents – BOQ and ITB.exe
- Order List.exe
- OMANTECH PRODUCTS.exe
- Re SHANGHAI SHIPMENT.exe
- Fullwell New Order Inquiry.exe
- Route to shams on google map.exe
- ARA Petroleum Block-44-General Terms and Conditions Purchase n Service.exe
- COMPANY DOCUMENTS.exe
- New-PO-9360342_Order pdf.scr
- MATTHEOS 0410-20 E129.xls.exe
- Details 147987 BMD.exe
- Starco Inquiry Order.exe
Top 2 – Lokibot
This week, Lokibot ranked second place with 18.4%. It is an info-stealer malware that leaks information about programs such as web browsers, mail clients, and FTP clients.
As it is distributed through spam mails, its file names resemble those of other malware distributed the same way.
- Purchase Order (New)10115***tech210607.exe
- Purchase Order (New)_10115[New*]_210608.exe
- Estimate Request_BK210611.exe
- Specifications Applied_Item List_20210607.exe
- HJ TONG SANG RFQ_210610Y54.exe
- ILSHIN TRADING CO.pdf.exe
As shown below, most Lokibot C&C server URLs tend to end in fre.php.
Top 3 – Formbook
Formbook is an info-stealer malware ranked in third place with 14.0%.
Like other info-stealer malware, it is mainly distributed through spam mails, and its file names are similar to theirs.
- Purchase Order (New)_10115 _210607.exe
- Ref_Request For Proposal Details.exe
- Reference No. 3200025006.exe
- Noua comanda de achizitie.exe
- 13848_NDA_Dunkirk Offshore Wind Farm Project_DRAFT v000_20210525(2).exe
As Formbook injects itself into a normal process (explorer.exe or a process from the system32 directory), the malicious behaviors are performed by that normal process. Besides user account information stored in web browsers, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing. Below is the list of confirmed C&C server URLs of Formbook.
Top 4 – Emotet
Emotet ranked fourth place with 8.8%. Emotet is a banking malware that is being continuously distributed via spam mails.
In its basic form, it is a downloader without additional features, but once installed on a system, it can download additional modules or additional malware.
Additional modules include info-stealing modules that collect information such as web browser and e-mail credentials, and a propagation module that spreads via shared folders. Additional malware strains include other banking malware such as Qakbot and Trickbot.
Top 5 – Remcos
This week, Remcos ranked fifth place with 6.6%. Remcos is a RAT malware that carries out various commands given by the attacker, such as keylogging and information leaking.
Remcos is packed with a .NET packer and is distributed as attachments of spam mails, just like AgentTesla, Formbook, and NanoCore. As such, the file names reported are not much different from those of other malware distributed through spam mails.
- PROPERTY PICTURES 093728282929.jpg.bin
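The attachment names listed under AgentTesla, Lokibot, Formbook and Remcos above share one pattern: a document or image extension (pdf, xls, jpg) placed in front of the real executable extension (exe, scr, bin), combined with invoice, shipment or order lure words. The Python below is an added example of mail-gateway triage logic written for this post, not ASEC code; the extension sets and lure word list are assumptions drawn from the names in the report.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Attachment names quoted in this report (AgentTesla, Lokibot, Formbook, Remcos samples).
REPORTED_NAMES = [
    "SAUDI ARAMCO Tender Documents - BOQ and ITB.exe",
    "New-PO-9360342_Order pdf.scr",
    "MATTHEOS 0410-20 E129.xls.exe",
    "ILSHIN TRADING CO.pdf.exe",
    "Estimate Request_BK210611.exe",
    "PROPERTY PICTURES 093728282929.jpg.bin",
]
# Assumed sets: extensions Windows will execute, and document/image extensions used as camouflage.
EXEC_EXT = {"exe", "scr", "bin", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "dll"}
DOC_EXT = {"pdf", "xls", "xlsx", "doc", "docx", "dwg", "jpg", "jpeg", "png", "txt"}
# Lure themes named in the report (invoice, shipment, purchase order) plus assumed variants.
LURE_WORDS = ("invoice", "shipment", "purchase order", "p.o", "order", "rfq",
              "inquiry", "tender", "request for proposal", "documents")

@dataclass
class Verdict:
    name: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)

def assess_attachment(name: str) -> Verdict:
    """Flag a mail attachment whose name follows the spam-lure patterns in the report."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    stem = ".".join(parts[:-1])
    reasons = []
    if ext in EXEC_EXT:
        reasons.append(f"executable extension .{ext}")
        # "CO.pdf.exe": a document extension sits immediately before the real one.
        if len(parts) > 2 and parts[-2] in DOC_EXT:
            reasons.append(f"document extension .{parts[-2]} masking .{ext}")
        # "Order pdf.scr": the document type appears as a word rather than an extension.
        elif any(w in DOC_EXT for w in re.split(r"[\s_\-]+", stem)):
            reasons.append("document type word in stem")
    hits = [w for w in LURE_WORDS if w in stem]
    if hits:
        reasons.append("lure keyword(s): " + ", ".join(hits))
    # An executable attachment alone is enough to flag; lure words are supporting context.
    return Verdict(name, ext in EXEC_EXT, reasons)

def triage(names: List[str]) -> List[Verdict]:
    """Return verdicts for every flagged attachment name, in input order."""
    return [v for v in map(assess_attachment, names) if v.suspicious]
```

Running `triage(REPORTED_NAMES)` flags all six names from the report, each with the reason string that a gateway rule or SOC alert would carry.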
The confirmed C&C server URLs of Remcos are as follows.