The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post lists the weekly statistics collected from July 12th, 2021 (Monday) to July 18th, 2021 (Sunday).
By main category, info-stealers ranked top with 60.9%, followed by RAT (Remote Administration Tool) malware with 19.4%, downloaders with 8.1%, CoinMiner with 7.1%, and ransomware with 4.4%.

Top 1 – Vidar
Vidar ranked first with 13.7%. It is an info-stealer / downloader malware. Besides stealing web browser data, FTP credentials, cryptocurrency wallet addresses and screenshots, Vidar can also download additional malware.
The C&C URLs used during the period are as follows.
- hxxp://116.202.183[.]50/903
- hxxp://162.55.223[.]232/947
- hxxp://mmcjo[.]com/crown//main.php
- hxxp://erolbasa.ac[.]ug/main.php
Top 2 – Smoke Loader
Smoke Loader is an info-stealer / downloader malware that ranked second place with 9.9%.
The confirmed C&C server URLs are as follows.
Top 3 – RedLine
This week, RedLine malware ranked third with 8.7%. The malware steals information from web browsers, FTP clients and cryptocurrency wallets, as well as PC settings. It can also download additional malware on command from the C&C server.
The following are the confirmed C&C server domains for RedLine:
- hxxps://y40.miraimibun[.]ru
- hxxps://om.miraimibun[.]ru
- hxxp://podarkivsemu[.]ru
Top 4 – CryptBot
This week, CryptBot malware ranked fourth with 8.5%. CryptBot is mainly distributed through malicious sites disguised as utility program download pages. When certain keywords are entered in a search engine, these malicious sites appear among the top results. Once the PC is infected, the malware attempts to steal various user information and download additional malware.
The following are the C&C server URLs and additional malware download URLs of CryptBot.
The distributed filenames are as follows.
- setup_x86_x64_install.exe
- p3-both.exe
- Setup.exe
Top 5 – BeamWinHTTP
BeamWinHTTP is a downloader malware that ranked fifth with 7.5%. It is distributed disguised as a PUP installer. When executed, it installs the PUP Garbage Cleaner and can download and install additional malware at the same time.
The confirmed C&C server URLs are as follows.
- hxxp://gcl-partners[.]in/decision.php
- hxxp://g-partners[.]live/installer.php
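As an added example (not code from the ASEC post), the following Python refangs the defanged C&C URLs listed above for Vidar, RedLine and BeamWinHTTP and checks constructed proxy log lines against the resulting host list; the log format, timestamps and client IPs are made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Defanged C&C URLs exactly as listed in this post (Vidar, RedLine, BeamWinHTTP).
DEFANGED_IOCS = [
    "hxxp://116.202.183[.]50/903",
    "hxxp://162.55.223[.]232/947",
    "hxxp://mmcjo[.]com/crown//main.php",
    "hxxp://erolbasa.ac[.]ug/main.php",
    "hxxps://y40.miraimibun[.]ru",
    "hxxps://om.miraimibun[.]ru",
    "hxxp://podarkivsemu[.]ru",
    "hxxp://gcl-partners[.]in/decision.php",
    "hxxp://g-partners[.]live/installer.php",
]

def refang(ioc: str) -> str:
    """Undo the defanging used in the post: '[.]' -> '.' and 'hxxp' -> 'http'."""
    url = ioc.replace("[.]", ".")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    # Entries given without a scheme (host/path only) still need one for urlparse.
    return url if "://" in url else "http://" + url

def ioc_hosts(iocs) -> set:
    """Reduce the IOC URLs to a set of lowercase hostnames for exact matching."""
    return {urlparse(refang(i)).hostname.lower() for i in iocs}

# Constructed proxy log lines (hypothetical format): epoch client method url status.
SAMPLE_LOG = """\
1626300001.123 10.0.0.5 GET http://www.example.com/ 200
1626300002.456 10.0.0.7 POST http://116.202.183.50/903 200
1626300003.789 10.0.0.9 GET https://om.miraimibun.ru/ 200
1626300004.012 10.0.0.5 GET http://g-partners.live/installer.php 200
1626300005.345 10.0.0.8 GET http://miraimibun.ru.example.net/ 200
"""

def find_hits(log_text: str, hosts: set) -> list:
    """Return (client, host) for each request to a known C&C host. Hostnames are
    compared exactly, so the look-alike 'miraimibun.ru.example.net' is not flagged."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host = urlparse(fields[3]).hostname
        if host and host.lower() in hosts:
            hits.append((fields[1], host.lower()))
    return hits
```

Matching on the exact hostname rather than a substring avoids false positives from look-alike domains, but it also means a C&C host that moves to a new subdomain needs an updated list.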
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.