ASEC Weekly Malware Statistics (July 12th, 2021 – July 18th, 2021)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from July 12th, 2021 (Monday) to July 18th, 2021 (Sunday).

For the main category, info-stealer ranked top with 60.9%, followed by RAT (Remote Administration Tool) malware with 19.4%, downloader with 8.1%, CoinMiner with 7.1%, and Ransomware with 4.4%.


Top 1 – Vidar

Vidar was ranked first place with 13.7%. It is an infostealer / downloader malware. Vidar not only has features such as web browser, FTP, cryptocurrency wallet address, screenshot, but also has a feature that can download additional malware.

C&C URLs that were used during the period are the following.

  • hxxp://116.202.183[.]50/903
  • hxxp://162.55.223[.]232/947
  • hxxp://mmcjo[.]com/crown//main.php
  • hxxp://erolbasa.ac[.]ug/main.php


Top 2 – Smoke Loader

Smoke Loader is an info-stealer / downloader malware that ranked second place with 9.9%.

The confirmed C&C server URLs are as follows.

  • conceitosseg[.]com/upload/
  • integrasidata[.]com/upload/
  • ozentekstil[.]com/upload/
  • finbelportal[.]com/upload/
  • telanganadigital[.]com/upload/
  • nusurtal4f[.]net/
  • netomishnetojuk[.]net/
  • netomishnetojuk[.]net/
  • nick22doom4[.]net/
  • wrioshtivsio[.]su/
  • nusotiso4[.]su/
  • rickkhtovkka[.]biz/
  • palisotoliso[.]net/
  • 999080321newfolder100231-service1022020[.]ru/
  • 999080321newfolder100221-service1022020[.]ru/
  • 999080321newfolder1002-012525999080321[.]ml/
  • 999080321newfolder1002-012625999080321[.]ga/
  • 999080321newfolder1002-012725999080321[.]cf/
  • 999080321newfolder1002-012825999080321[.]gq/


Top 3 – RedLine

This week, RedLine malware ranked third with 8.7%. The malware steals various information such as web browser, FTP client, cryptocurrency wallet, and PC settings. It can also download additional malware by receiving commands from the C&C server.

The following are the confirmed C&C server domains for RedLine:

  • hxxps://y40.miraimibun[.]ru
  • hxxps://om.miraimibun[.]ru
  • hxxp://podarkivsemu[.]ru


Top 4 – CryptBot

This week, CryptBot malware ranked fourth with 8.5%. CryptBot is mainly distributed through malicious sites disguised as utility program download pages. Upon entering a certain keyword in the search engine, these malicious websites appear on the top page. When the PC is infected, it attempts to steal various user info and download additional malware. 

The following are the C&C server URLs and additional malware download URLs of CryptBot.

  • C&C1: xeihwr75[.]top/index.php
    C&C2: moregy07[.]top/index.php
    Download URL: lopxep10[.]top/download.php?file=lv.exe
  • C&C1: aleysn13[.]top/index.php
    C&C2: mordmy01[.]top/index.php
    Download URL: otiasc01[.]top/download.php?file=lv.exe
  • C&C1: xeiqvo57[.]top/index.php
    C&C2: moraid05[.]top/index.php
    Download URL: lopoga07[.]top/download.php?file=lv.exe
  • C&C1: xeifdt71[.]top/index.php
    C&C2: moregy07[.]top/index.php
    Download URL: lopxep10[.]top/download.php?file=lv.exe
  • C&C1: alepez15[.]top/index.php
    C&C2: mordmy01[.]top/index.php
    Download URL: otiasc01[.]top/download.php?file=lv.exe

The distributed filenames are as follows.

  • setup_x86_x64_install.exe
  • p3-both.exe
  • Setup.exe


Top 5 –  BeamWinHTTP

BeamWinHTTP is a downloader malware that ranked fifth with 7.5%. BeamWinHTTP is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner, and can download and install additional malware at the same time.

The confirmed C&C server URL is as follows.

  • hxxp://gcl-partners[.]in/decision.php
  • hxxp://g-partners[.]live/installer.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

0 0 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments