The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to major threats. This post will list weekly statistics collected from August 2nd, 2021 (Monday) to August 8th, 2021 (Sunday).
For the main category, Infostealer ranked top with 53.7%, followed by RAT (Remote Administration Tool) with 22.4%, downloader with 11.3%, CoinMiner with 7.6%, ransomware with 4.3%, and Ddos with 0.6%.
Top 1 – RedLine
RedLine has taken first place once again with 12.8%. The malware steals various information such as web browser, FTP client, cryptocurrency wallet, and PC settings. It can also download additional malware by receiving commands from the C&C server.
The following are the confirmed C&C server domains for RedLine:
- hxxp://zertypelil[.]xyz/
- hxxp://yonicathal[.]xyz/
- hxxp://stanntinab[.]xyz/
- hxxp://salanoajalio[.]xyz/
- hxxps://all-brain-company[.]xyz/
Top 2 – Formbook
Formbook is an Infostealer ranked second place with 8.6%.
Like other Infostealer malware, it is mainly distributed through spam mails. The distributed file names are close to each other.
- RFQ Data Sheet 0400100347_pdf________________________.exe
- Payment_Advice.exe
- Temmuz 2021 Ekstreniz.exe
- vbc.exe
- MV PROGRESS-VSL008.exe
- company business card.exe
- Swift Payment.exe
- Order_04_08_2021.exe
- PO UTITECH20210802.exe
As Formbook is injected in a normal process that is in the directory of explorer.exe and system32, the malicious behaviors are performed by the normal process. Besides user account information in the web browser, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.
- hxxp://www.bainrix[.]com/d8ak/
- hxxp://www.magetu[.]info/weni/
- hxxp://www.tomrings[.]com/ftgq/
- hxxp://www.cunerier[.]com/n8ba/
- hxxp://www.ravexim3[.]com/dy8g/
- hxxp://www.racevc[.]com/busc/
- hxxp://www.brateix[.]info/gno4/
- hxxp://www.psm-gen[.]com/cg53/
- hxxp://www.nieght[.]com/wt5i/
- hxxp://www.afcerd[.]com/odse/
Top 3 – BeamWinHTTP
BeamWinHTTP is a downloader malware that ranked third with 8.4%. BeamWinHTTP is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner, and can download and install additional malware at the same time.
The confirmed C&C server URL is as follows.
- hxxp:///gc-prtnrs[.]top/decision.php
Top 4 – Vidar
Vidar was ranked fourth place with 8.2%. It is an Infostealer and downloader malware. Vidar not only has features such as web browser, FTP, cryptocurrency wallet address, screenshot, but also has a feature that can download additional malware.
As shown in the blogs below, spam mails are being sent periodically to Korean users, and its characteristic is that it exists with other ransomware within the compressed file attached to the spam mail.
Recently, certain game platforms are being abused to spread ransomware.
The following has explanations on Vidar’s info-leaking feature.
C&C URLs that were used during the period are the following.
- hxxp://116.202.183[.]50/517
- hxxp://116.202.183[.]50/860
- hxxp://2.56.59[.]226/www//main.php
- hxxp://notedemo.axfree[.]com/main.php
- hxxp://23.88.49[.]119/937
- hxxp://23.88.49[.]119/973
Top 5 – Raccoon
Raccoon ranked fifth place with 7.8%, and it is an Infostealer that has a form of MalPe packer, which is similar to Glupteba.
This malware leaks information such as account information of web browsers (Chrome, Edge, Opera), cookies, and crypto-currency wallets. The following are the confirmed C&C servers.
- hxxp://185.234.247[.]148/
- hxxp://5.181.156[.]60/
- hxxp://5.252.179[.]21/
- hxxp://45.138.172[.]138/
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Statistics