The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known threats. This post will list weekly statistics collected from August 9th, 2021 (Monday) to August 15th, 2021 (Sunday).
For the main category, Infostealer ranked top with 66.6%, followed by RAT (Remote Administration Tool) malware with 21.3%, Downloader and CoinMiner with 5.3%, Ransomware with 1.4%, and banking malware with 1.3%.
Top 1 – Vidar
Vidar was ranked first place with 13.6%. It is an infostealer / downloader malware. Vidar not only steals information from web browser, FTP, cryptocurrency wallet address, and screenshot, but also downloads additional malware.
As shown in the blogs below, spam mails are being sent periodically to Korean users, and its characteristic is that it exists with other ransomware within the compressed file attached to the spam mail.
Recently, certain game platforms are being abused to spread ransomware.
The following has explanations on Vidar’s info-leaking feature.
C&C URLs that were used during the period are the following.
Top 2 – RedLine
RedLine ranked second with 13.4%. The threat steals various information from web browser, FTP client, cryptocurrency wallet, and PC settings. It can also download additional malware by receiving commands from the C&C server.
The following are the confirmed C&C server domains for RedLine:
Top 3 – AgentTesla
AgentTesla was ranked third place with 12.3%. It is an Infostealer that leaks user information saved in web browsers, e-mails, and FTP clients.
Recently collected samples use the following mail servers and user accounts when leaking the collected information.
- smtp.gmail[.]com (173.194.76[.]108)
sender : aalahajirazak.ibrahim@gmail[.]com
receiver : aalahajirazak.ibrahim@gmail[.]com
user : aalahajirazak.ibrahim@gmail[.]com
pw : sontcehkw***wuqj
- serv-10708.handsonwebhosting[.]com (107.152.108[.]114)
sender : emma@multillantaszl[.]com
receiver : emma@multillantaszl[.]com
user : emma@multillantaszl[.]com
pw : icui4***@@
- mail.karanex[.]com (185.8.128[.]141)
sender : sales@karanex[.]com
receiver : sales@karanex[.]com
user : sales@karanex[.]com
pw : roz%***3
As most are distributed through spam mails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, P.O. – Purchase Order). Some samples have extensions disguised as document files such as pdf and xlsx or Auto CAD blueprint files such as dwg.
- Reconfirm payment invoice #Order396541.exe
- WTR BFV 156 -Rev4.exe
- Supply Damages&TT_pay swift.exe
- Pulley Specification.exe
Top 4 – Formbook
Formbook is an Infostealer ranked fourth place with 8.2%.
Like other Infostealers, it is mainly distributed through spam mails. The distributed file names are close to each other.
- SOA invoice.exe
- CATALOG & ORDER LIST.Pdf.exe
As Formbook is injected in a normal process that is in the directory of explorer.exe and system32, the malicious behaviors are performed by the normal process. Besides user account information in the web browser, the threat can steal various information through keylogging, clipboard grabbing, and web browser form grabbing. Below is the list of confirmed C&C server URLs of Formbook.
Top 5 – Smoke Loader
Smoke Loader is an infostealer / downloader that ranked fifth place with 7.2%. For analysis report related to Smoke Loader, refer to the ASEC Report below.
The confirmed C&C server URLs are as follows.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.