ASEC Weekly Malware Statistics (September 20th, 2021 – September 26th, 2021)

The ASEC analysis team uses its automatic analysis system RAPIT to categorize and respond to known malware. This post lists the weekly statistics collected from September 20th, 2021 (Monday) to September 26th, 2021 (Sunday).

By main category, info-stealers ranked top with 56.3%, followed by downloaders with 30.1%, RAT (Remote Administration Tool) malware with 9.5%, CoinMiner with 2.2%, ransomware with 1.7%, and backdoor malware with 0.3%.

Top 1 – BeamWinHTTP

BeamWinHTTP is a downloader that ranked top with 29.5%. It is distributed disguised as a PUP installer. When executed, it installs the PUP Garbage Cleaner and can download and install additional malware at the same time.

The confirmed C&C server URLs are as follows.

  • cleaner-partners[.]biz
  • cleaner-partners[.]ltd

Top 2 – AgentTesla

AgentTesla ranked second with 12.0%. It is an info-stealer that leaks user information saved in web browsers, e-mail clients, and FTP clients.

Recently collected samples use the following mail servers and user accounts when leaking the collected information.


As most samples are distributed through spam mails disguised as invoices, shipment documents, and purchase orders, the file names contain words such as Invoice, Shipment, and P.O. (Purchase Order), as the list below shows. Some samples use a double extension to pose as document files (pdf, xlsx) or AutoCAD drawing files (dwg).

  • INV, BL, PL.exe
  • Shipping_Documents.exe
  • Bank_details.exe
  • Documents.exe
  • Purchase_order_No_7839.exe
  • Purchase_order.exe
  • PO.exe
  • PO.21090351_PDF.exe
  • PO_4500151298.exe
  • PO 9661051.exe
  • PO_166737.pdf.exe
  • HHM Industrial – PO44938.exe
  • Swift_6408372.exe
  • DOC.exe
  • New Order.exe
  • New purchase order____pdf.exe
  • ödeme makbuzu-iş bankası.PDF.exe

Top 3 – Formbook

Formbook is an info-stealer malware ranked third with 11.4%.

Like other info-stealer malware, it is mainly distributed through spam mails. The distributed file names closely resemble one another.

  • Final Estimate00338383923.exe
  • New Order Specifications Pdf.exe
  • SWIFT_Transfer_103_0034OTT21000123_8238174530.PDF.exe
  • Payment_Proof_pdf.exe
  • BL_INVOICE_DOCUMENTS,Shipping Documents_pdf__________________________________.exe
  • BL_INVOICE_DOCUMENTS documentos de envío-pdf___.exe
  • Quotation_pdf______________.exe
  • SBGW#001232021.exe
  • Quotation_-_Urgent.exe
  • Statement_of_Account.exe
  • quote_price_request.exe
  • product specifications.exe
  • LOI-september ending.exe
  • Urgent_Quote.exe
  • Orden de compra.exe
  • Quotation_&_Sample_Designs.PDF.exe
  • Pedido_de_productos.exe
  • NEW_ORDER_RE_PO88224.PDF.exe
  • jgc-0157 project rfp-s-0066.exe

Because Formbook injects itself into a legitimate process located in the explorer.exe directory or in system32, its malicious behaviors are carried out by that legitimate process. Besides user account information from web browsers, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing. Below is the list of confirmed C&C server URLs of Formbook.


Top 4 – CryptBot

CryptBot ranked fourth with 9.5%. This info-stealer is downloaded through PUP programs; in addition to stealing information, it can download additional malware.

It is mainly distributed from phishing websites disguised as utility program download pages, which appear in Google search results for certain keywords.

The following are the confirmed C&C server URLs and additional malware download URLs of CryptBot.


The file names distributed from the phishing websites disguised as utility program download pages are as follows.

  • setup_x86_x64_install.exe
  • setup.exe
  • Main-Install-v4.9.exe
  • setupProv2.3.exe
  • Main-Install-v7.1.exe
  • Main-Install-v1.0.exe

Top 5 – SnakeKeylogger

Taking fifth with 8.1%, SnakeKeylogger is an info-stealer type malware that leaks information such as user key inputs, system clipboards, and browser account information.

Like AgentTesla, this malware uses e-mail servers and user accounts when leaking collected information. The following are the accounts used by recently collected samples.


Similar to other info-stealer malware, it is distributed through spam mails disguised as invoices, shipment documents, and purchase orders, so the file names contain words such as Invoice, Shipment, and P.O. (Purchase Order), as the list below shows.

  • Swift_6408372.exe
  • proforma_invoice_098756.exe
  • ABONOF2201.exe
  • PO_4500151298.exe
  • Quotation_-Scan001_No-_9300340731.doc.exe
  • price list..exe
  • PO09858.exe
  • new_order.exe
  • bank_in_slip.exe
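Across AgentTesla, Formbook and SnakeKeylogger the lure file names share the same traits: an executable whose stem carries an invoice, shipment or purchase-order word, a fake document or CAD extension (pdf, doc, dwg) in front of the real .exe, or long underscore padding that pushes the real extension out of view. The following is an added example, not code from ASEC or this post, that scores file names on those traits; the keyword list, the thresholds and the two benign names are assumptions.

```python
import re

# Constructed sample: lure names quoted in this post plus two benign names
# (the benign names are an assumption) so the heuristic has something to reject.
SAMPLE_NAMES = [
    "PO_166737.pdf.exe",
    "New purchase order____pdf.exe",
    "Quotation_pdf______________.exe",
    "Quotation_-Scan001_No-_9300340731.doc.exe",
    "Swift_6408372.exe",
    "setup_x86_x64_install.exe",   # CryptBot lure: installer theme, not a document
    "quarterly_report.pdf",        # benign (assumed)
    "vcredist_x64.exe",            # benign (assumed)
]

# Assumed keyword list built from the invoice / shipment / purchase-order themes above.
LURE_WORDS = re.compile(
    r"(invoice|inv\b|shipping|shipment|purchase[ _]?order|\bpo\b|po[_ #]?\d|swift|"
    r"quotation|quote|payment|proforma|statement|bank|new[ _]order|documents?)",
    re.IGNORECASE,
)
DOC_EXT = ("pdf", "xlsx", "xls", "doc", "docx", "dwg")
EXEC_EXT = ("exe", "scr", "pif", "com", "bat", "js", "vbs")
PADDING = re.compile(r"[_\-. ]{4,}")   # runs like "____" that hide the real extension

def signals(name):
    """Return the lure signals found in a file name; empty unless it is an executable."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    found = []
    if ext not in EXEC_EXT:
        return found
    found.append("executable")
    # A document extension anywhere before the real one: PO_166737.pdf.exe
    if any(p in DOC_EXT for p in parts[:-1]):
        found.append("fake-document-extension")
    stem = ".".join(parts[:-1])
    # A document word fused to the stem, padding stripped: order____pdf.exe
    if re.search(r"(^|[_\- ])(pdf|xlsx|doc|dwg)$", stem.rstrip("_- ")):
        found.append("fake-document-suffix")
    if LURE_WORDS.search(stem):
        found.append("lure-keyword")
    if PADDING.search(stem):
        found.append("padding")
    return found

def is_suspicious(name):
    """An executable plus at least one social-engineering signal."""
    return len(signals(name)) >= 2

def triage(names):
    """Map each suspicious name to the reasons it was flagged."""
    return {n: signals(n) for n in names if is_suspicious(n)}

if __name__ == "__main__":
    for name, why in triage(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(why)}")
```

Run over mail-gateway attachment logs, the function flags the document-themed executables while leaving the CryptBot installer-style names and ordinary executables alone, so pair it with other telemetry rather than treating it as a verdict on its own.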

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
