ASEC Weekly Malware Statistics (July 11th, 2022 – July 17th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from July 11th, 2022 (Monday) to July 17th, 2022 (Sunday).

For the main category, info-stealer ranked top with 52.2%, followed by backdoor with 26.8%, downloader with 19.7%, banking with 0.6%, and ransomware with 0.6%.

Top 1 – AgentTesla

AgentTesla is an infostealer that ranked first place with 29.9%. It is an info-stealer that leaks user credentials saved in web browsers, emails, and FTP clients.

It uses e-mail to leak collected information, and there are samples that used FTP or Discord API. C&C information of recently collected samples is as follows.

• server : nbvqa[.]cam (192.185.37[.]183)
  sender : logs@nbvqa[.]cam
  receiver : asset@nbvqa[.]cam
  user : logs@nbvqa[.]cam
  pw : Wo******ce1
• server : activandalucia[.]com(185.162.171[.]75)
  sender : marketing9@activandalucia[.]com
  receiver : sales9@activandalucia[.]com
  user : marketing9@activandalucia[.]com
  pw : i***123456789@$
• server : alpitour[.]ro (195.24.236[.]35)
  sender : office@alpitour[.]ro
  receiver : salespcbcom@gmail[.]com
  user : office@alpitour[.]ro
  pw : R*****2004

As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.

• DFDocumentsB2F.exe
• E700 quotation20111209.exe
• INVOICE30843221.PDF.exe
• Order-0003388657344498755655645.exe
• Payment Confirmation 409991_pdf.exe
• presupuesto20111209_xls.exe
• Proof of funds.exe
• Scan_0100000008192-07-13-2022.Pdf.exe
• SM – 00060 pdf.exe
• Swift – 70,990.00 – 220070.exe
• WSL_0398763543563-334536.exe

Top 2 – GuLoader

GuLoader, which ranked second place with 17.2%, is a downloader malware that downloads additional malware and runs it. It was packed with Visual Basic language in the past to avoid detection, but is now distributed in a form of NSIS installer. It used to be known as CloudEye, but got a name GuLoader because Google Drive is frequently used as a download URL. In addition to Google Drive, various URLs such as One Drive from Microsoft can also be used.

• hxxp://103.170.254[.]140/ori4_uZwAB92.bin
• hxxp://37.0.8[.]96/ori4_BbyzQsh88.bin
• hxxp://64.44.168[.]209/bin_eQRRH224.bin
• hxxps://alex5jewelry[.]com/UGOB_shEAWmYFg144.bin
• hxxps://drive.google[.]com/uc?export=download&id=1boB-fQiskxlObFjquuzE6RGT4R3me8M5
• hxxps://drive.google[.]com/uc?export=download&id=1E6uppfq60DUD1gKiTUXeaA7fjCL_DztZ
• hxxps://drive.google[.]com/uc?export=download&id=1zLnu1oI79DQnLFU9Smc2U9ROLws-QWyD
• hxxps://toucklock[.]com/FRANCIS_gOVmkcYIun138.bin

Instead of being downloaded in a file form, GuLoader is downloaded on memory to avoid detection, and the downloaded file is in encoded format, not in PE. It then runs after decoding in the memory, downloading malware such as infostealer (Formbook, AgentTesla) and RAT (Remcos, NanoCore).

As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, P.O. – Purchase Order). Some samples have extensions disguised as document files such as pdf and xlsx or Auto CAD blueprint files such as dwg.

• DataRequestList_20200429_1.exe
• Order Request Wardrey Premise.exe
• Comprobante_de_pago_4PO873516721_pdf.exe
• BBVA-Confirming Factura.exe
• Norske Antagonismers.exe
• Oktavers.com
• PRUEBA DE PAGO.exe
• Skewers9.exe

Top 3 – Formbook

Formbook ranked third place with 12.1%.

Like other info-stealer, Formbook is mainly distributed through spam emails. The distributed file names are close to each other.

• Packing list.exe
• bc3.exe
• PO-15402-GEMILANGEO_13072022.exe
• RE CPIC ABAHSAIN FIBERGLASS.exe
• PAYMENT ADVICE.exe

As Formbook is injected into two normal processes (one is a running explorer.exe process and the other in system32 directory), the malicious behaviors are performed by these normal processes. Besides user credentials in the web browser, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.

Below is the list of confirmed C&C server URLs of Formbook.

• hxxp://www.hand-oo[.]xyz/w21s/
• hxxp://www.sueaho24[.]xyz/ksy2/
• hxxp://www.nusires[.]com/mt88/
• hxxp://www.shermans8[.]com/4cgj/
• hxxp://www.momentums6[.]com/tn61/
• hxxp://www.fixthecosts[.]com/mnhg/
• hxxp://www.ninoxins[.]com/9j9n/
• hxxp://www.bestselectrics[.]com/h9t0/

Top 4 – NanoCore 

This week, NanoCore ranked fourth place with 7.6%. It is a RAT malware developed with .NET. Like njRAT, it can perform various commands given by the attacker such as information leakage including keylogging.

Similar to AgentTesla, Formbook, AveMaria, and Remcos, the NanoCore is packed with .NET packer and distributed through attached files in spam emails. As such, the file names reported are not much different from those of other malware distributed through spam emails.

• J9oGg3o0PDx1GFc.exe
• 7fvPPAUC8dibneE.exe
• aff7c3.exe
• B79LCfym03BACbW.exe

The following list is the confirmed C&C server domains for NanoCore.

• fastspeed.ddnsfree[.]com
• lowaspeed.ddnsfree[.]com
• 411speed.duckdns[.]org

Top 5 – Lokibot

Lokibot malware ranked fifth place with 6.4%. It is an info-stealer that leaks information about programs such as web browsers, email clients, and FTP clients.

Being a malware that is distributed through spam emails, it shares similar file names with other malware spam emails.

• MSBuild.exe
• cvtres.exe
• svchost.exe
• notepad++.exe

As shown below, most Lokibot C&C server URLs tend to end in fre.php.

• 98.187.30[.]47/p.php?id=16543535265942912
• 198.187.30[.]47/p.php?id=48782731967809308
• 45.133.1[.]45/perez1/five/fre.php
• 198.187.30[.]47/p.php?id=10316882234268616
• sempersim[.]su/gh20/fre.php
• sempersim[.]su/gh23/fre.php
• indrageet[.]top/five/fre.php
• sempersim[.]su/gf20/fre.php
• 198.187.30[.]47/p.php?id=19957150644816880
• ttloki[.]us/xz/ee/ttf.php
• sempersim[.]su/gh20/fre.php
• 198.187.30[.]47/p.php?id=22289002125658625
• 198.187.30[.]47/p.php?id=16543535265942912
• 198.187.30[.]47/p.php?id=6280950461217531
• 185.102.170[.]20/demo/fre.php
• 45.133.1[.]45/health5/five/fre.php
• 198.187.30[.]47/p.php?id=17414649419491256
• 62.197.136[.]176/health4/five/fre.php
• 185.102.170[.]20/demo/fre.php
• qtd8gcdoplav737wretjqmaiy[.]tk/pato/fre.php
• pvcfloorco[.]com/Panel/five/fre.php
• sempersim[.]su/gh20/fre.php
• 198.187.30[.]47/p.php?id=22289002125658625
• gracetime[.]tech/cyber/tech/coded/fre.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.