ASEC Weekly Malware Statistics (September 19th, 2022 – September 25th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 19th, 2022 (Monday) to September 25th, 2022 (Sunday).

For the main category, info-stealer ranked top with 51.3%, followed by backdoor with 21.1%, downloader with 17.2%, and ransomware with 10.3%.

Top 1 – Agent Tesla

AgentTesla is an infostealer that ranked first place with 20.7%. It is an info-stealer that leaks user credentials saved in web browsers, emails, and FTP clients.

It uses e-mail to leak collected information, and there are samples that used FTP or Discord API. C&C information of recently collected samples is as follows.

  • server : mail.kenchez[.]com (103.14.121[.]240)
    sender : operations@kenchez[.]com
    receiver : hr-msa@ammarrpp[.]com
    user : operations@kenchez[.]com
    pw : a***#
  • server : mail.pisc[.]lk (108.170.60[.]107)
    sender : sales@pisc[.]lk
    receiver : decencykelvin4@gmail[.]com
    user : sales@pisc[.]lk
    pw : PI***21
  • server : mail.jaromaxpalacehotel[.]com (23.106.236[.]210)
    sender : gm@jaromaxpalacehotel[.]com
    receiver : linklogs135@gmail[.]com
    user : gm@jaromaxpalacehotel[.]com
    pw : 20***ax#

As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, and P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.

  • purchase order.exe
  • ORDER_#SEP.19.2022.exe
  • Bank_payment_swift_message.exe
  • Contract_for_ETS-_2022.exe
  • po#35611-m.exe
  • TT_payment.exe
  • Offer No. 22-PL-0765-A_PDF.exe
  • Commercial_invoice-AD1-2001028L.exe
  • Quotation-no. 2210993 AN.exe
  • payment.exe
  • New_Inquiry.exe
  • Bank payment swift message.exe
  • PO 4560132262.exe
  • Swift- 220070.exe
  • commercial invoice-AD1-2001028L.exe
  • Order 84882_xlsx.exe

Top 2 – Vidar

Vidar was ranked second place with 9.9%. It is an infostealer or downloader malware. Vidar not only has features such as web browser, FTP, cryptocurrency wallet address, screenshot, but also has a feature that can download additional malware.

As shown in the blogs below, Vidar is distributed through spam emails as a malicious attachment, which also contains other ransomware, and sent periodically to Korean users.

Recently, certain game platforms are being abused to spread ransomware.

The following has explanations on Vidar’s info-leaking feature.

C&C URLs that were used during the period are the following.

  • hxxp://acacaca[.]org/test3/get.php
  • hxxp://winnlinne[.]com/test3/get.php
  • hxxp://195.201.253[.]5/1515
  • hxxp://79.124.78[.]206/517
  • hxxp://116.203.7[.]175/915

Top 3 – Stop Ransomware

Stop ransomware ranked third place with 9.5%. It is malware that is distributed mainly using exploit kit. This malware encrypts certain files in user PCs. It has been distributed in various forms since the past. The recently distributed samples perform ransomware behavior by installing Vidar, which is an infostealer.

The following is the C&C server URLs of Stop ransomware.

  • hxxp://acacaca[.]org/files/1/build3.exe
  • hxxp://winnlinne[.]com/files/1/build3.exe
  • hxxp://tzgl[.]org/files/1/build3.exe
  • hxxp://rgyui[.]top/dl/build2.exe

Top 4 – SnakeKeylogger

Taking the fourth place with 9.1%, SnakeKeylogger is an info-stealer type malware that leaks information such as user key inputs, system clipboards, and browser account information.

Like AgentTesla, this malware uses e-mail servers and user accounts when leaking collected information. The following are the accounts used by recently collected samples.

  • host : us2.smtp.mailhostbox[.]com (208.91.199[.]225)
    sender: exp@jaiqroup[.]com
    receiver: exp@jaiqroup[.]com
    user: exp@jaiqroup[.]com
    pw: Chel*****22
  • host : us2.smtp.mailhostbox[.]com (208.91.199[.]225)
    sender: support@habitatbreks[.]org
    receiver: support@habitatbreks[.]org
    user: support@habitatbreks[.]org
    pw: I(K****G8

Top 5 – Smokeloader

Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, Smokeloader ranked fifth place with 8.6%. Like other malware that is distributed via exploit kits, this malware also has MalPe form. 

When executed, it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to C&C server, it can either download additional module or another malware. Additionally downloaded malware usually has a feature of infostealer, and explorer.exe (child process) is created and injects a module to operate.

Smoke Loader is an info-stealer / downloader malware that ranked fifth place with 6.6%. For an analysis report related to Smoke Loader, refer to the ASEC Report below.

[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks

The confirmed C&C server URLs are as follows.

  • liubertiyyyul[.]net
  • bururutu44org[.]org
  • youyouumenia5[.]org
  • nvulukuluir[.]net
  • nuluitnulo[.]me
  • guluiiiimnstra[.]net

Another malware can be downloaded from outside by using C&C server, and currently confirmed malware strains are Dharma and Lockbit ransomwares.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Tagged as:,

0 0 votes
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments