The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 3rd, 2022 (Monday) to October 9th, 2022 (Sunday).
For the main category, downloader ranked top with 45.0%, followed by info-stealer with 39.6%, backdoor with 14.6%, ransomware with 0.4%, and CoinMiner with 0.4%.
Top1. SmokeLoader
Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place with 22.1%. Like other malware that is distributed via exploit kits, this malware also has MalPe form.
When executed, it injects itself to explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to C&C server, it can either download additional module, or download another malware. Additionally downloaded malware usually has a feature of infostealer, and explorer.exe (child process) is created and injects module to operate.
For an analysis report related to Smoke Loader, refer to the ASEC Report below.
[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks
The confirmed C&C server URLs are as follows.
- nvulukuluir[.]net
- gulutina49org[.]org
- hulimudulinu[.]net
- stalnnuytyt[.]org
- nuluitnulo[.]me
- youyouumenia5[.]org
- guluiiiimnstra[.]net
Top2. AgentTesla
AgentTesla is an infostealer that ranked second place with 20.4%. It is an info-stealer that leaks user credentials saved in web browsers, emails, and FTP clients.
It uses e-mail to leak collected information, and there are samples that used FTP or Discord API. C&C information of recently collected samples is as follows.
- server : mail.epicenterafrica[.]com
sender : silvester.atuta@epicenterafrica[.]com
receiver : silvester.atuta@epicenterafrica[.]com
user : silvester.atuta@epicenterafrica[.]com
pw : as0******xkY - server : mail.rimiapparelsltd[.]com
sender : postmaster@rimiapparelsltd[.]com
receiver : webmaster@rimiapparelsltd[.]com
user : postmaster@rimiapparelsltd[.]com
pw : Ije*****8@ - server : microempaquescali[.]com
sender : investor@microempaquescali[.]com
receiver : investoryandex@microempaquescali[.]com
user : investor@microempaquescali[.]com
pw : icu******@
As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, and P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.
- comprobante009.xlsx.exe
- order jmg.exe
- doc2345689965624_PDF.exe
- information01.exe
- R1 UAE for Saudi Recovery project.pdf.exe
- Payment Advice.exe
Top3. BeamWinHTTP
BeamWinHTTP is a downloader malware that ranked third place with 19.2%. BeamWinHTTP is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner, and can download and install additional malware at the same time.
The confirmed C&C server URL is as follows.
- 95.214.24[.]96/load.php?pub=mixinte
- 208.67.104[.]97/powfhxhxcjzx/ping.php?sub=/mixtwo&stream=mixone&substream=mixazed
- 212.192.246[.]217/access.php?sub=NOSUB&stream=mix&substream=mixtwo
- goldenchests[.]com/checkversion.php?source=MIX2h1
Top4. SnakeKeylogger
Taking fourth with 7.9%, SnakeKeylogger is an info-stealer type malware that leaks information such as user key inputs, system clipboards, and browser account information.
Like AgentTesla, this malware uses e-mail servers and user accounts when leaking collected information. The following is the accounts used by recently collected samples.
- server : us2.smtp.mailhostbox[.]com
sender : monni@great-timecomess[.]com
receiver : monni@great-timecomess[.]com
pw : oc****T6 - server : us2.smtp.mailhostbox[.]com
sender : smadar.joseph@almalasers-il[.]com
receiver : smadar.joseph@almalasers-il[.]com
pw : do*****0
Similar to other info-stealer malware, it is distributed through spam mails disguised as invoices, shipment documents, and purchase orders, so the file names contain such words shown above (Invoice, Shipment, P.O. – Purchase Order).
- WriN.exe
- dls.exe
- QuizGame.exe
- Calculator 1.5.exe
Top5. Remcos
This week, Remcos ranked fifth place with 7.1%. Remcos is a RAT malware that carries out various commands given by the attacker such as keylogging and information leaking.
Remcos is packed with a .NET packer and is distributed as attachments to spam emails, just like AgentTesla, Formbook, and NanoCore. Recently, there are some cases where it got distributed after disguising itself as a certain tool.
The confirmed C&C server URLs of Remcos are as follows.
- hxxp://80.66.75[.]90/Vnmqugfh.bmp
- hxxp://geoplugin[.]net/json.gp
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Statistics