ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022)

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday).

For the main category, Infostealer ranked top with 43.2%, followed by downloader with 34.7%, backdoor with 19.4%, and ransomware with 2.2%.

Top 1 – Agent Tesla

Agent Tesla is an Infostealer that ranked first with 22.1%. It leaks user credentials saved in web browsers, email clients, and FTP clients.

It exfiltrates the collected information over e-mail (SMTP); some samples use FTP or the Discord API instead. The C&C information of recently collected samples is as follows.

  • server : mail.mktron[.]in (104.156.54[.]11)
    sender : stamping.quality2@mktron[.]in
    receiver : zakirrome@ostdubai[.]com
    user : stamping.quality2@mktron[.]in
    pw : zNvK*****UXb
  • server : mail.dmstech[.]in (104.156.54[.]11)
    sender : sanjeev@dmstech[.]in
    receiver : zakirrome@ostdubai[.]com
    user : sanjeev@dmstech[.]in
    pw : 0]6F*****qfd
  • server : mail.kidobd[.]com (88.198.58[.]26)
    sender : jahangir@kidobd[.]com
    receiver : info@ledcenter[.]by
    user : jahangir@kidobd[.]com
    pw : @dm****do

As most samples are distributed through spam mails disguised as invoices, shipment documents, and purchase orders, the file names contain such words, as shown below (Invoice, Shipment, and P.O. for Purchase Order). Multiple collected samples were disguised as files with .pdf or .xlsx extensions.

  • 000001_Quote_2200001612.exe
  • SWIFT MT103 86258992. pdf.exe
  • Orden de compra #PO06709.exe
  • Purchase order submitted for approval PO-00091 26102022.exe
  • 10556-Transferencia 3795770002016742.exe
  • 10556-Transfer 3795770002016742.exe
  • +++Offer-Proforma – CHTPUP SERVIS-MEASURE – 22-011-000021.exe
  • P.O. BFL-007756.exe
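
The naming tricks above (financial lure words, an executable hidden behind a document extension, even a space padded into ". pdf.exe") can be checked mechanically at the mail gateway. The following is an added example written for this post, not code from ASEC or from any of the families discussed; it runs over the file names listed above plus two constructed benign names, and the lure vocabulary and extension lists are assumptions chosen to fit the samples shown.

```python
import re

# Lure vocabulary drawn from the post (invoice, shipment, purchase order, transfer,
# quote, proforma ...). The last pattern catches "P.O.", "PO-00091" and "#PO06709"
# without matching "po" inside ordinary words such as "report".
LURE_PATTERNS = (
    r"invoice", r"shipment", r"purchase\s*order", r"orden de compra",
    r"transfer", r"swift", r"quote", r"proforma", r"offer",
    r"(^|[^a-z])p\.?o\.?(\s|#|_|-|\d)",
)
DOC_EXTENSIONS = ("pdf", "xlsx", "xls", "doc", "docx")
EXEC_EXTENSIONS = ("exe", "scr", "com", "pif", "bat", "js", "vbs")


def analyze_attachment_name(name):
    """Return the reasons a mail attachment name resembles the lures described above."""
    reasons = []
    lowered = name.lower()
    # "86258992. pdf.exe" -> "86258992.pdf.exe": strip whitespace around dots so a
    # padded double extension is still recognised as one.
    compact = re.sub(r"\s*\.\s*", ".", lowered)
    parts = compact.split(".")
    final_ext = parts[-1] if len(parts) > 1 else ""
    if final_ext in EXEC_EXTENSIONS:
        reasons.append("executable attachment (." + final_ext + ")")
        # A document extension directly before the executable one is the classic spoof.
        if len(parts) > 2 and parts[-2] in DOC_EXTENSIONS:
            reasons.append("document extension spoofed (." + parts[-2] + "." + final_ext + ")")
    if any(re.search(p, lowered) for p in LURE_PATTERNS):
        reasons.append("financial/shipping lure keyword in name")
    return reasons


def triage(names):
    """Map each name to its reasons, keeping only names that raised at least one."""
    flagged = {}
    for n in names:
        reasons = analyze_attachment_name(n)
        if reasons:
            flagged[n] = reasons
    return flagged


# File names from the post, plus two constructed benign names for contrast.
SAMPLE_NAMES = [
    "000001_Quote_2200001612.exe",
    "SWIFT MT103 86258992. pdf.exe",
    "Orden de compra #PO06709.exe",
    "Purchase order submitted for approval PO-00091 26102022.exe",
    "10556-Transferencia 3795770002016742.exe",
    "10556-Transfer 3795770002016742.exe",
    "+++Offer-Proforma – CHTPUP SERVIS-MEASURE – 22-011-000021.exe",
    "P.O. BFL-007756.exe",
    "Q3_report.pdf",        # constructed, benign
    "meeting notes.docx",   # constructed, benign
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(name, "->", "; ".join(reasons))
```

Every sample from the post raises at least the "executable attachment" reason, and the SWIFT lure additionally trips the double-extension check because of the whitespace normalisation; the two constructed document names raise nothing.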

Top 2 – BeamWinHTTP

BeamWinHTTP is a downloader malware that ranked second with 21.6%. It is distributed disguised as a PUP installer. When executed, it installs the PUP malware Garbage Cleaner and can download and install additional malware at the same time.

The confirmed C&C server URLs are as follows.

  • 45.139.105[.]171/itsnotmalware/count.php
  • ggg-cl.biz/stats/1[.]php
  • ggg-cl.biz/check[.]php
  • ggg-cl.biz/stats/save[.]php
  • 45.9.20.13/partner/loot[.]php
  • kokoko-24.online/api/tracemap[.]php
  • 45.15.156.54/itsnotmalware/count[.]PHP

Top 3 – Smokeloader

Smokeloader is an Infostealer / downloader that is distributed via exploit kits. This week, it ranked third with 8.7%. Like other malware distributed via exploit kits, it also takes the MalPe form.

When executed, it injects itself into explorer.exe, and the actual malicious behavior is carried out from within explorer.exe. After connecting to the C&C server, it can download either additional modules or other malware. The additionally downloaded malware usually has Infostealer functionality; a child explorer.exe process is created and the module is injected into it to operate.
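
The injection into explorer.exe described above leaves a trace that endpoint telemetry can pick up: a remote thread created in explorer.exe by a process that lives in a user-writable directory, or a thread whose start address is not backed by any loaded module. The following is an added detection sketch, not ASEC's code and not Smokeloader's; it reads Sysmon Event ID 8 (CreateRemoteThread) records with their real field names (SourceImage, TargetImage, StartModule), but the event records themselves are constructed and the user-writable path list is an assumption.

```python
import ntpath  # parses Windows paths correctly even when this runs on Linux/macOS

# Directories an ordinary user can write to (assumption for this example); a process
# started from one of these that creates threads inside explorer.exe deserves a look.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def is_suspicious_explorer_injection(event):
    """True for a Sysmon Event ID 8 (CreateRemoteThread) record whose target is
    explorer.exe and whose source looks untrusted: it runs from a user-writable
    path, or the new thread starts outside any loaded module (empty StartModule)."""
    if event.get("EventID") != 8:
        return False
    if ntpath.basename(event.get("TargetImage", "")).lower() != "explorer.exe":
        return False
    source = event.get("SourceImage", "").lower()
    from_user_path = source.startswith(USER_WRITABLE_PREFIXES)
    unbacked_start = not event.get("StartModule")
    return from_user_path or unbacked_start


def find_explorer_injections(events):
    """Return the SourceImage of every event that the rule above flags."""
    return [e["SourceImage"] for e in events if is_suspicious_explorer_injection(e)]


# Constructed sample events (not real telemetry). Only the first should be flagged.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
     "TargetImage": "C:\\Windows\\explorer.exe", "StartModule": ""},
    # System component creating a module-backed thread in explorer: expected noise
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "C:\\Windows\\System32\\ntdll.dll"},
    # Remote thread from a user path, but the target is not explorer.exe
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartModule": ""},
    # Module-backed thread from an installed application
    {"EventID": 8, "SourceImage": "C:\\Program Files\\Vendor\\app.exe",
     "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "C:\\Program Files\\Vendor\\hook.dll"},
]

if __name__ == "__main__":
    for src in find_explorer_injections(SAMPLE_EVENTS):
        print("suspicious thread injection into explorer.exe from", src)
```

The rule is deliberately narrow (target must be explorer.exe) so it can be tuned against a baseline; the third constructed event shows that the same technique against another target needs its own rule.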

Smoke Loader is an Infostealer / downloader that ranked fifth place with 6.6%. For an analysis report related to Smoke Loader, refer to the ASEC Report below.

[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks

The confirmed C&C server URLs are as follows.

  • bururutu44org[.]org
  • guluiiiimnstra[.]net
  • furubujjul[.]net
  • gulutina49org[.]org
  • hulimudulinu[.]net
  • liubertiyyyul[.]net
  • nuluitnulo[.]me
  • nvulukuluir[.]net
  • stalnnuytyt[.]org
  • youyouumenia5[.]org
  • o339ku32b3yk26[.]com
  • o36fafs3sn6xou[.]com

Additional malware can be downloaded via the C&C server; the strains currently confirmed are the Dharma and LockBit ransomware.

Top 4 – Tofsee

Tofsee is a backdoor that ranked fourth with 8.7%. It is mostly distributed via exploit kits and contacts its C&C server to download additional malicious modules with features such as mining, spam mail, and DDoS.

The confirmed C&C server URL is as follows.

  • hxxps://svartalfheim[.]top

Top 5 – Lokibot

Lokibot malware ranked fifth place with 7.5%. It is an Infostealer that leaks information about programs such as web browsers, email clients, and FTP clients.

The following is a list of the most frequently confirmed C&C servers for the malware.

  • iklok.us/SA/L/girl[.]php
  • iklok.us/SA/L/wl[.]php
  • legalpath.in/cc/Panel/fre[.]php
  • retrak.co.ke/psy/five/fre[.]php
  • sempersim.su/gk22/fre[.]php
  • sempersim.su/gl1/fre[.]php
  • sempersim.su/gl4/fre[.]php
  • sempersim.su/gl9/fre[.]php
  • tagveam.ml/ment/form/fre[.]php
  • wexno.us/ho/sk/dancex[.]PHP
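
The C&C lists in this post (Agent Tesla's SMTP servers, and the BeamWinHTTP, Smokeloader, Tofsee and Lokibot URLs above) are published defanged, so they have to be refanged and normalised before a proxy or DNS log can be checked against them. The following is an added example for that step, not ASEC's tooling; the indicator subset is copied from this post, the log lines are constructed, and the log format (timestamp, client, method, target, status) is an assumption.

```python
import re

# Defanged indicators copied from the lists in this post (a subset).
DEFANGED_IOCS = [
    "45.139.105[.]171/itsnotmalware/count.php",   # BeamWinHTTP
    "45.15.156.54/itsnotmalware/count[.]PHP",     # BeamWinHTTP (mixed-case path)
    "bururutu44org[.]org",                        # Smokeloader
    "hxxps://svartalfheim[.]top",                 # Tofsee
    "sempersim.su/gk22/fre[.]php",                # Lokibot
    "mail.kidobd[.]com",                          # Agent Tesla SMTP server
]


def refang(indicator):
    """Undo common defanging so the indicator can be compared with real log data."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


def split_host_path(target):
    """'http://host:port/path' or 'host:port/path' -> ('host', '/path')."""
    t = re.sub(r"^https?://", "", target.lower())
    host_port, _, path = t.partition("/")
    host = host_port.split(":")[0]
    return host, ("/" + path if path else "")


def build_matcher(defanged_iocs):
    """Index the IOCs as a set of hosts and a set of (host, path) pairs."""
    hosts, urls = set(), set()
    for ioc in defanged_iocs:
        host, path = split_host_path(refang(ioc))
        hosts.add(host)
        if path:
            urls.add((host, path))
    return hosts, urls


# Constructed proxy log lines (timestamp client method target status), not real traffic.
SAMPLE_LOG = """\
1667000001 10.0.0.12 GET http://sempersim.su/gk22/fre.php 200
1667000002 10.0.0.15 GET https://example.org/index.html 200
1667000003 10.0.0.18 CONNECT svartalfheim.top:443 200
1667000004 10.0.0.12 POST http://45.15.156.54/itsnotmalware/count.php 404
1667000005 10.0.0.20 GET http://mail.kidobd.com.lookalike.test/ 200
"""


def scan_log(log_text, defanged_iocs):
    """Return (timestamp, client, host, kind) for lines whose host is an IOC host.
    kind is 'url' when host and path both match an indicator, otherwise 'host'."""
    hosts, urls = build_matcher(defanged_iocs)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, target, _status = fields[:5]
        host, path = split_host_path(target)
        # Exact host comparison: a substring test would also flag the lookalike
        # line, which merely contains the IOC domain as a prefix.
        if host in hosts:
            kind = "url" if (host, path) in urls else "host"
            hits.append((ts, client, host, kind))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(hit)
```

Paths are lower-cased on both sides so the post's "count[.]PHP" still matches "count.php"; the CONNECT line shows that a TLS tunnel to a Tofsee host can only be matched on the host, since the path never reaches the proxy.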

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
