The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 7th, 2022 (Monday) to November 13th (Sunday).
For the main category, downloader ranked top with 37.8%, followed by Infostealer with 27.1%, banking malware with 22.9%, backdoor with 11.2%, ransomware with 0.5%, and CoinMiner with 0.5%.
Top 1 – Emotet
Emotet, which has resurfaced after six months, ranked first place with 22.9%. Emotet is a typical banking malware that is distributed as an attachment to spam emails. After it had been incapacitated through global collaborative efforts, no traces of its activity were found in the last six months. However, it has started propagating itself again since November 2022.
When Emotet is installed, it resides in the system and periodically attempts to connect to the C&C server. The malware can receive additional modules or malware from the C&C server and install them. Additional modules include info-stealing modules that steal information such as web browser and e-mail credentials, and a propagation module that spreads via shared folders. Qakbot and Trickbot are some of the banking malware that are downloaded via Emotet, and it has recently been found that IcedID banking malware is also being installed.
Top 2 – AgentTesla
AgentTesla is an Infostealer that ranked second place with 13.8%. It leaks user credentials saved in web browsers, emails, and FTP clients.
Although it uses email (the SMTP protocol) to leak collected information, there are samples that used FTP or the Discord API. The C&C information of recently collected samples is as follows.
- FTP Server : ftp://ftp.valvulasthermovalve[.]cl/
  User : firstname.lastname@example.org
  Password : LI***L14!!
- SMTP Server : mail.kulanitech.co[.]za
  User : email@example.com
  Password : Le***0!
  Receiver : firstname.lastname@example.org
- SMTP Server : mail.vrgenergy.com
  User : email@example.com
  Password : M***hy*5VD
  Receiver : firstname.lastname@example.org
As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words (Invoice, Shipment, and P.O. – Purchase Order). Multiple collected samples were disguised as files with pdf and xlsx extensions.
- OFFER – RPG 799902113840_pdf.exe
- Attachment New-Order20221108.exe
- ICMES-JIF-11-022 G1.exe
- BL Draft Copy.exe
Top 3 – SmokeLoader
SmokeLoader is an infostealer/downloader malware that is distributed via exploit kits. This week, it ranked third place with 10.7%. Like other malware that is distributed via exploit kits, this malware also has a MalPe form.
When executed, it injects itself into explorer.exe, and the actual malicious behavior is carried out by explorer.exe. After connecting to the C&C server, it can download additional modules or other malware strains. The additionally downloaded modules usually have infostealer features; to run them, an explorer.exe child process is created and the modules are injected into it.
For an analysis report related to Smoke Loader, refer to the ASEC Report below.
The confirmed C&C server URLs are as follows.
Top 4 – Amadey
This week, Amadey Bot ranked fourth place with 10.2%. Amadey is a downloader that can receive commands from the attacker to download additional malware, and when info-stealing modules are used, it can collect user credentials in the infected system.
Usually, Amadey is installed by SmokeLoader, which is distributed disguised as normal programs and cracks. Recently, however, Amadey has been distributed to corporate users through malicious document files attached to spam emails and used to install LockBit ransomware.
The confirmed C&C server URLs are as follows.
Top 5 – GuLoader
GuLoader, which ranked fifth place with 8.6%, is a downloader malware that downloads additional malware and runs it. It was packed with Visual Basic in the past to bypass detection, but it is now distributed in the form of an NSIS installer. It used to be known as CloudEye but got the name GuLoader because Google Drive is frequently used as a download URL. In addition to Google Drive, various other URLs such as Microsoft OneDrive can also be used.
To avoid detection, the additional malware is not downloaded as a file but loaded into memory, and the downloaded data is encoded rather than being a PE. It is then decoded in memory and executed. The malware downloaded this way includes infostealers (Formbook and AgentTesla) and RATs (Remcos and NanoCore).
As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words (Invoice, Shipment, and P.O. – Purchase Order). Some samples have names disguised as document files such as pdf and xlsx or AutoCAD blueprint files such as dwg.
- documentos DHL.exe
- Orden de compra #S045678.exe
- INQUIRY 001-904940.scr
- PENTHOUSE BRIDGE GENOA.exe
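The naming pattern described for the AgentTesla and GuLoader attachments (an executable extension behind a document-style or business-lure name) can be checked at a mail gateway or during triage. The Python below is an added example, not ASEC's code: the function name and the lure word list are assumptions, and the sample names are those listed in this post plus one constructed benign name.

```python
import re
from pathlib import PurePath

# Extensions Windows runs directly; the samples in this post use .exe and .scr.
EXECUTABLE_EXTS = {".exe", ".scr"}
# Document types the post says the samples imitate.
DOC_TOKENS = {"pdf", "xlsx", "dwg"}
# Assumed lure vocabulary: Invoice / Shipment / Order from the post plus words
# seen in its sample names. Extend for your own mail flow.
LURE_WORDS = {"invoice", "shipment", "order", "orden", "offer", "inquiry",
              "draft", "dhl"}

def classify_attachment(name: str) -> list[str]:
    """Return the reasons an attachment name matches the lure pattern."""
    path = PurePath(name.strip())
    ext = path.suffix.lower()
    if ext not in EXECUTABLE_EXTS:
        return []  # only directly executable attachments are in scope
    reasons = [f"executable extension {ext}"]
    stem = path.stem.lower()
    # Document token right before the real extension: "..._pdf.exe", "a.xlsx.exe"
    tail = re.search(r"[._\- ]([a-z0-9]+)$", stem)
    if tail and tail.group(1) in DOC_TOKENS:
        reasons.append(f"document token '{tail.group(1)}' before {ext}")
    # Split on anything that is not a letter so "Order20221108" yields "order".
    words = set(re.split(r"[^a-z]+", stem))
    hits = sorted(words & LURE_WORDS)
    if hits:
        reasons.append("lure words: " + ", ".join(hits))
    return reasons

# File names listed in this post, plus one constructed benign name (last entry).
SAMPLES = [
    "OFFER – RPG 799902113840_pdf.exe",
    "Attachment New-Order20221108.exe",
    "ICMES-JIF-11-022 G1.exe",
    "BL Draft Copy.exe",
    "documentos DHL.exe",
    "Orden de compra #S045678.exe",
    "INQUIRY 001-904940.scr",
    "PENTHOUSE BRIDGE GENOA.exe",
    "Invoice 2022-11.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {classify_attachment(sample) or 'no match'}")
```

Names such as "ICMES-JIF-11-022 G1.exe" carry no lure word at all, so the executable extension on a mail attachment is the signal to act on; the other reasons only help prioritise.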