ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 28th, 2022 (Monday) to December 4th, 2022 (Sunday).

For the main category, Infostealer ranked top with 34.8%, followed by downloader with 28.2%, backdoor with 21.1%, ransomware with 14.6%, and CoinMiner with 0.3%.

Top 1 – SmokeLoader

SmokeLoader is an infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with 14.9%. Like other malware that is distributed via exploit kits, this malware also has a MalPe form.

When executed, it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to the C&C server, it can download additional modules or other malware strains. Additionally downloaded modules usually have infostealer features, and explorer.exe (child process) is created and injects modules to operate.

For an analysis report related to Smoke Loader, refer to the ASEC Report below.

[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks

The confirmed C&C server URLs are as follows.

• akmedia[.]in/js/k/index.php
• bethesdaserukam[.]org/setting/k/index.php
• stemschools[.]in/js/k/index.php
• dejarestaurant[.]com/wp-admin/js/k/index.php
• moabscript[.]ir/wp-admin/js/k/index.php
• nicehybridseeds[.]com/image/catalog/k/index.php
• imaker[.]io/picktail/js/k/index.php
• nanavatisworld[.]com/assets/js/k/index.php
• smartbubox[.]com/img/k/index.php
• krigenpharmaceuticals[.]com/js/k/index.php

Top 2 – AgentTesla

AgentTesla is an Infostealer that ranked second place with 14.6%. It leaks user credentials saved in web browsers, emails, and FTP clients.

Although it uses emails (a.k.a. SMTP protocol) to leak collected information, there are samples that used FTP or Telegram API. The C&C information of recently collected samples is as follows.

• Telegram API : hxxps://api.telegram[.]org/bot5453942321:AAF6CS9julQ6K7s5pxacNALwWJ2A52D0EC4/sendDocument
• SMTP Server : host39.registrar-servers.com
  User : kingsly@potashin.us
  Password : 2r^1o***QV
  Receiver : kingsly@potashin.us
• SMTP Server : mail.rimiapparelsltd.com
  User : esoto@rimiapparelsltd.com
  Password : Ev***0@
  Receiver : daconic@rimiapparelsltd.com
• SMTP Server : mail.nec-eg.com
  User : sales5@nec-eg.com
  Password : #i!N***12
  Receiver : nelsonpacavira01@gmail.com

As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, and P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.

• AWB#5401214457_Nov. 2022.exe
• dvswiftsend_3011202234513_931079122 .pdf.exe
• FACTURE PROFORMA GIZ DU 30 AU-2022-OCWAR-T.exe
• new order.exe
• Payment copy of Euro 90,162.57.exe
• PO 221001.PDF (Panvertex. Private Ltd. Trading Company Limited) Signed Copy.exe
• PO#28135 – 裕偉.exe
• RFQ_$CIF& Ex RCI Spain.exe

Top 3 – Stop

Stop is a ransomware that is usually distributed through exploit kits and cracks. This week, it ranked third place with 14.1%. Just like SmokeLoader and Vidar, Stop has a MalPe form, and it is known for having a feature to download certain malware before encrypting the target files. Threat actors who use this ransomware typically install Vidar Infostealer to steal information of the infected system, then encrypt the user files.

Stop Ransomware connects to a C&C server before downloading a public key for encryption. If the connection fails, it uses the public key that is included in the binary. The recently identified C&C servers of Stop Ransomware are as follows.

• hxxp://fresherlights[.]com/lancer/get.php
• hxxp://fresherlights[.]com/test1/get.php

In addition to the C&C servers, Stop also has URLs to download additional malware, which includes Vidar Infostealer and ClipBanker.

• hxxp://fresherlights[.]com/files/1/build3.exe
• hxxp://uaery[.]top/dl/build2.exe

Top 4 – Vidar

Vidar was ranked fourth place with 13.3%, and it is an Infostealer / downloader malware. Vidar not only has features such as web browser, FTP, cryptocurrency wallet address, screenshot, but also has a distinctive feature that can download additional malware.

Stop Ransomware operators have steadily been using Vidar; Before using Stop to encrypt files, the operators install Vidar to steal information.

The following has explanations on Vidar’s info-leaking feature.

C&C URLs that were used during the period are the following.

• hxxp://195.201.45[.]53/1375
• hxxp://195.201.45[.]53/517
• hxxp://88.198.77[.]204/1148
• hxxp://88.198.77[.]204/517
• hxxp://95.217.29[.]31/517

Top 5 – RedLine

RedLine ranked fifth place with 8.3%. This malware steals various information such as web browsers, FTP clients, cryptocurrency wallets, and PC settings. It can also download additional malware by receiving commands from the C&C server. Like BeamWinHTTP, there have been numerous cases of RedLine being distributed under the disguise of a software crack file.

The following are the confirmed C&C server domains for RedLine:

• 194.36.177[.]60:81
• 45.138.74[.]121:80
• 193.47.61[.]7:42774
• 79.137.204[.]112:80
• 49.12.189[.]93:81
• 45.15.156[.]155:80

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.