ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023)

The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 26th, 2022 (Monday) to January 1st, 2023 (Sunday).

For the main category, downloader ranked top with 48.8%, followed by backdoor with 24.2%, Infostealer with 18.4%, CoinMiner with 4.8%, ransomware with 3.4%, and lastly banking malware with 0.5%.

Top 1 – SmokeLoader

SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits. This week, it ranked first place with 33.8%. Like other malware that is distributed via exploit kits, this malware also has a MalPe form.

When executed, it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to the C&C server, it can download additional modules or other malware strains. Additionally downloaded modules usually have Infostealer features, and explorer.exe (child process) is created and injects modules to operate.

For an analysis report related to Smoke Loader, refer to the ASEC Report below.

[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks

The confirmed C&C server URLs are as follows.

  • vatra[.]at/tmp
  • spbdg[.]ru/tmp
  • skinndia[.]com/tmp
  • cracker[.]biz/tmp
  • piratia-life[.]ru/tmp
  • piratia[.]su/tmp
  • potunulit[.]org
  • hutnilior[.]net
  • bulimu55t[.]net
  • soryytlic4[.]net
  • novanosa5org[.]org

Top 2 – Redline

RedLine malware ranked second place with 22.6%. The malware steals various information such as web browsers, FTP clients, cryptocurrency wallets, and PC settings. It can also download additional malware by receiving commands from the C&C server. Like BeamWinHTTP, there have been numerous cases of RedLine being distributed under the disguise of a software crack file.

The following are the confirmed C&C server domains for RedLine:

  • 45.15.156[.]155:80
  • 34.125.68[.]133:80
  • 159.223.106[.]156:81
  • 185.242.86[.]118:46875
  • 79.137.204[.]112:80

Top 3 – BeamWinHTTP

BeamWinHTTP is a downloader malware that ranked third place with 11.6%. The malware is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner and can download and install additional malware at the same time.

The confirmed C&C server URL is as follows.

  • 45.139.105[.]171

Top 4 – Vidar

Vidar was ranked fourth place with 7.2%, and it is an Infostealer / downloader malware. Vidar not only has features such as web browser, FTP, cryptocurrency wallet address, screenshot, but also has a feature that can download additional malware.

As shown in the blogs below, spam mails are being sent periodically to Korean users, and its characteristic is that it exists with other ransomware within the compressed file attached to the spam mail.

Recently, certain game platforms are being abused to spread ransomware.

The following has explanations on Vidar’s info-leaking feature.

C&C URLs that were used during the period are the following.

  • hxxp://195.201.45[.]53/1707
  • hxxp://116.202.6[.]206/1707
  • hxxp://142.132.236[.]84/1515
  • hxxp://49.12.8[.]228/1839
  • hxxp://157.90.244[.]205/400
  • hxxp://116.202.4[.]70/634

Top 5 – Tofsee

This week, Tofsee was ranked fifth with 6.3%. Tofsee is a spambot malware that isn’t found in Korea but has been in constant distribution outside Korea for a long time. For reference, Tofsee has the same packer format as SmokeLoader, Vidar Infostealer, and Stop Ransomware, suggesting that it is installed through malware strains that are distributed from malicious websites disguised as download pages for cracks and keygens of commercial software.

Tofsee is a module-based malware that can receive commands from C&C servers after infecting the target system to install and use various modules. These modules include coin mining, account credential extortion, and DDoS attack.

The confirmed C&C server URLs are as follows.

  • svartalfheim[.]top:443
  • jotunheim[.]name:443

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Tagged as:

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments