ASEC’s RAPIT weekly analysis covers malware statistics from May 1–7, 2023, showing infostealers as the top category and AgentTesla leading the threat landscape. It details the main families (AgentTesla, Formbook, Amadey, GuLoader, Lokibot), their distribution, infection vectors, and C2 infrastructure. #AgentTesla #Formbook #Amadey #GuLoader #Lokibot #AhnLab #RAPIT
Key points
- Timeframe of the weekly stats: May 1, 2023 (Monday) to May 7, 2023 (Sunday).
- Main category distribution: Infostealer 60.6%, Downloader 27.3%, Backdoor 9.1%, Ransomware 3.0%.
- Top malware: AgentTesla leads with 25.8% and specializes in stealing credentials from browsers, emails, and FTP clients.
- Formbook ranks second at 20.5%, distributed via spam and capable of keylogging, clipboard grabbing, and web browser form grabbing.
- Amadey is third at 17.4%, a downloader that can fetch additional malware and is used to install other families (e.g., LockBit) via spam/document delivery.
- GuLoader ranks fourth at 9.8%, a downloader that operates in memory, downloads payloads (Infostealers and RATs), and uses multiple download URLs (including Google Drive/OneDrive/Discord).
- Lokibot is fifth at 6.8%, an infostealer that leaks credentials for browsers, email clients, and FTP clients and is spread via spam with targeted file names.
MITRE Techniques
- [T1555.003] Credentials in Web Browser – AgentTesla leaks user credentials saved in web browsers, emails, and FTP clients. “It leaks user credentials saved in web browsers, emails, and FTP clients.”
- [T1056.001] Keylogging – Formbook is injected into normal processes and can steal information via keylogging, with additional capabilities like clipboard grabbing and form grabbing. “When Formbook is injected into normal processes (one is a running explorer.exe and the other is in system32), the malicious behaviors are performed by these normal processes. Besides user credentials in the web browser, the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.”
- [T1115] Clipboard Data – Formbook steals clipboard data as part of its data exfiltration.
- [T1056.003] Web Form Grabbing – Formbook captures data entered into web forms in browsers. “web browser form grabbing.”
- [T1071.001] Web Protocols – Formbook communicates with confirmed C2 server URLs, illustrating control over C2 channels via web protocols. “Below is the list of confirmed C&C server URLs of Formbook.”
- [T1027] Obfuscated/Encoded Files and Information – GuLoader downloads payloads encoded, not PE, and decodes in memory before execution. “the downloaded file is encoded, not PE. It is then executed after being decoded in the memory.”
- [T1105] Ingress Tool Transfer – GuLoader downloads additional malware (Infostealers and RATs) during execution. “downloading malware such as Infostealers (Formbook and AgentTesla) and RAT (Remcos and NanoCore).”
- [T1036] Masquerading – Lokibot samples carry file names that disguise them as documents or drawings, reflecting the naming tactics used for spam attachments. “Some samples have extensions disguised as document files such as pdf and xlsx or Auto CAD blueprint files such as dwg.”
- [T1071.001] Web Protocols – Lokibot C2 endpoints use web routes ending in fre.php, indicating Web Protocols for C2. “Lokibot C&C server URLs tend to end in fre.php.”
Indicators of Compromise
- [Domain] C2 and malicious infrastructure – traindic.top, xysklhgf.xyz, and 2 more domains (Formbook C2 URLs).
- [IP] C2/hosting IPs – 104.156.227.195, 185.246.220.85, and 6 more IPs (related to Lokibot/Formbook infrastructure).
- [IP] Additional C2 endpoints – 171.22.30.147, 185.246.220.60, 77.91.124.207, 77.91.124.20, 212.113.119.255, 45.137.22.248, 194.59.218.151, 156.96.113.118.
- [File name] Sample file names used in campaigns – 210763497664-030339-sanlccjavap0003-1.pdf.exe, Scan_4195921_102396.exe, Lplanters Paralleluniversers.exe, Zoologens Lsningen.exe, Trianguleredes.exe, 7120820_INTRACO.exe (Lokibot/GuLoader/Formbook spam distribution).
- [URL] C2/download URLs – hxxp://specialblue.in/df30hn4m/index.php, hxxp://77.91.124.20/store/games/index.php, hxxp://www.traindic.top/hpb7/, hxxp://www.xysklhgf.xyz/ae30/ (Formbook-related URLs).
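As an added defender-side example (not code from the ASEC report), the script below applies three observations from this summary to constructed proxy-log lines: the Lokibot C2 path pattern ending in fre.php, the Formbook C2 URLs listed in the IoCs, and executables disguised with a document or drawing extension before .exe. The log format, the reserved example.test domain and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse
# Formbook C2 URLs from the report's IoC list, refanged from hxxp to http for matching.
FORMBOOK_C2_URLS = {
    "http://www.traindic.top/hpb7/",
    "http://www.xysklhgf.xyz/ae30/",
    "http://specialblue.in/df30hn4m/index.php",
    "http://77.91.124.20/store/games/index.php",
}
FORMBOOK_C2_HOSTS = {urlparse(u).hostname for u in FORMBOOK_C2_URLS}
# Document/CAD extensions the report says Lokibot samples impersonate, followed by .exe.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|xlsx?|docx?|dwg)\.exe$", re.IGNORECASE)
# Constructed (assumed) proxy-log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
def refang(url: str) -> str:
    """Turn a defanged hxxp:// URL into a parseable http:// one."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
def classify_url(url: str) -> list:
    """Report-derived reasons a URL looks suspicious (empty list if none)."""
    u = refang(url)
    p = urlparse(u)
    reasons = []
    if p.path.lower().endswith("fre.php"):  # Lokibot C2 URLs tend to end in fre.php
        reasons.append("lokibot_c2_pattern")
    if u in FORMBOOK_C2_URLS or p.hostname in FORMBOOK_C2_HOSTS:
        reasons.append("formbook_c2_ioc")
    return reasons
def classify_filename(name: str) -> list:
    """Flag an .exe disguised with a document or drawing extension, e.g. invoice.pdf.exe."""
    return ["double_extension_exe"] if DOUBLE_EXT_RE.search(name) else []
def triage_log(lines) -> list:
    """Return (client_ip, url, reasons) for every log line matching a report pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        _, client_ip, _, url, _ = m.groups()
        filename = urlparse(refang(url)).path.rsplit("/", 1)[-1]
        reasons = classify_url(url) + classify_filename(filename)
        if reasons:
            hits.append((client_ip, url, reasons))
    return hits
SAMPLE_LOG = [  # constructed lines, not real traffic; example.test is a reserved test domain
    "2023-05-03T10:01:02Z 10.0.0.12 GET http://www.traindic.top/hpb7/ 200",
    "2023-05-03T10:02:15Z 10.0.0.12 POST http://example.test/panel/fre.php 200",
    "2023-05-03T10:03:40Z 10.0.0.33 GET http://example.test/invoice.pdf.exe 200",
    "2023-05-03T10:04:00Z 10.0.0.44 GET http://example.test/index.html 200",
]
```

Running `triage_log(SAMPLE_LOG)` returns the first three lines as hits; the fre.php and double-extension checks are heuristics and will need tuning against benign traffic in a real environment.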
Read more: https://asec.ahnlab.com/en/52488/