ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022) – ASEC BLOG

The ASEC weekly malware statistics summarize the top families by distribution share for November 21–27, 2022, led by AgentTesla and SmokeLoader. The post also lists their command-and-control infrastructure and the common lure themes, such as invoices and purchase orders, used to spread the samples.

Read more: https://asec.ahnlab.com/en/43255/
#AgentTesla #SmokeLoader #BeamWinHTTP #Amadey #RedLine #AhnLab #RAPIT

Keypoints

  • AgentTesla ranked Top 1 as an Infostealer; it leaks credentials saved in web browsers, emails, and FTP clients.
  • Most distribution is via spam emails disguised as invoices, shipment documents, and purchase orders with file names like Invoice_pdf.exe or INVOICE_.EXE.
  • SmokeLoader ranked Top 2; it is distributed via exploit kits, often arrives in the MalPe packed form, and injects itself into explorer.exe to stage additional modules.
  • BeamWinHTTP ranked Top 3 and is a downloader that installs PUPs and can download additional malware from multiple C2 endpoints.
  • Amadey ranked Top 4 as a downloader capable of receiving commands to fetch more malware, often bundled with spam or corporate-themed attachments.
  • RedLine ranked Top 5 as an information stealer that can also download more malware via C2 commands, commonly distributed as cracked software.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used to distribute samples through spam emails disguised as invoices, shipment documents, and purchase orders. “Most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders. The file names contain such words shown above (Invoice, Shipment, and P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.”
  • [T1555.003] Credentials from Web Browsers – AgentTesla leaks user credentials saved in web browsers, emails, and FTP clients. “AgentTesla is an Infostealer that ranked first place with 17.3%. It leaks user credentials saved in web browsers, emails, and FTP clients.”
  • [T1041] Exfiltration Over C2 Channel – Uses SMTP (and sometimes FTP or Discord API) to leak collected information. “Although it uses emails (a.k.a. SMTP protocol) to leak collected information, there are samples that used FTP or Discord API.”
  • [T1036] Masquerading – Files disguised as legitimate documents (e.g., Invoice_pdf.exe, INVOICE_.EXE) to deceive victims. “the file names contain such words shown above … and being disguised as files with extensions of pdf and xlsx.”
  • [T1189] Drive-by Compromise – Malware distributed via exploit kits (SmokeLoader). “SmokeLoader is distributed via exploit kits.”
  • [T1055] Process Injection – SmokeLoader injects into explorer.exe to execute payloads. “it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe.”
  • [T1105] Ingress Tool Transfer – Many families download additional modules or malware after connecting to C2 (e.g., SmokeLoader, BeamWinHTTP, Amadey, RedLine). “After connecting to the C&C server, it can either download additional modules or other malware strains.”
  • [T1071.001] Web Protocols – C2 communications via a range of URLs/domains listed as confirmed C2 endpoints (BeamWinHTTP, RedLine, Amadey). “The confirmed C&C server URLs are as follows.”
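As an added example (not code from the ASEC post), the masquerading pattern behind T1036 and T1566.001 above can be turned into a simple attachment-name check: an executable extension, a document type buried in the stem (Invoice_pdf.exe), a financial or shipping lure word, and padding before the extension each add to a score. The scoring weights, threshold and the test names are constructed assumptions modelled on the lures the post names.

```python
import os
import re
from dataclasses import dataclass, field

# Executable extensions an attachment filter should treat as high risk.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document types a lure embeds in the stem to fake a double extension.
DOC_TOKENS = re.compile(r"(?<![a-z])(pdf|xlsx?|docx?)(?![a-z])")
# Lure words named in the post (invoice, shipment, P.O.) plus payment/quote themes.
LURE_WORDS = re.compile(r"invoice|shipment|purchase\s*order|\bp\.o\b|quot|payment", re.I)


@dataclass
class Verdict:
    name: str
    score: int = 0
    reasons: list = field(default_factory=list)


def inspect_attachment(name: str) -> Verdict:
    """Score an attachment file name for invoice/shipment-style masquerading."""
    v = Verdict(name)
    stem, ext = os.path.splitext(name.lower())
    if ext in EXEC_EXTS:
        v.score += 2
        v.reasons.append(f"executable extension {ext}")
        if DOC_TOKENS.search(stem):  # e.g. "invoice_pdf" before ".exe"
            v.score += 2
            v.reasons.append("document type embedded in stem (fake double extension)")
    if LURE_WORDS.search(name):
        v.score += 1
        v.reasons.append("financial/shipping lure word")
    if re.search(r"_{3,}|\s{2,}", name):  # padding that pushes the real extension out of view
        v.score += 1
        v.reasons.append("padding before extension")
    return v


def is_suspicious(name: str, threshold: int = 3) -> bool:
    # Threshold is an assumption; tune it against your own mail flow.
    return inspect_attachment(name).score >= threshold


if __name__ == "__main__":
    # Constructed sample names modelled on the lures described in the post.
    for sample in ["TNT Invoice_pdf.exe", "INVOICE_.EXE", "Invoice_2022-11.pdf"]:
        verdict = inspect_attachment(sample)
        print(sample, verdict.score, verdict.reasons)
```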

