ASEC Weekly Malware Statistics (January 16th, 2023 – January 22nd, 2023) – ASEC BLOG

Infostealer was the leading malware category in the Jan 16–22, 2023 period, accounting for 43.0% of samples, followed by downloader (30.06%) and backdoor (19.9%). The report highlights BeamWinHTTP, AgentTesla, Formbook, SmokeLoader, and Pony as the top families, with details on their distribution, C2 servers, and capabilities.

Keypoints

  • Infostealer dominated the week with 43.0% of samples, followed by downloader 30.06% and backdoor 19.9%.
  • BeamWinHTTP ranked Top 1: a downloader distributed disguised as a PUP installer that installs the PUP Garbage Cleaner and can fetch and install additional malware at the same time.
  • AgentTesla ranked Top 2: it exfiltrates stolen credentials via email, FTP, or Telegram; this week's samples used SMTP to leak data to the designated receiver addresses listed under the IoCs.
  • Formbook ranked Top 3: it steals data through keylogging, clipboard grabbing, and web browser form grabbing, and injects itself into normal processes (a running explorer.exe and a second process located in system32).
  • SmokeLoader ranked Top 4: delivered via exploit kits, it injects into explorer.exe and, after connecting to its C2, downloads additional modules or other malware, including modules with infostealer features.
  • Pony also ranked Top 4: an Infostealer that leaks credentials stored by web browsers, FTP clients, email clients, and Bitcoin wallets; its C2 URLs are listed under the IoCs.
  • Spam emails disguised as invoices, shipment documents, and purchase orders were the main delivery channel for the stealers, with attached executables carrying invoice- and payment-themed names (some faking a document type with a "_pdf" suffix, e.g. "EURO 642k Ref20230116_pdf.exe").

MITRE Techniques

  • [T1036] Masquerading – BeamWinHTTP is distributed disguised as a PUP installer. “The malware is distributed via malware disguised as PUP installer.”
  • [T1105] Ingress Tool Transfer – BeamWinHTTP downloads and installs additional malware alongside the PUP it installs. “can download and install additional malware at the same time.”
  • [T1056] Input Capture – Formbook can perform keylogging to steal user input. “the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.”
  • [T1056.003] Web Forms – Formbook steals data from web browser forms. “web browser form grabbing.”
  • [T1055] Process Injection – Formbook injects itself into a running explorer.exe and into a second process located in system32 to carry out its actions. “Formbook is injected into normal processes (one is a running explorer.exe and the other is in system32).”
  • [T1071.001] Web Protocols – Formbook beacons to its C2 servers over HTTP at the listed URLs. “The confirmed C&C server URLs are as follows.”
  • [T1105] Ingress Tool Transfer – SmokeLoader downloads modules after connecting to C2. “can download additional modules or other malware strains.”
  • [T1071.001] Web Protocols – SmokeLoader uses HTTP(S) based C2 URLs. “The confirmed C&C server URLs are as follows.”
  • [T1566.001] Phishing: Spearphishing Attachment – Spam emails disguised as invoices/POs deliver the payloads. “most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders.”
  • [T1071.001] Web Protocols – Pony uses C2 URLs for data exfiltration/command and control. “The confirmed C&C server URLs of Pony are as follows.”

Indicators of Compromise

  • [URL] C2 URLs – hxxp://45.139.105[.]171/itsnotmalware/count.php?sub=/mixtwo&stream=mixtwo&substream=mixkis, hxxp://45.12.253[.]56/advertisting/plus.php?s=/mixtwo&str=mixtwo&substr=mixinte
  • [URL] C2 URLs – hxxp://wfsdragon[.]ru/api/setStats.php, hxxp://37.0.11[.]41/base/api/getData.php
  • [URL] C2 URLs – hxxp://45.12.253[.]51/publisher.php?subid=NOSUB, hxxp://208.67.104[.]97/powfhxhxcjzx/ping.php?sub=NOSUB&stream=mixone&substream=mixtwo
  • [URL] Formbook C2 URLs – hxxp://www.loudesios[.]com/fswe/, hxxp://www.wordybag[.]online/nes8/
  • [URL] Formbook C2 URLs – hxxp://www.paupocket[.]online/umcs/, hxxp://www.haremp[.]xyz/tc10/
  • [Domain] C2 Domains – wfsdragon[.]ru, channelpi[.]com, mightys[.]at, mupsin[.]ru
  • [Email] Exfiltration targets – info@expostore[.]pk, mylogs456@gmail[.]com, jinhux31@gmail[.]com, maggie.hualingan@gmail[.]com
  • [Email] Exfiltration targets – two further receiver addresses are listed in the article, together with the SMTP credentials the samples used to send the stolen data.
  • [FileName] Distribution Samples – SwiftReport_00001801202301432.exe, EURO 642k Ref20230116_pdf.exe, INV 001.exe, PAGO TT (Ref 0180066743).exe, Payment copy.exe, doc.exe, SWIFT COPY US$ 291.650, file2.exe
  • [FileName] Distribution Samples – further Formbook sample file names used in the spam campaigns are listed in the article.
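Consuming these indicators in a hunt is mostly a matter of refanging them and matching them against the right log fields: host+path for the HTTP C2 URLs in the MITRE section (the query strings of the BeamWinHTTP-style URLs vary per campaign, so an exact-URL match misses them), recipient addresses for AgentTesla's SMTP exfiltration, and lure file names for the spam distribution. The following is an added example, not code from the ASEC article; it embeds a subset of the page's defanged IoCs and runs them over constructed proxy, SMTP and file-creation log lines (the log format, the `gate.php`/`cdn.` entries and the lure-name heuristics are this example's assumptions, not indicators from the page). It goes slightly beyond the page by also flagging unlisted executables that follow the invoice/payment-theme and fake-document-suffix pattern the report describes.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this page's IoC section, still defanged. Family
# attribution is left as the page gives it (only the Formbook URLs are labelled).
DEFANGED_URLS = [
    "hxxp://45.139.105[.]171/itsnotmalware/count.php?sub=/mixtwo&stream=mixtwo&substream=mixkis",
    "hxxp://wfsdragon[.]ru/api/setStats.php",
    "hxxp://www.loudesios[.]com/fswe/",      # Formbook
    "hxxp://www.paupocket[.]online/umcs/",   # Formbook
]
DEFANGED_DOMAINS = ["wfsdragon[.]ru", "channelpi[.]com", "mightys[.]at", "mupsin[.]ru"]
DEFANGED_EMAILS = ["info@expostore[.]pk", "mylogs456@gmail[.]com", "jinhux31@gmail[.]com"]
LURE_FILENAMES = ["INV 001.exe", "Payment copy.exe", "EURO 642k Ref20230116_pdf.exe"]

# Heuristics for the lure naming the page describes (invoice/payment/SWIFT themes,
# fake document suffix on an .exe). These regexes are this example's assumption.
LURE_THEME = re.compile(r"(?i)(invoice|inv|payment|swift|pago|shipment|purchase)")
FAKE_DOC_EXT = re.compile(r"(?i)[_.](pdf|docx?|xlsx?)\.exe$")


def refang(ioc):
    """Turn 'hxxp://a[.]b' into 'http://a.b' so it compares with real log fields."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@").replace("[:]", ":")


def url_key(url):
    """Match on host + path only; the query string of these C2 URLs changes per campaign."""
    p = urlsplit(url)
    return (p.hostname or "").lower(), p.path or "/"


URL_IOCS = {url_key(refang(u)) for u in DEFANGED_URLS}
DOMAIN_IOCS = {refang(d).lower() for d in DEFANGED_DOMAINS}
EMAIL_IOCS = {refang(e).lower() for e in DEFANGED_EMAILS}
FILE_IOCS = {f.lower() for f in LURE_FILENAMES}


def match_proxy(lines):
    """lines: '<ts> <src_ip> <method> <url>'. Returns (src_ip, kind, indicator) hits."""
    hits = []
    for line in lines:
        _ts, src, _method, url = line.split(maxsplit=3)
        host, path = url_key(url)
        if (host, path) in URL_IOCS:
            hits.append((src, "url", host + path))
        elif any(host == d or host.endswith("." + d) for d in DOMAIN_IOCS):
            hits.append((src, "domain", host))      # subdomains of a listed domain count too
    return hits


def match_smtp(lines):
    """lines: '<ts> <src_ip> <mail_from> <rcpt_to>'. Flags mail sent to a listed receiver."""
    hits = []
    for line in lines:
        _ts, src, _mail_from, rcpt = line.split()
        if rcpt.lower() in EMAIL_IOCS:
            hits.append((src, rcpt.lower()))
    return hits


def match_files(lines):
    """lines: '<ts> <host> <user> <path>'. Exact lure names first, then the theme heuristic."""
    hits = []
    for line in lines:
        _ts, host, _user, path = line.split(maxsplit=3)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in FILE_IOCS:
            hits.append((host, "exact", name))
        elif name.lower().endswith(".exe") and (LURE_THEME.search(name) or FAKE_DOC_EXT.search(name)):
            hits.append((host, "lure-heuristic", name))
    return hits


# Constructed sample logs (not from the article); only the IoC values are the page's.
PROXY_LOG = [
    "2023-01-18T10:02:11Z 10.0.0.15 GET http://45.139.105.171/itsnotmalware/count.php?sub=/mixtwo&stream=mixtwo&substream=mixkis",
    "2023-01-18T10:02:14Z 10.0.0.15 GET http://www.loudesios.com/fswe/",
    "2023-01-18T10:03:00Z 10.0.0.22 GET https://www.example.org/index.html",
    "2023-01-18T10:05:40Z 10.0.0.31 POST http://mightys.at/gate.php",
    "2023-01-18T10:05:55Z 10.0.0.31 GET http://cdn.mupsin.ru/x",
]
SMTP_LOG = [
    "2023-01-18T10:06:02Z 10.0.0.15 victim@corp.example mylogs456@gmail.com",
    "2023-01-18T10:07:10Z 10.0.0.40 alice@corp.example bob@partner.example",
]
FILE_LOG = [
    r"2023-01-18T09:58:30Z WS015 jdoe C:\Users\jdoe\Downloads\INV 001.exe",
    r"2023-01-18T09:59:01Z WS022 asmith C:\Users\asmith\Downloads\Quarterly_report.docx",
    r"2023-01-18T10:00:12Z WS031 bsmith C:\Users\bsmith\AppData\Local\Temp\Invoice_4471_pdf.exe",
]


def run_all():
    return {"proxy": match_proxy(PROXY_LOG), "smtp": match_smtp(SMTP_LOG), "files": match_files(FILE_LOG)}


if __name__ == "__main__":
    for source, hits in run_all().items():
        for hit in hits:
            print(source, *hit)
```

The SMTP check is deliberately the narrowest one: matching on the receiver address is only useful while those Gmail accounts remain in use, so in practice it is the outbound-SMTP-from-a-workstation signal that carries the detection and the address list that attributes it. Host+path matching keeps the BeamWinHTTP-style URLs useful across the `sub=`/`stream=` variations, but it also means a benign site that happens to share a path on a listed host would match, which is the intended behaviour for a C2 host.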

Read more: https://asec.ahnlab.com/en/46464/