ASEC’s weekly malware statistics for January 23–29, 2023 categorize threats by family, with downloader as the largest share, followed by Infostealer and backdoor. The report highlights BeamWinHTTP as the top downloader, with SmokeLoader, Formbook, AgentTesla, and SnakeKeylogger as leading players, including their C2 URLs and distribution methods. #BeamWinHTTP #SmokeLoader
Key points
- Downloader ranked first overall (44.2%), Infostealer second (34.3%), backdoor third (18.5%), ransomware (2.6%), and CoinMiner (0.4%).
- Top 1 BeamWinHTTP: a downloader malware (24.0%) distributed as a PUP installer; once running it can download and install additional malware.
- BeamWinHTTP C&C URLs confirmed: hxxp://45.12.253[.]56/advertisting/plus.php and hxxp://45.12.253[.]51/publisher.php (plus related domains/IPs in the campaign).
- Top 2 SmokeLoader: Infostealer/downloader distributed via exploit kits; it injects into explorer.exe, which then executes the malicious code and downloads further modules.
- SmokeLoader C&C URLs include multiple domains such as hxxp://conceitosseg[.]com/upload/ and hxxp://integrasidata[.]com/upload/.
- Top 3 Formbook: Infostealer spread mainly via spam emails with deceptive filenames; it steals credentials through keylogging, clipboard grabbing, and web form grabbing.
- Formbook C&C URLs include several domains like hxxp://www.notbokin[.]online/he2a/ and hxxp://www.chopchity[.]site/j892/.
- Top 4 AgentTesla: Infostealer leaking web browser, email, and FTP client credentials; it exfiltrates over SMTP, and the mail server, sender accounts, and recipient addresses are visible in the sample.
- Top 5 SnakeKeylogger: Infostealer leaking keystrokes, clipboard contents, and browser account data; it exfiltrates over SMTP, Telegram, or Discord.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The malware can download and install additional malware after connecting to C2. “When it is executed, it installs PUP malware Garbage Cleaner and can download and install additional malware at the same time.”
- [T1036] Masquerading – BeamWinHTTP is distributed via malware disguised as a PUP installer.
- [T1071.001] Web Protocols – C2 communications use HTTP-based URLs (C&C server URLs are provided).
- [T1055] Process Injection – SmokeLoader injects into explorer.exe; actual malicious behavior is executed by explorer.exe.
- [T1056.001] Keylogging – Formbook/SnakeKeylogger can capture keystrokes as part of credential theft.
- [T1056.003] Web Form Grabbing – Formbook and similar Infostealers grab data from web forms in browsers.
- [T1003] Credential Dumping – AgentTesla leaks credentials saved in browsers, emails, and FTP clients.
- [T1566.001] Phishing: Spearphishing Attachment – Distribution via spam emails disguised as invoices/shipment documents/P.O. files.
Indicators of Compromise
- [URL] BeamWinHTTP C2 – hxxp://45.12.253[.]56/advertisting/plus.php, hxxp://45.12.253[.]51/publisher.php
- [Domain] SmokeLoader C2 – hxxp://conceitosseg[.]com/upload/, hxxp://integrasidata[.]com/upload/
- [URL] Formbook C2 – hxxp://www.notbokin[.]online/he2a/, hxxp://www.chopchity[.]site/j892/
- [Domain] Formbook additional C2 – hxxp://www.koyesses[.]site/k4xe/, hxxp://www.nbemt[.]xyz/sr23/
- [IP] BeamWinHTTP C2 IPs – 45.12.253[.]56, 45.12.253[.]51
- [Domain] SnakeKeylogger C2/Exfil – mail.raouf-hotels[.]com, mail.dr2marking[.]com
- [Email] AgentTesla recipients – [email protected], [email protected]
- [Email] SnakeKeylogger recipients – [email protected], webmaster@rodeojunior[.]com
- [File] Sample filenames (Formbook/SnakeKeylogger) – Enquiry 40320581017.exe, 2023 Swift MT03pdf 00003747727369.exe
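As an added example (not part of ASEC's report), the following Python refangs the defanged indicators above into a host lookup table and runs it over a few constructed proxy log lines, so the list can be used for detection instead of being read by eye. The log line format and client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit
# Defanged C2/exfiltration indicators exactly as listed in the report above.
C2_INDICATORS = {
    "BeamWinHTTP": ["hxxp://45.12.253[.]56/advertisting/plus.php",
                    "hxxp://45.12.253[.]51/publisher.php"],
    "SmokeLoader": ["hxxp://conceitosseg[.]com/upload/",
                    "hxxp://integrasidata[.]com/upload/"],
    "Formbook": ["hxxp://www.notbokin[.]online/he2a/", "hxxp://www.chopchity[.]site/j892/",
                 "hxxp://www.koyesses[.]site/k4xe/", "hxxp://www.nbemt[.]xyz/sr23/"],
    "SnakeKeylogger": ["mail.raouf-hotels[.]com", "mail.dr2marking[.]com"],
}

def refang(ioc: str) -> str:
    """Turn hxxp://a[.]b into http://a.b so it compares with real log fields."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".")

def ioc_host(ioc: str) -> str:
    """Hostname of a refanged URL, or the value itself for a bare hostname."""
    ref = refang(ioc)
    return (urlsplit(ref).hostname if "://" in ref else ref).lower()

def build_host_map(indicators: dict) -> dict:
    """Map every C2/exfil host to the family the report attributes it to."""
    return {ioc_host(i): fam for fam, iocs in indicators.items() for i in iocs}

# Constructed proxy log lines (assumed format, not from the report): time, client, host, path.
SAMPLE_LOG = """\
2023-01-25T10:01:02Z 10.0.0.12 www.example.com /index.html
2023-01-25T10:01:09Z 10.0.0.12 45.12.253.56 /advertisting/plus.php
2023-01-25T10:02:11Z 10.0.0.31 conceitosseg.com /upload/
2023-01-25T10:03:40Z 10.0.0.31 update.microsoft.com /
2023-01-25T10:04:05Z 10.0.0.44 MAIL.dr2marking.com -
"""

def scan_log(log_text: str, host_map: dict) -> list:
    """Return (client, host, family) for each line whose host is a known C2."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:          # skip malformed or empty lines
            continue
        client, host = parts[1], parts[2].lower()   # case-insensitive host match
        if host in host_map:
            hits.append((client, host, host_map[host]))
    return hits

if __name__ == "__main__":
    for client, host, family in scan_log(SAMPLE_LOG, build_host_map(C2_INDICATORS)):
        print(f"{client} -> {host} ({family})")
```

Matching on hostname rather than the full URL catches the SMTP exfiltration hosts as well as the HTTP C2 paths, at the cost of flagging any other request to those hosts, which is the right trade-off for a blocklist built from a weekly report.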
Read more: https://asec.ahnlab.com/en/47011/