ASEC’s RAPIT analysis summarizes malware weekly stats from January 30 to February 5, 2023, highlighting downloader as the top category, followed by Infostealer and backdoor. The leading families were SmokeLoader, BeamWinHTTP, Formbook, Quasar RAT, and RedLine, each with distinct distribution methods and C2 infrastructure.
Keypoints
- Weekly stats (Jan 30–Feb 5, 2023) show main categories: downloader 39.3%, Infostealer 28.8%, backdoor 27.0%, ransomware 2.6%, CoinMiner 2.2%.
- Top family SmokeLoader ranked 1st with 19.9%; distributed via exploit kits and comes in MalPe form; injects itself into explorer.exe and downloads additional modules after connecting to the C&C server.
- Top family BeamWinHTTP ranked 2nd with 18.0%; downloader disguised as a PUP installer; installs Garbage Cleaner and downloads additional malware.
- Top family Formbook ranked 3rd with 14.6%; distributed via spam emails; injects into explorer.exe or a process under system32 and steals credentials through keylogging, clipboard grabbing, and web browser form grabbing.
- Top family Quasar RAT ranked 4th with 10.9%; open-source .NET RAT used broadly; features remote command execution, remote desktop, and credential collection.
- Top family RedLine ranked 5th with 5.6%; Infostealer; commonly distributed disguised as software cracks, steals web browser and cryptocurrency wallet data, and can download additional malware on commands received from the C&C server.
- Multiple C2 URLs and distribution tactics are documented for each family, illustrating diverse attacker infrastructure.
MITRE Techniques
- [T1055] Process Injection – SmokeLoader injects itself into explorer.exe; “When executed, it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe.”
- [T1105] Ingress Tool Transfer – SmokeLoader can download additional modules or other malware strains after connecting to the C&C server; “After connecting to the C&C server, it can download additional modules or other malware strains.”
- [T1105] Ingress Tool Transfer – BeamWinHTTP can download and install additional malware at the same time; “The malware is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner and can download and install additional malware at the same time.”
- [T1036] Masquerading – Several families are distributed masquerading as legitimate software or documents (Formbook as invoice- or statement-named executables; RedLine “disguised as a cracked version of a normal program”).
- [T1056.001] Keylogging – Formbook and Quasar RAT capture keystrokes to steal credentials and sensitive data; “the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.”
- [T1056.003] Input Capture – Formbook engages in web browser form grabbing as part of its data theft.
- [T1555.003] Credentials from Web Browsers – Formbook/Quasar RAT collect browser credentials as part of data theft; “account credentials-collecting feature.”
- [T1021.001] Remote Desktop Protocol – Quasar RAT provides remote control capabilities including remote desktop access.
- [T1071.001] Web Protocols – Quasar RAT and other families communicate with C2 over web protocols; documented as C2 URLs/servers.
- [T1105] Ingress Tool Transfer – RedLine can download additional malware by receiving commands from the C&C server; “It can also download additional malware by receiving commands from the C&C server.”
Indicators of Compromise
- [Domain] C2 domains used by SmokeLoader – potunulit.org, hutnilior.net, and 26 more domains
- [URL] BeamWinHTTP C2 endpoints – 45.12.253.51/publisher.php, 45.12.253.56/advertisting/plus.php
- [URL] Formbook C2 URLs – hxxp://www.auskunfton[.]com/u8ow/, hxxp://www.bnhkit[.]xyz/d0a7/
- [IP/URL] Quasar RAT C2 endpoints – 23.216.147.64:443, 35.222.163.119:3741, 79.119.149.174:4782, 80.209.225.244:4420, fat-tx.at.ply[.]gg:14136
- [Domain/IP] RedLine C2 endpoints – 45.15.156[.]194:36152, 176.113.115[.]16:4122, 193.56.146[.]78:51487, 62.204.41[.]170:4132, 51.210.137[.]6:47909
- [File] Formbook sample filenames – HSBC Account Statement 03FEB2023_pdf.exe, Invoice.exe, 19.01.23_jpg.exe
- [File] Quasar RAT distribution filenames – c0cain_lite.EXE, OpenBullet V 2.3.1.exe
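The indicators above are published with mixed defanging (hxxp://, [.], bare host:port, bare host/path), which makes them awkward to compare with traffic logs. As an added example that is not part of ASEC's report, the following Python normalizes a subset of the listed indicators and matches them against a constructed proxy log format (timestamp, client, destination host:port, path); the log lines are invented for illustration, the indicator values are taken from the list above.

```python
import re
from typing import NamedTuple, Optional
# Indicators copied from the IoC list above; defanging is mixed, exactly as published.
RAW_IOCS = [
    "potunulit.org",
    "45.12.253.51/publisher.php",
    "hxxp://www.auskunfton[.]com/u8ow/",
    "23.216.147.64:443",
    "45.15.156[.]194:36152",
]

# Constructed proxy log lines (not real traffic): "<ts> <client> <dst_host>:<dst_port> <path>"
LOG_LINES = [
    "2023-02-01T10:00:00Z 10.0.0.5 www.auskunfton.com:80 /u8ow/",
    "2023-02-01T10:00:02Z 10.0.0.7 45.12.253.51:80 /index.html",  # same IP, other path: no hit
    "2023-02-01T10:00:03Z 10.0.0.9 potunulit.org:443 /",
    "2023-02-01T10:00:04Z 10.0.0.9 45.15.156.194:36152 /",
]

class Ioc(NamedTuple):
    host: str
    port: Optional[int]  # None: indicator gives no port, match any
    path: str            # "": indicator gives no path, match any

def refang(raw: str) -> str:
    """Undo the defanging used in the list so values compare with log fields."""
    return re.sub(r"^hxxp(s?://)", r"http\1", raw.strip()).replace("[.]", ".")

def parse_ioc(raw: str) -> Ioc:
    """Split a (possibly defanged) indicator into host, optional port and path."""
    s = re.sub(r"^https?://", "", refang(raw).lower())
    hostport, _, path = s.partition("/")
    host, _, port = hostport.partition(":")
    return Ioc(host, int(port) if port else None, "/" + path if path else "")

def match_log_line(line: str, iocs) -> Optional[Ioc]:
    """Return the indicator a log line hits; port and path are checked only when the IoC has them."""
    _ts, _client, dst, path = line.split()
    host, _, port = dst.rpartition(":")
    for ioc in iocs:
        if host.lower() == ioc.host and (ioc.port is None or int(port) == ioc.port) \
                and (not ioc.path or path.startswith(ioc.path)):
            return ioc
    return None

def scan(lines, raw_iocs):
    """Pair each matching log line with the parsed indicator it matched."""
    iocs = [parse_ioc(r) for r in raw_iocs]
    return [(line, hit) for line in lines if (hit := match_log_line(line, iocs))]
```

Host matching is exact, so a shared-hosting IP such as a port-443 entry is only flagged when the destination matches fully; widen or narrow the comparison to your own false-positive tolerance.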
Read more: https://asec.ahnlab.com/en/47330/