ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023) – ASEC BLOG

ASEC analyzed weekly malware statistics for Jan 9–15, 2023 using RAPIT, highlighting downloader as the top category followed by Infostealer. The report details the leading families SmokeLoader, BeamWinHTTP, Formbook, AgentTesla, and Lokibot and their C2 infrastructure. #SmokeLoader #BeamWinHTTP #Formbook #AgentTesla #Lokibot

Keypoints

  • Downloader is the top main category at 38.4%, followed by Infostealer at 37.0%, backdoor at 18.2%, ransomware at 4.0%, and CoinMiner at 1.5%.
  • SmokeLoader ranked first (17.7%); it is distributed via exploit kits and takes the MalPe form.
  • BeamWinHTTP ranked second (14.1%), distributed as a PUP installer that can download and install additional malware.
  • Formbook ranked third (13.6%), primarily spread by spam emails with credential-stealing capabilities.
  • AgentTesla ranked fourth (11.1%), an Infostealer that leaks collected credentials via email (SMTP) and other channels, using multiple C&C configurations.
  • Lokibot ranked fifth (9.1%), an Infostealer that exfiltrates information about browsers, email clients, and FTP clients.

MITRE Techniques

  • [T1055] Process Injection – SmokeLoader injects itself into explorer.exe; the actual malicious behavior is executed by explorer.exe. Quote: ‘When executed, it injects itself into explorer.exe, and the actual malicious behavior is executed by explorer.exe.’
  • [T1105] Ingress Tool Transfer – SmokeLoader: after connecting to the C&C server, it can download additional modules or other malware strains. Quote: ‘After connecting to the C&C server, it can download additional modules or other malware strains.’
  • [T1105] Ingress Tool Transfer – BeamWinHTTP: When it is executed, it installs PUP malware Garbage Cleaner and can download and install additional malware at the same time. Quote: ‘When it is executed, it installs PUP malware Garbage Cleaner and can download and install additional malware at the same time.’
  • [T1056.001] Keylogging – Formbook can steal various information through keylogging. Quote: ‘the malware can steal various information through keylogging.’
  • [T1115] Clipboard Data – Formbook performs clipboard grabbing. Quote: ‘clipboard grabbing’
  • [T1056.003] Web Form Grabbing – Formbook performs web browser form grabbing. Quote: ‘web browser form grabbing’
  • [T1555.003] Credentials in Web Browsers – Formbook targets user credentials in web browsers. Quote: ‘user credentials in the web browser’
  • [T1071.003] Application Layer Protocol: Email – AgentTesla uses SMTP (email) to leak the credentials it collects. Quote: ‘SMTP Server : us2.smtp.mailhostbox[.]com’ (and related details).
  • [T1071.001] Web Protocols – Lokibot communicates with its C2 servers over HTTP; the listed C2 endpoints are web URLs. Quote: ‘The following is a list of the most C&C servers for the malware.’

Indicators of Compromise

  • [URL] C2 / Command and Control endpoints – vatra[.]at/tmp/, spbdg[.]ru/tmp/, skinndia[.]com/tmp/ (and 2 more URLs)
  • [IP] C2 endpoints – 208.67.105[.]148/fresh2/five/fre.php, 171.22.30[.]147/kelly/five/fre.php (and 2 more)
  • [URL] Formbook C2 URLs – www.baskmarketing[.]online/bd6z/, www.ciexol[.]xyz/ci07/ (and 3 more)
  • [URL] Lokibot C2 servers – 208.67.105[.]148/fresh2/five/fre.php, shopper.bulutlogistic[.]com/fre.php (and 2 more)
  • [File name] Sample filenames used by campaigns – BL-SHIPPING DOCUMENTS.exe, CONTRACT DOCUMENT.exe (and 2 more)
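As an added example (not part of the ASEC report), a short Python check that refangs the indicators listed above and matches them, by host and C2 path prefix, against constructed proxy log lines; the log format and the sample lines are assumptions:

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the page writes them (defanged with "[.]"). Only the ones
# spelled out on the page are included; the page says more exist.
DEFANGED_IOCS = [
    "vatra[.]at/tmp/",
    "spbdg[.]ru/tmp/",
    "skinndia[.]com/tmp/",
    "208.67.105[.]148/fresh2/five/fre.php",
    "171.22.30[.]147/kelly/five/fre.php",
    "www.baskmarketing[.]online/bd6z/",
    "www.ciexol[.]xyz/ci07/",
    "shopper.bulutlogistic[.]com/fre.php",
]

def refang(ioc: str) -> str:
    """Undo '[.]' and 'hxxp' defanging so the indicator can be compared."""
    return re.sub(r"hxxp", "http", ioc.replace("[.]", "."), flags=re.I)

def parse_ioc(ioc: str) -> tuple[str, str]:
    """Split a refanged indicator into (lower-case host, path); scheme optional."""
    s = refang(ioc)
    parts = urlsplit(s if "://" in s else "http://" + s)
    return (parts.hostname or "").lower(), parts.path or "/"

IOC_PATHS: dict[str, list[str]] = {}  # host -> C2 path prefixes seen on the page
for _ioc in DEFANGED_IOCS:
    _host, _path = parse_ioc(_ioc)
    IOC_PATHS.setdefault(_host, []).append(_path)

# Constructed proxy log lines (timestamp client method url status); not from the page.
SAMPLE_LOG = """\
1673300001.123 10.0.0.5 GET http://www.example.com/index.html 200
1673300002.456 10.0.0.7 POST http://208.67.105.148/fresh2/five/fre.php 200
1673300003.789 10.0.0.9 GET http://skinndia.com/tmp/ 404
1673300004.012 10.0.0.7 POST http://vatra.at/tmp/index.php 200
"""

def match_log(log_text: str) -> list[dict]:
    """Flag requests whose host is listed and whose path starts with a listed C2 path."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        u = urlsplit(fields[3])
        host, path = (u.hostname or "").lower(), u.path or "/"
        if any(path.startswith(p) for p in IOC_PATHS.get(host, [])):
            hits.append({"client": fields[1], "url": fields[3]})
    return hits
```

Prefix matching on the path is deliberate: the SmokeLoader-style `/tmp/` endpoints are directories, so a request for `/tmp/index.php` on a listed host is still flagged.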

Read more: https://asec.ahnlab.com/en/46169/