ASEC Weekly Malware Statistics (June 5th, 2023 – June 11th, 2023) – ASEC BLOG

MITRE Techniques

• [T1105] Ingress Tool Transfer – Amadey downloader receives commands from the attacker to download additional malware. ‘Amadey is a downloader that can receive commands from the attacker to download additional malware’
• [T1566.001] Phishing: Spearphishing Attachment – Most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders. ‘Most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, and P.O. – Purchase Order)’
• [T1071.001] Command and Control: Web Protocols – The malware uses C2 URLs such as those listed; ‘The confirmed C&C server URLs are as follows.’
• [T1555.003] Credentials in Web Browsers – AgentTesla leaks user credentials saved in web browsers, emails, and FTP clients. ‘It leaks user credentials saved in web browsers, emails, and FTP clients.’
• [T1041] Exfiltration Over C2 Channel – AgentTesla exfiltrates data through SMTP servers and other channels like Discord Webhooks and Telegram API. ‘The C&C information of recently collected samples is as follows.’
• [T1027] Obfuscated/Compressed Files and Information – GuLoader is downloaded in memory, encoded, not PE. ‘downloaded on memory to avoid detection, and the downloaded file is encoded, not PE’
• [T1055] Process Injection – Formbook is injected into normal processes (e.g., explorer.exe, system32). ‘As Formbook is injected into normal processes (one is a running explorer.exe and the other is in system32)’
• [T1071.001] Command and Control: Web Protocols – Lokibot C2 URLs tend to end in fre.php. ‘most Lokibot C&C server URLs tend to end in fre.php.’
• [T1056.001] Keylogging – Formbook captures keystrokes and related data (in addition to clipboard and form grabbing). ‘the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing.’