Keypoints
- Infostealer was the top category at 43.8%, followed by Backdoor at 34.5% and Downloader at 18.7% for the week.
- Top malware by prevalence: RedLine (23.4%), AgentTesla (20.9%), Formbook (9.4%), Smokeloader (7.7%), and GuLoader (6.0%).
- RedLine steals information from web browsers, FTP clients, cryptocurrency wallets, and PC settings and can download more malware from its C2 server; many RedLine samples are disguised as software cracks.
- AgentTesla leaks credentials from web browsers, emails, and FTP clients and uses SMTP and Telegram as C2 channels; distribution is largely via spam invoices and purchase orders.
- Formbook is injected into legitimate processes (e.g., explorer.exe) and collects browser credentials, keystrokes, clipboard data, and web form content; its C2 URLs are spread across many different domains.
- Smokeloader, an Infostealer/downloader distributed via exploit kits, injects into explorer.exe and can download additional modules or malware; Dharma and LockBit have also been observed as payloads delivered via its C2.
- GuLoader fetches its payload as an encoded blob (not a PE file) straight into memory to avoid detection, decodes it there, and delivers Infostealers (Formbook/AgentTesla) and RATs (Remcos/NanoCore); many samples use deceptive file names and extensions.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing attachments used to deliver malware. (‘Most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders’)
- [T1105] Ingress Tool Transfer – The malware can download additional payloads by receiving commands from the C&C server. (‘It can also download additional malware by receiving commands from the C&C server.’)
- [T1056.003] Web Form Grabbing – Formbook can steal information via web browser form grabbing. (‘the malware can steal various information through keylogging, clipboard grabbing, and web browser form grabbing’)
- [T1056.001] Keylogging – Formbook performs keylogging to capture user input. (‘keylogging’)
- [T1115] Clipboard Data – Formbook grabs clipboard contents. (‘clipboard grabbing’)
- [T1055] Process Injection – Formbook is injected into normal processes (e.g., explorer.exe) to hide its operation. (‘Formbook is injected into normal processes (one is a running explorer.exe and the other is in system32)’)
- [T1555.003] Credentials in Web Browsers – AgentTesla leaks credentials saved in web browsers. (‘leaks user credentials saved in web browsers, emails, and FTP clients’)
- [T1071.003] Application Layer Protocol: Mail – AgentTesla uses SMTP to exfiltrate data. (‘SMTP Server : us2.smtp.mailhostbox[.]com…’)
- [T1071.001] Application Layer Protocol: Web Protocols – AgentTesla also uses Telegram API as a C2 channel. (‘Telegram : hxxps://api.telegram[.]org/bot…’)
- [T1203] Exploitation for Client Execution – Smokeloader is distributed via exploit kits. (‘SmokeLoader is an Infostealer/downloader malware that is distributed via exploit kits.’)
- [T1027] Obfuscated/Deobfuscated Files or Information – GuLoader is downloaded in memory, encoded, and decoded before execution. (‘downloaded on memory to avoid detection, and encoded, not PE. It is then executed after being decoded in the memory’)
- [T1036] Masquerading – Samples disguise file names and extensions (e.g., invoices, PDFs, or CAD files) to sneak into systems. (‘the file names contain such words shown above… Some samples have extensions disguised as document files such as pdf and xlsx or Auto CAD blueprint files such as dwg’)
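The AgentTesla C2 channels noted above (SMTP exfiltration and the Telegram Bot API) are the kind of egress a defender can flag in proxy or firewall logs. The following is an added example, not code from the ASEC post: it refangs indicators written in the post's defanged style (hxxps, [.]), then scans constructed egress records for Telegram bot-API calls and for SMTP from processes that are not a mail client. Field names, process names and the sample records are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

def refang(ioc: str) -> str:
    """Turn the defanged notation used in the post ('hxxps', '[.]') back into a real value."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)

# Processes legitimately expected to speak SMTP (assumed allow-list; extend per environment).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Telegram Bot API calls carry a bot token right after '/bot'; ordinary web use of
# api.telegram.org does not match this, which keeps the rule narrow.
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/", re.IGNORECASE)

@dataclass
class Egress:
    process: str      # image name of the process that opened the connection
    dst_host: str
    dst_port: int
    url: str = ""     # only present for proxied HTTP(S)

def classify(ev: Egress) -> Optional[str]:
    """Return a finding label for one egress record, or None if it looks benign."""
    if ev.url and TELEGRAM_BOT_API.match(ev.url):
        return "telegram-bot-api"
    if ev.dst_port in SMTP_PORTS and ev.process.lower() not in MAIL_CLIENTS:
        return "smtp-from-non-mail-client"
    return None

def scan(events: List[Egress]) -> List[Tuple[str, str, str]]:
    """Return (process, destination, finding) for every record that trips a rule."""
    return [(e.process, e.dst_host, c) for e in events if (c := classify(e))]

# Constructed sample records; the SMTP host and Telegram URL shape are the ones quoted in the post.
SAMPLE = [
    Egress("outlook.exe", "smtp.office365.com", 587),
    Egress("Invoice_0423.exe", refang("us2.smtp.mailhostbox[.]com"), 587),
    Egress("chrome.exe", "api.telegram.org", 443, "https://api.telegram.org/"),
    Egress("Invoice_0423.exe", "api.telegram.org", 443,
           refang("hxxps://api.telegram[.]org/bot<TOKEN>/sendDocument")),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```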
Indicators of Compromise
Read more: https://asec.ahnlab.com/en/50173/