ASEC’s weekly malware statistics for March 27–April 2, 2023 show backdoors dominating at 54.9%, followed by downloaders (22.9%) and infostealers (20.6%), with ransomware and coin miners making up smaller shares. The top families were RedLine, Amadey, AgentTesla, GuLoader, and Formbook, distributed mainly through spam and software-crack lures; the report also discloses their C2 infrastructure.
#RedLine #Amadey #AgentTesla #Guloader #Formbook #LockBit #SmokeLoader
Keypoints
- The main category by detection is backdoor at 54.9%, followed by downloader (22.9%) and infostealer (20.6%), with ransomware at 1.3% and CoinMiner at 0.3%.
- RedLine leads the week at 47.4%. It is an infostealer that steals browser, FTP, and wallet data (among other things) and can download additional malware on command from its C2.
- Amadey Bot ranks second at 12.2%. It is a downloader that receives attacker commands to fetch additional malware and can also collect credentials when used together with infostealers.
- AgentTesla ranks third at 11.5%. It is an infostealer that leaks credentials from web browsers, email clients, and FTP clients, and is often distributed via spam pretending to carry invoices.
- GuLoader ranks fourth at 6.0%. It is a downloader that decodes and executes its downloaded payload in memory; it is typically packaged as an NSIS-like installer and keeps the downloaded data encoded (not as a PE file) to bypass detection.
- Formbook ranks fifth at 4.2%. It is an infostealer distributed mainly through spam and is capable of keylogging, clipboard grabbing, and web browser form grabbing; multiple C2 domains are listed for it.
MITRE Techniques
- [T1566] Phishing – Spam emails with malicious documents used to deliver malware. “Most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders.”
- [T1105] Ingress Tool Transfer – Amadey downloads additional malware on command. “Amadey is a downloader that can receive commands from the attacker to download additional malware.”
- [T1071.001] Web Protocols – RedLine communicates with its C2 over HTTP/HTTPS domains. “The following are the confirmed C&C server domains for RedLine: 193.233.20[.]32:4125/ …”
- [T1555.003] Credentials in Web Browsers – AgentTesla leaks credentials saved in browsers, emails, and FTP clients. “It leaks user credentials saved in web browsers, emails, and FTP clients.”
- [T1056.001] Keylogging – Formbook performs keylogging to capture user input. “keylogging, clipboard grabbing, and web browser form grabbing.”
- [T1115] Clipboard Data – Formbook steals clipboard contents. “clipboard grabbing”
- [T1056.003] Web Form Grabbing – Formbook captures data entered into web forms. “web browser form grabbing”
- [T1027] Obfuscated/Compressed Files and Information – GuLoader data is encoded and decoded in memory to avoid detection. “the downloaded file is encoded, not PE. It is then executed after being decoded in the memory.”
Indicators of Compromise
- [IP address] C2 servers and delivery endpoints – 193.233.20[.]32:4125, 212.113.116[.]143:29996, 51.210.161[.]21:36108, 176.113.115[.]145:4125
- [Domain/URL] RedLine C2 domain – koreamonitoring[.]com:80
- [URL] Amadey C2 endpoints – hxxp://77.73.134[.]27/8bmdh3Slb2/index.php, hxxp://62.204.41[.]87/joomla/index.php, hxxp://193.233.20[.]36/joomla/index.php, hxxp://31.41.244[.]200/games/category/index.php
- [Domain/URL] AgentTesla delivery and C2 – ftp server: www.213221321[.]com; SMTP servers: mail.dmstech.in, mail.mdist.us, mail.mercamaq.com.br
- [Domain/URL] Formbook C2 endpoints – copebees[.]online/h6qh/, nasvour[.]top/0ons/, anrovlp[.]xyz/n13e/, mtevz[.]online/ar73/, pitmarpay[.]xyz/essu/
- [File name] Disguised attachment names observed – UPDATED_LIST.exe, swift.exe, PO-1060688.exe, REMITTANCE TT COPY $23.exe
Read more: https://asec.ahnlab.com/en/50952/