Downloaders ranked first at 38.2%, followed by info-stealers at 35.1%, ransomware at 14.7%, backdoors at 11.6%, and CoinMiners at 0.4% for the week of September 26 to October 2, 2022. The top families were BeamWinHTTP, Smokeloader, Stop Ransomware, Vidar, and Agent Tesla; the C2 domains, URLs and IP addresses observed for each are listed under Indicators of Compromise below.
Keypoints
- Main category distribution: downloader 38.2%, info-stealer 35.1%, ransomware 14.7%, backdoor 11.6%, CoinMiner 0.4%.
- Top family BeamWinHTTP (downloader) accounted for 16.7% and was distributed as malware disguised as a PUP installer; on execution it installs the PUP Garbage Cleaner while downloading and installing additional malware at the same time.
- BeamWinHTTP C2 data includes 95.214.24[.]96, 208.67.104[.]97, gcl-gb[.]biz, artislife[.]top, and forwardstorage[.]biz.
- Second place Smokeloader is an infostealer/downloader distributed via exploit kits and, like other exploit-kit-delivered malware, is packed in the MalPe form; it injects into explorer.exe, so the malicious behavior runs from that process, and downloads additional modules after contacting its C2.
- Smokeloader C2 URLs include host-file-host6[.]com, host-file-host8[.]com, furubujjul[.]net, starvestitibo[.]org, and others.
- Stop Ransomware ranks third and is distributed mainly via exploit kits; it encrypts certain files on user PCs and contacts several C2 URLs.
- Vidar ranks fourth as an infostealer/downloader delivered by spam emails sent periodically to Korean users (bundled with other ransomware inside the attached archive) and capable of downloading additional malware; its C2 addresses include several 94.131.x.x and 45.x.x.x hosts.
- Agent Tesla ranks fifth as an infostealer leaking credentials saved in browsers, emails, and FTP clients, with sample C2 data showing email-based exfiltration and FTP/Discord usage.
MITRE Techniques
- [T1036] Masquerading – BeamWinHTTP distributed via malware disguised as PUP installer. “BeamWinHTTP is distributed via malware disguised as PUP installer.”
- [T1105] Ingress Tool Transfer – BeamWinHTTP downloads and installs additional malware at the same time. “When it is executed, it installs PUP malware Garbage Cleaner while downloading and installing additional malware at the same time.”
- [T1055] Process Injection – Smokeloader injects itself into explorer.exe; “the actual malicious behavior is executed by explorer.exe.”
- [T1203] Exploitation for Client Execution – Stop Ransomware distributed mainly using exploit kits. “It is malware that is distributed mainly using exploit kit.”
- [T1486] Data Encrypted for Impact – Stop Ransomware encrypts certain files on user PCs. “This malware encrypts certain files in user PCs.”
- [T1566.001] Phishing: Spearphishing Attachment – Vidar delivered via spam emails to Korean users; “installed through spam emails that are sent periodically to Korean users, and its characteristic is that it exists with other ransomware within the compressed file attached to the spam mail.”
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Agent Tesla leaks credentials saved in web browsers, emails, and FTP clients. “leaks user credentials saved in web browsers, emails, and FTP clients.”
Indicators of Compromise
- [IP] 95.214.24[.]96, 208.67.104[.]97 – BeamWinHTTP C2 addresses.
- [IP] 192.254.211[.]36, 139.99.142[.]16, 144.76.236[.]210 – Agent Tesla infrastructure observed in the sample C2 data.
- [Domain] gcl-gb[.]biz; artislife[.]top; forwardstorage[.]biz – BeamWinHTTP C2 domains.
- [Domain] host-file-host6[.]com; host-file-host8[.]com; furubujjul[.]net; starvestitibo[.]org; liubertiyyyul[.]net; bururutu44org[.]org; nvulukuluir[.]net; gulutina49org[.]org; hulimudulinu[.]net; stalnnuytyt[.]org; nuluitnulo[.]me – Smokeloader C2 domains.
- [Domain] rgyui[.]top; winnlinne[.]com; wfsdragon[.]ru – Stop Ransomware C2 domains.
- [URL] gcl-gb[.]biz/stats/1.php; gcl-gb[.]biz/stats/save.php – Stop Ransomware C2 URLs (note that gcl-gb[.]biz also appears as a BeamWinHTTP C2 domain).
- [Domain] mail.tricomcomputacion[.]com; mail.thesharpening[.]com[.]au; mail.rylanlogisticsltd[.]com – Agent Tesla sample C2/mail exfiltration domains.
- [File] EventSourceAttrib.exe; DHL SHIPMENT NOTIFICATION.exe; New Order 099923512489_pdf.exe; PO 20220608.exe; DEPOSIT SLIP.exe – Agent Tesla sample filenames: executables named to look like shipping notices, purchase orders and deposit slips attached to spam.
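The indicators above are published defanged (`[.]`), so they cannot be pasted straight into a log search. The following is an added example, not code from the ASEC post, that refangs a subset of the listed IOCs, classifies each as IP, domain or URL, and sweeps constructed DNS, proxy and SMTP log lines for hits. Domain matching accepts subdomains of an indicator but rejects an indicator that merely appears as a label prefix of a longer internal name (a common false positive when a resolver appends a search suffix), and attachment names ending in an executable extension with a document-lookalike stem, as in the Agent Tesla filenames, are flagged separately. The log format and the internal hostnames are assumptions made for the example.

```python
"""Refang the ASEC IOCs and sweep log lines for them (added example, not ASEC code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Subset of the IOCs listed on the page, still defanged, grouped by family.
DEFANGED_IOCS = {
    "BeamWinHTTP": ["95.214.24[.]96", "208.67.104[.]97", "gcl-gb[.]biz",
                    "artislife[.]top", "forwardstorage[.]biz"],
    "Smokeloader": ["host-file-host6[.]com", "host-file-host8[.]com",
                    "furubujjul[.]net", "starvestitibo[.]org"],
    "Stop Ransomware": ["rgyui[.]top", "winnlinne[.]com", "wfsdragon[.]ru",
                        "gcl-gb[.]biz/stats/1.php", "gcl-gb[.]biz/stats/save.php"],
    "Agent Tesla": ["mail.tricomcomputacion[.]com", "192.254.211[.]36", "139.99.142[.]16"],
}

# Constructed log lines (not real telemetry). Line 6 is a deliberate near-miss:
# the Smokeloader domain appears only as a prefix of an internal search-suffixed name.
SAMPLE_LOGS = [
    "2022-09-28T08:14:02Z dns client=10.1.4.22 query=artislife.top type=A rcode=NOERROR",
    "2022-09-28T08:14:05Z proxy client=10.1.4.22 GET http://gcl-gb.biz/stats/1.php?sub=0 status=200",
    "2022-09-28T09:02:11Z dns client=10.1.7.9 query=cdn.example.com type=A rcode=NOERROR",
    "2022-09-28T09:30:44Z smtp from=accounts@example.net attachment='New Order 099923512489_pdf.exe' to=user@corp.local",
    "2022-09-28T10:05:19Z proxy client=10.1.4.22 CONNECT 208.67.104.97:443 status=200",
    "2022-09-28T10:06:00Z dns client=10.1.7.9 query=host-file-host6.com.internal.corp type=A rcode=NXDOMAIN",
]


def refang(ioc: str) -> str:
    """Undo common defanging: [.] / (.) -> ., [:] -> :, hxxp -> http; lowercase for matching."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.lower()


@dataclass(frozen=True)
class Indicator:
    family: str
    kind: str   # "ip", "domain" or "url"
    value: str  # refanged; for "url" this is host + path without scheme


def classify(family: str, raw: str) -> Indicator:
    """Refang one IOC and decide whether it is an IP, a bare domain or a URL with a path."""
    value = re.sub(r"^https?://", "", refang(raw))
    if "/" in value:
        return Indicator(family, "url", value)
    try:
        ipaddress.ip_address(value)
        return Indicator(family, "ip", value)
    except ValueError:
        return Indicator(family, "domain", value)


def build_indicators(defanged: dict) -> list:
    return [classify(fam, raw) for fam, iocs in defanged.items() for raw in iocs]


def match_line(line: str, indicators: list) -> list:
    """Indicators that hit one log line.
    ip:     exact dotted quad, not embedded in a longer number (no 10.1.4.22 in 110.1.4.221)
    domain: the indicator or any subdomain of it; a trailing dot (FQDN) is fine, but
            'ioc.com.internal.corp' is NOT a hit because the lookahead rejects '.<label>'
    url:    plain substring of host + path
    """
    text = line.lower()
    hits = []
    for ind in indicators:
        v = re.escape(ind.value)
        if ind.kind == "ip":
            pat = rf"(?<![\d.]){v}(?![\d.])"
        elif ind.kind == "domain":
            pat = rf"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*{v}(?![a-z0-9-]|\.[a-z0-9-])"
        else:
            pat = v
        if re.search(pat, text):
            hits.append(ind)
    return hits


def sweep(lines: list, indicators: list) -> list:
    """(line_no, family, kind, value) for every IOC hit, in log order."""
    return [(n, i.family, i.kind, i.value)
            for n, line in enumerate(lines, 1) for i in match_line(line, indicators)]


EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def attachment_verdict(name: str) -> Optional[str]:
    """Flag executable attachments; call out stems that end in a document token ('..._pdf.exe')."""
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXT:
        return None
    if re.search(r"[._ -](pdf|doc|docx|xls|xlsx)$", stem):
        return "executable with document-lookalike name"
    return "executable attachment"


def sweep_attachments(lines: list) -> list:
    """(line_no, attachment name, verdict) for SMTP lines carrying a suspicious attachment."""
    out = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"attachment='([^']+)'", line)
        if m and (verdict := attachment_verdict(m.group(1))):
            out.append((n, m.group(1), verdict))
    return out


if __name__ == "__main__":
    inds = build_indicators(DEFANGED_IOCS)
    for hit in sweep(SAMPLE_LOGS, inds):
        print("IOC hit", hit)
    for hit in sweep_attachments(SAMPLE_LOGS):
        print("attachment", hit)
```

Because gcl-gb[.]biz is listed both as a BeamWinHTTP domain and inside the Stop Ransomware URLs, the proxy line for `/stats/1.php` produces two hits, one per family; that is the intended behaviour, since the page itself attributes the host to both. Extend `DEFANGED_IOCS` with the remaining indicators from the list above before running it against real DNS or proxy exports.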
Read more: https://asec.ahnlab.com/en/39627/