FOCUS MODE
EXTRACT IOC
Threat Research

ASEC Weekly Malware Statistics (September 26th, 2022 – October 2nd, 2022) – ASEC BLOG

Securonix

The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from September 26th, 2022 (Monday) to October 2nd, 2022 (Sunday).

For the main category, downloader ranked top with 38.2%, followed by info-stealer with 35.1%, ransomware with 14.7%, backdoor with 11.6%, and CoinMiner with 0.4%.

Top 1 –  BeamWinHTTP

BeamWinHTTP is a downloader malware that ranked top with 16.7%. BeamWinHTTP is distributed via malware disguised as PUP installer. When it is executed, it installs PUP malware Garbage Cleaner while downloading and installing additional malware at the same time.

The confirmed C&C server URL is as follows.

  • 95.214.24[.]96
  • 208.67.104[.]97
  • gcl-gb[.]biz
  • artislife[.]top
  • forwardstorage[.]biz

Top 2 – Smokeloader

Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked second place with 15.1%. Like other malware that is distributed via exploit kits, this malware also has MalPe form. 

When executed, it injects itself to explorer.exe, and the actual malicious behavior is executed by explorer.exe. After connecting to C&C server, it can either download additional module, or download another malware. Additionally downloaded malware usually has a feature of infostealer, and explorer.exe (child process) is created and injects module to operate.

Smoke Loader is an info-stealer / downloader malware that ranked fifth place with 6.6%. For an analysis report related to Smoke Loader, refer to the ASEC Report below.

[PDF] ASEC REPORT vol.101_Smoke Loader Learns New Tricks

The confirmed C&C server URLs are as follows.

  • host-file-host6[.]com
  • host-file-host8[.]com
  • furubujjul[.]net
  • starvestitibo[.]org
  • liubertiyyyul[.]net
  • bururutu44org[.]org
  • nvulukuluir[.]net
  • gulutina49org[.]org
  • hulimudulinu[.]net
  • stalnnuytyt[.]org
  • nuluitnulo[.]me

Another malware can be downloaded from outside by using C&C server, and currently confirmed malware strains are Dharma and Lockbit ransomware.

Top 3 – Stop Ransomware

Stop ransomware ranked third place with 14.3%. It is malware that is distributed mainly using exploit kit. This malware encrypts certain files in user PCs. It has been distributed in various forms since the past. The recently distributed samples perform ransomware behavior by installing Vidar, which is an infostealer.

The following is the C&C server URLs of Stop ransomware.

  • hxxp://rgyui[.]top/dl/build2.exe
  • hxxp://winnlinne[.]com/test3/get.php
  • hxxp://winnlinne[.]com/files/1/build3.exe
  • hxxp://wfsdragon[.]ru/api/setStats.php
  • hxxp://136.144.41[.]201/server.txt
  • hxxp://136.144.41[.]152/base/api/getData.php
  • hxxp://uyg5wye.2ihsfa[.]com/api/fbtime
  • hxxp://45.133.1[.]107/server.txt
  • hxxp://gcl-gb[.]biz/stats/1.php
  • hxxp://gcl-gb[.]biz/check.php
  • hxxp://gcl-gb[.]biz/stats/save.php
  • hxxp://t.gogamec[.]com
  • hxxp://49.12.226[.]201/base/api/getData.php

Top 4 –  Vidar

Vidar was ranked fourth placed with 13.1%. It is an infostealer / downloader malware. Vidar not only has features such as web browser, FTP, cryptocurrency wallet address, screenshot, but also has a feature that can download additional malware.

As shown in the blogs below, Vidar is installed through spam emails that are sent periodically to Korean users, and its characteristic is that it exists with other ransomware within the compressed file attached to the spam mail.

Recently, certain game platforms are being abused to spread ransomware.

The following provides an analysis on Vidar’s info-leaking feature.

C&C URLs that were used during the period are as follows.

  • hxxp://94.131.97[.]136/1281
  • hxxp://94.131.96[.]16/1281
  • hxxp://94.131.97[.]143/1281
  • hxxp://94.131.97[.]153/1191
  • hxxp://45.142.213[.]7/1281
  • hxxp://45.89.55[.]176/1281
  • hxxp://94.131.97[.]119/1281
  • hxxp://88.198.89[.]6/1695

Top 5 –  Agent Tesla

AgentTesla is an infostealer that ranked fifth place with 11.6%. It is an info-stealer that leaks user credentials saved in web browsers, emails, and FTP clients.

It uses e-mail to leak collected information, and there are samples that used FTP or Discord API. C&C information of recently collected samples is as follows.

  • server : mail.tricomcomputacion[.]com (192.254.211[.]36)
    sender : danielventas@tricomcomputacion[.]com
    receiver : dorotaannagrebowiec01@gmail[.]com
    user : danielventas@tricomcomputacion[.]com
    pw : DANI****168
  • server : mail.thesharpening.com[.]au (139.99.142[.]16)
    sender : [email protected][.]au
    receiver : [email protected][.]au
    user : [email protected][.]au
    pw : Sa****{#_
  • server : mail.rylanlogisticsltd[.]com (144.76.236[.]210)
    sender : mary@rylanlogisticsltd[.]com
    receiver : ranjqnupreti3@gmail[.]com
    user : mary@rylanlogisticsltd[.]com
    pw : M@***!*

As most are distributed through spam emails disguised as invoices, shipment documents, and purchase orders, the file names contain such words shown above (Invoice, Shipment, and P.O. – Purchase Order). Multiple collected samples were disguised as files with extensions of pdf and xlsx.

  • EventSourceAttrib.exe
  • DHL SHIPMENT NOTIFICATION.exe
  • New Order 099923512489_pdf.exe
  • PO 20220608.exe
  • DEPOSIT SLIP.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/39627/

Tags: BACKDOOR, BROWSER, LEAK, EXPLOIT, SPAM