Top 10 Malware August 2022

In August 2022, the Top 10 Malware line-up changed considerably compared to the previous month. This month, LingyunNET, RecordBreaker, and TeamSpy made their first appearance, while SocGholish and Tinba returned to the Top 10 malware. LingyunNET is riskware that utilizes the victim's system resources. RecordBreaker is the successor to Racoon Stealer. RecordBreaker is an infostealer sold as malware-as-a-service on underground forums and steals data such as passwords, cookies, browser data, etc. TeamSpy is spyware that has been known to use a popular remote access tool, TeamViewer, and malware to steal information from victims. The Top 10 Malware variants comprised 47% of the total malware activity in August 2022, decreasing four percent from July 2022.

MS-ISAC Malware Notifications TLP WHITE August 2022 thumbnail

 
Top 10 Malware TLP WHITE August 2022 thumbnail

Malware Infection Vectors

The MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC has not had any malware in the Top 10 use the initial infection vector Network in the past year. Some malware employ different vectors in different contexts and are thus tracked as Multiple.

In August 2022, Multiple replaced Malvertisement as the top initial infection vector due to the recent SocGholish campaign and to the end of the Shlayer campaign. Activity levels for Malspam and Multiple increased, while activity for Dropped and Malvertisement decreased. It is likely that Multiple will remain the primary infection vector in the coming months as SocGholish’s campaign persists and other malware add initial infection methods to increase the span of their campaign. The Multiple category can include several vectors, and as such, it tends to increase and decrease at unpredictable rates, making trend analysis challenging. This category will likely continue to comprise a significant portion of the initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 malware as it is one of the oldest, most reliable primary initial infection vectors used by cyber threat actors in both this category and the Multiple category.


Top 10 Malware - Initial Infection Vectors TLP WHITE thumbnail

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently, Gh0st is using this technique.

Multiple – Malware that currently favors at least two vectors. Currently, CoinMiner, LingyunNet, RecordBreaker, SocGholish, TeamSpy, and ZeuS are the malware utilizing multiple vectors.

Malspam – Unsolicited emails either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, NanoCore, and Tinba.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants. The below IOCs are for the purpose of threat hunting and may not be inherently malicious.

Note: The associated URIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.  

SocGholish

SocGholish is a RAT and a banking trojan that uses fake Flash Updates to drop a NetSupport RAT payload.

Domains

  • irsbusinessaudit[.]net
  • irsgetwell[.]net
  • common.dotviolationsremoval[.]com
  • d2j09jsarr75l2.cloudfront[.]net
  • mafia.carverdesigngroup[.]com
  • cruize.updogtechnologies[.]com
  • record.usautosaleslv[.]com
  • hunter.libertylawaz[.]com
  • requests.pleaseactivate[.]me
  • zoom.themyr2bpodcast[.]com
  • accounts.mynewtopboyfriend[.]store
  • restructuring.breatheinnew[.]life
  • activation.thepowerofhiswhisper[.]com
  • sonic.myr2b[.]me
  • baget.godmessaged[.]me
  • predator.foxscalesjewelry[.]com
  • amplifier.myjesusloves[.]me
  • episode.foxscales[.]com
  • active.aasm[.]pro
  • tickets.kairosadvantage[.]com
  • templates.victoryoverdieting[.]com
  • casting.faeryfox[.]com
  • wallpapers.uniquechoice-co1[.]com
  • basket.stylingtomorrow[.]com
  • vacation.thebrightgift1[.]com
  • wallpapers.uniquechoice-co[.]com
  • vacation.thebrightgift[.]com
  • cigars.pawscolours[.]com
  • premium.i5417[.]com
  • rituals.fashionediter[.]com
  • expense.brick-house[.]net
  • loans.mistakenumberone[.]com
  • soendorg[.]top

ZeuS

ZeuS is a modular banking trojan that uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

MD5 Hashes

2db9ee63581f0297d8ca118850685602
306cbc3c0d2b83e57a68dec63a37f22f
416cfb5badf096eef29731ee3bcba7ce
5e5e46145409fb4a5c8a004217eef836
ae6cdc2be9207880528e784fc54501ed
d93ca01a4515732a6a54df0a391c93e3

CoinMiner 

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, due to multiple variants of this malware, capabilities may vary. CoinMiner spreads through malspam or is dropped by other malware.

MD5 Hashes

90db8de2457032f78c81c440e25bc753
d985ca16ee4e04ce765e966f1c68348f
f2184f47be242eda117037600760c3d7
4fd9592b8bf4db6569607243997cb365

TeamSpy

TeamSpy is spyware that has been known to use a popular remote access tool, TeamViewer, and malware to steal information from victims.

IPs

185[.]141[.]63[.]172
193[.]242[.]211[.]141

Domains

These are domains created by a generation algorithm (DGA).

  • Aidjthx[.]ru
  • aqzisud[.]ru
  • ayozgqi[.]ru
  • aypukww[.]ru
  • bjrmctw[.]com
  • brgnkyw[.]com
  • bzdsodx[.]com
  • cefndxb[.]net
  • disriou[.]info
  • dlylbux[.]info
  • eggrewv[.]ua
  • egtobdw[.]ua
  • embwhdk[.]ua
  • emrdtbx[.]ua
  • endtcww[.]ua
  • enxjicu[.]ua
  • eolptdd[.]ua
  • eudauew[.]ua
  • eugnhuw[.]ua
  • gjdhcdw[.]com
  • kdttmii21916368[.]ua
  • khuddqu24603344[.]ua
  • khvrder23620304[.]ua
  • kndexes24931024[.]ua
  • kneoeew24734416[.]ua
  • kxvfeow23554768[.]ua
  • qivoeeu[.]ru
  • rzawxds[.]com
  • uhgybdw[.]ua
  • uuxiqlu[.]ua
  • vixkknv[.]ru
  • wbikvir[.]com
  • wzhscse[.]com
  • yiwxukt[.]info
  • zbjqrus[.]ua
  • zfdboiu[.]ua
  • zhoppju[.]ua
  • zpueyer[.]ua
  • zukscuk[.]ua
  • zxfbihb[.]ua

NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

Domains

nanoboss[.]duckdns[.]org
justinalwhitedd554[.]duckdns[.]org
shahzad73[.]casacam[.]net
shahzad73[.]ddns[.]net

SHA256 Hashes

  • c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
  • dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
  • ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
  • 0195b0fbff91bece4665d8189bec104e44cdec85b6c26f60023a92dece8ca713
  • 098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525
  • 2605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
  • 28ef1f6f0d8350a3fda0f604089288233d169946fca868c074fc16541b140055
  • 4b61697d61a8835a503f2ea6c202b338bde721644dc3ec3e41131d910c657545
  • 7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
  • 959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
  • 988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

LingyunNet

LingyunNet is riskware that utilizes the victims system resources.

Domains

  • ampc.na.lb[.]holadns[.]com
  • ampc.na.lb[.]martianinc[.]co

Agent Tesla

Agent Tesla is a RAT that can exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.

SHA256 Hashes

Initial Infection File
7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45

First Stage dll module
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

XLL Droppers
fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12

Final Agent Tesla Payload
ab5444f001b8f9e06ebf12bc8fdc200ee5f4185ee52666d69f7d996317ea38f3
f3ebbcbcaa7a173a3b7d90f035885d759f94803fef8f98484a33f5ecc431beb6
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
3a4fc42fdb5a73034c00e4d709dad5641ca8ec64c0684fa5ce5138551dd3f47a
5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27

Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

SHA256 Hashes

00ab075162a48e4803e886e83f255a0f6b040d1299a5acaed5a363bed263c3dd
7a8efd5489f2eda373fea5c3ce518e8a463d52a223ab9c7683e88a1d3a5f7f0d
6e6d2f358f33d9ab10191ca731d2ff3300bc0e91cf4f865daa5a9ed183eda7ec

RecordBreaker

RecordBreaker is an infostealer that is the successor to Racoon Stealer. RecordBreaker is sold as malware-as-a-service on underground forums, and it steals data such as passwords, cookies, browser data, etc.

IPs

206[.]188[.]196[.]200
5[.]252[.]177[.]47
78[.]159[.]103[.]195

Tinba

Tinba (aka Tiny Banker) is a banking trojan, known for its small file size. Tinba uses web injection to collect victim information from login pages and web forms and is primarily disseminated via exploit kits.