Top 10 Malware June 2022

In June 2022, with the exception of GravityRAT, Mirai, and QakBot returning to the Top 10, the lineup remained consistent with the previous month’s Top 10 Malware. GravityRAT is a RAT that affects Windows, MacOS, and Android. GravityRAT’s abilities include file exfiltration, remote command execution, keystroke logging, screenshot capture, and anti-analysis techniques. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices to conduct large-scale DDoS attacks. QakBot is a multifunctional banking trojan that targets financial information, moves laterally across networks, and provides access to other malware, including ransomware. The Top 10 Malware variants comprise 47% of the total malware activity in June 2022, decreasing 16% from May 2022.

[Figure: MS-ISAC Malware Notifications, TLP WHITE, June 2022]

[Figure: Top 10 Malware, TLP WHITE, June 2022]

Malware Infection Vectors

The MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC has not had any malware in the Top 10 use the initial infection vector Network in the past year. Some malware employ different vectors in different contexts and are thus tracked as Multiple.

In June 2022, Malvertisement accounted for the greatest number of alerts. Malvertisement remains the top initial infection vector due to Shlayer activity. Activity levels for Malspam, Malvertisement, and Multiple decreased, while activity for Dropped increased. It is likely that Malvertisement will remain the primary infection vector in the coming months as Shlayer permeates much of the education sector. Of note, Shlayer activity has decreased over the last two months, with its most recent decrease of 44% from May to June. The Multiple category can include several vectors, and as such, it tends to increase and decrease at unpredictable rates, making trend analysis challenging. This category will likely continue to comprise a significant portion of the initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 malware as it is one of the oldest, most reliable, primary initial infection vectors used by cyber threat actors in both this category and the Multiple category.

[Figure: Top 10 Malware - Initial Infection Vectors, TLP WHITE, June 2022]

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently, Gh0st and Mirai are using this technique.

Multiple – Malware that currently favors at least two vectors. Currently, CoinMiner, GravityRAT, RedLine, and ZeuS  are the malware utilizing multiple vectors.

Malspam – Unsolicited emails either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, NanoCore, and QakBot.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants. The below IOCs are for the purpose of threat hunting and may not be inherently malicious.

Note: The associated URIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.  
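The indicators in this post are defanged with the `[.]` convention and must be reversed ("refanged") before they can be compared with live telemetry. The following Python is an added example, not part of the MS-ISAC post: it refangs a small constructed subset of the indicators listed below (Shlayer domains, QakBot IPs including one with a port, a QakBot SHA256 and a CoinMiner MD5), matches them against constructed DNS, connection and file records, and also flags domains that merely fit Shlayer's api.<random_name>.com naming scheme as lower-confidence hits. The record layout, the regular expression for that naming scheme, and the hit wording are assumptions.

```python
import re
from typing import Optional

# Constructed subset of the defanged indicators published in this post.
DEFANGED_DOMAINS = [
    "api[.]interfacecache[.]com",
    "api[.]scalableunit[.]com",
    "nanoboss[.]duckdns[.]org",
]
DEFANGED_IPS = [
    "37[.]252[.]0[.]102",
    "47[.]23[.]89[.]62",
    "47[.]23[.]89[.]62:993",
    "84[.]241[.]8[.]23:32103",
]
HASHES = [
    "Accbe0818487ccaa487f24abe838c1e2f3c3bc263ee941f2ae7c0a682803be79",  # QakBot .img (SHA256)
    "90db8de2457032f78c81c440e25bc753",                                  # CoinMiner (MD5)
]

# Assumption: Shlayer's api.<random_name>.com scheme, used only as a low-confidence pattern.
SHLAYER_RE = re.compile(r"^api\.[a-z0-9-]+\.com$")


def refang(ioc: str) -> str:
    """Reverse the [.] defanging so the indicator can be compared with live data."""
    return ioc.replace("[.]", ".").lower().strip()


def split_host_port(ioc: str):
    """'47[.]23[.]89[.]62:993' -> ('47.23.89.62', 993); an indicator without a port -> (host, None)."""
    host, _, port = refang(ioc).partition(":")
    return host, (int(port) if port else None)


DOMAIN_SET = {refang(d) for d in DEFANGED_DOMAINS}
# Port-specific rules first so the more specific indicator is reported when both match.
IP_RULES = sorted((split_host_port(i) for i in DEFANGED_IPS), key=lambda hp: hp[1] is None)
HASH_SET = {h.lower() for h in HASHES}  # hex digests compare case-insensitively


def match_event(event: dict) -> Optional[str]:
    """Return a description of the indicator hit for one telemetry record, or None."""
    kind = event["type"]
    if kind == "dns":
        query = event["query"].lower().rstrip(".")  # drop the trailing dot of an FQDN
        if query in DOMAIN_SET:
            return f"domain IOC: {query}"
        if SHLAYER_RE.match(query):
            return f"Shlayer-style domain (pattern only, verify): {query}"
    elif kind == "conn":
        for host, port in IP_RULES:
            if event["dst"] == host and (port is None or event.get("port") == port):
                return f"IP IOC: {host}" + (f":{port}" if port else "")
    elif kind == "file":
        digest = event["hash"].lower()
        if digest in HASH_SET:
            return f"hash IOC: {digest[:12]}..."
    return None


def hunt(events):
    """Return (source host, hit description) for every record that matches an indicator."""
    return [(e["src"], hit) for e in events if (hit := match_event(e))]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "dns", "src": "10.0.0.5", "query": "api.interfacecache.com."},
    {"type": "dns", "src": "10.0.0.5", "query": "api.somethingelse.com"},
    {"type": "dns", "src": "10.0.0.9", "query": "www.example.com"},
    {"type": "conn", "src": "10.0.0.7", "dst": "47.23.89.62", "port": 443},
    {"type": "conn", "src": "10.0.0.7", "dst": "47.23.89.62", "port": 993},
    {"type": "conn", "src": "10.0.0.8", "dst": "37.252.0.102", "port": 8080},
    {"type": "file", "src": "10.0.0.3",
     "hash": "ACCBE0818487CCAA487F24ABE838C1E2F3C3BC263EE941F2AE7C0A682803BE79"},
]

if __name__ == "__main__":
    for src, hit in hunt(SAMPLE_EVENTS):
        print(src, hit)
```

Hashes are lowercased on both sides because some digests on this page are printed with an upper-case leading character; a case-sensitive comparison would silently miss them.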

1. Shlayer

Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern, api.<random_name>.com. Below are several examples of domains Shlayer uses.

Domains

  • api[.]interfacecache[.]com
  • api[.]scalableunit[.]com
  • api[.]typicalconfig[.]com
  • api[.]standartanalog[.]com
  • api[.]fieldenumerator[.]com
  • api[.]practicalsprint[.]com
  • api[.]searchwebsvc[.]com
  • api[.]connectedtask[.]com
  • api[.]navigationbuffer[.]com
  • api[.]windowtask[.]com

SHA256 Hashes
flashInstaller.dmg
disk image; initial download, usually in ~/Downloads
d49ee2850277170d6dc7ef5f218b0697683ffd7cc66bd1a55867c4d4de2ab2fb
97ef25ad5ffaf69a74f8678665179b917007c51b5b69d968ffd9edbfdf986ba0

Installer
found within a .app in a subfolder of /private/var/folders
Mach-O macOS binary; self-signed
05b9383b6af36e6bf232248bf9ff44e9120afcf76e50ac8aa28f09b3307f4186
907c31b2da15aa14d06c6e828eef6ca627bd1af88655314548f747e5ed2f5697

Install.dmg
9ceea14642a1fa4bc5df189311a9e01303e397531a76554b4d975301c0b0e5c8

Install.command
ea86178a3c0941fd6c421c69f3bb0043b768f68ed84ecb881ae770d7fb8e24ed

Behavioral IOCs
System utilities such as xxd, base64, openssl, curl, and unzip executed in succession can indicate the initial installation.

The shell script uses mktemp and in some samples uses a -t switch followed by the character "x." These variants will create a temporary folder in DARWIN_USER_TEMP_DIR with the prefix "x" followed by random character strings.
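The two behavioral indicators above (the run of xxd, base64, openssl, curl and unzip, and the mktemp -t x temporary folder) can be turned into detection logic over process-execution telemetry. The following Python is an added example, not part of the MS-ISAC post: it groups constructed macOS process events by user and parent process, alerts when all five utilities execute within a short window, and separately flags mktemp -t x invocations and any command that references an x.<random> folder under the per-user temp directory. The event layout, the 120-second window, the /var/folders/.../T/ location of DARWIN_USER_TEMP_DIR and the x.<random> folder name are assumptions.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the post says are executed in succession during initial installation.
INSTALL_CHAIN = {"xxd", "base64", "openssl", "curl", "unzip"}
WINDOW = timedelta(seconds=120)  # assumption: the chain completes within two minutes

# Assumption: the per-user temp dir (DARWIN_USER_TEMP_DIR) is /var/folders/<xx>/<random>/T/
# and `mktemp -t x` names the folder it creates x.<random> inside it.
TEMP_DIR_RE = re.compile(r"/(?:private/)?var/folders/[^/]+/[^/]+/T/x\.[A-Za-z0-9_]+")
MKTEMP_RE = re.compile(r"\bmktemp\b.*\s-t\s+x\b")


def parse_ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def detect_install_chain(events):
    """Alert when one (user, parent pid) runs every utility in INSTALL_CHAIN inside WINDOW."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["user"], ev["ppid"])].append(ev)
    alerts = []
    for (user, ppid), evs in groups.items():
        evs.sort(key=parse_ts)
        names = [(parse_ts(e), os.path.basename(e["exe"])) for e in evs]
        for i, (t0, first) in enumerate(names):
            if first not in INSTALL_CHAIN:
                continue
            # Every chain utility seen from this event until the window closes.
            seen = {n for t, n in names[i:] if t - t0 <= WINDOW}
            if INSTALL_CHAIN <= seen:
                alerts.append({"user": user, "ppid": ppid, "start": t0.isoformat()})
                break  # one alert per group is enough
    return alerts


def detect_temp_dir_use(events):
    """Flag `mktemp -t x` and any command referencing an x.<random> folder in the temp dir."""
    hits = []
    for ev in events:
        argv = ev["argv"]
        if MKTEMP_RE.search(argv) or TEMP_DIR_RE.search(argv):
            hits.append((ev["ts"], ev["user"], argv))
    return hits


# Constructed sample process events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2022-06-14T10:00:00", "user": "alice", "ppid": 4242, "exe": "/usr/bin/mktemp",
     "argv": "mktemp -d -t x"},
    {"ts": "2022-06-14T10:00:01", "user": "alice", "ppid": 4242, "exe": "/usr/bin/xxd",
     "argv": "xxd -r -p"},
    {"ts": "2022-06-14T10:00:02", "user": "alice", "ppid": 4242, "exe": "/usr/bin/base64",
     "argv": "base64 -D"},
    {"ts": "2022-06-14T10:00:03", "user": "alice", "ppid": 4242, "exe": "/usr/bin/openssl",
     "argv": "openssl enc -d -aes-256-cbc"},
    {"ts": "2022-06-14T10:00:05", "user": "alice", "ppid": 4242, "exe": "/usr/bin/curl",
     "argv": "curl -s https://api.interfacecache.com/"},
    {"ts": "2022-06-14T10:00:09", "user": "alice", "ppid": 4242, "exe": "/usr/bin/unzip",
     "argv": "unzip -o /private/var/folders/zz/abc123/T/x.Kq9s7Q2f/payload.zip"},
    # A benign download-and-extract by another user: only two of the five utilities.
    {"ts": "2022-06-14T11:00:00", "user": "bob", "ppid": 777, "exe": "/usr/bin/curl",
     "argv": "curl -O https://www.example.com/file.zip"},
    {"ts": "2022-06-14T11:00:02", "user": "bob", "ppid": 777, "exe": "/usr/bin/unzip",
     "argv": "unzip file.zip"},
]

if __name__ == "__main__":
    print(detect_install_chain(SAMPLE_EVENTS))
    print(detect_temp_dir_use(SAMPLE_EVENTS))
```

Requiring all five utilities under one parent keeps ordinary curl-then-unzip activity, which is common on developer machines, from firing the rule; the temp-folder check is deliberately separate because it is a weaker signal on its own.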

2. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, due to multiple variants of this malware, capabilities may vary. CoinMiner spreads through malspam or is dropped by other malware.

MD5 Hashes
90db8de2457032f78c81c440e25bc753
d985ca16ee4e04ce765e966f1c68348f
f2184f47be242eda117037600760c3d7
4fd9592b8bf4db6569607243997cb365

3. QakBot

QakBot is a multifunctional banking trojan that targets financial information, moves laterally across networks, and provides access to other malware, including ransomware. It is spread via malspam that often leverages thread hijacking.

Note: The LNK file hash is a hash of rundll32.exe. QakBot has been sending malspam with a ZIP file. The archived file is an IMG file that, once mounted, shows three items: a Word document, a hidden DLL, and a LNK file. The LNK file uses rundll32.exe to run the hidden DLL. The hash for the LNK file is included because if a U.S. State, Local, Tribal, or Territorial (SLTT) entity has a LNK file with this hash, it is an indicator of a possible compromise.
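The chain in the note above (mounted IMG, LNK shortcut, rundll32.exe loading a DLL from the mounted volume) leaves a recognisable shape in process-creation telemetry. The following Python is an added example, not part of the MS-ISAC post: it parses the DLL argument out of rundll32 command lines and scores constructed Windows process-creation records on three signals, rundll32 spawned by explorer.exe, a DLL outside the system directories, and a DLL on a volume other than the system drive. The record layout, the trusted directories, the assumption that C: is the system drive, the two-signal threshold and the sample file names are all assumptions.

```python
import ntpath
import re

# Assumptions: C: is the system drive and legitimate rundll32 targets live under these paths.
SYSTEM_DRIVE = "C:"
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# rundll32 syntax: rundll32.exe <dll>[,<entry point>] [arguments]; the DLL path may be quoted.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)


def dll_from_cmdline(cmdline: str):
    """Extract the DLL path rundll32 was asked to load, or None if this is not a rundll32 line."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def rundll32_reasons(ev: dict):
    """Return the list of suspicion reasons for one process-creation record."""
    if ntpath.basename(ev["image"]).lower() != "rundll32.exe":
        return []
    dll = dll_from_cmdline(ev["cmdline"])
    if dll is None:
        return []
    reasons = []
    if ntpath.basename(ev["parent_image"]).lower() == "explorer.exe":
        reasons.append("spawned by explorer.exe (user opened a shortcut or file)")
    if not dll.lower().startswith(TRUSTED_DLL_DIRS):
        reasons.append(f"DLL outside trusted system directories: {dll}")
    drive = ntpath.splitdrive(dll)[0]
    if drive and drive.upper() != SYSTEM_DRIVE:
        reasons.append(f"DLL on non-system volume {drive.upper()} (mounted image pattern)")
    return reasons


def triage(events, min_reasons=2):
    """Keep records with at least min_reasons signals; a single signal is too noisy fleet-wide."""
    flagged = []
    for ev in events:
        reasons = rundll32_reasons(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev["host"], reasons))
    return flagged


# Constructed sample process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    # Shortcut inside a mounted image launching a DLL on that volume (constructed file name).
    {"host": "pc-17", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'rundll32.exe "E:\Invoice.dll",DllRegisterServer'},
    # Routine system use of rundll32 from a service host.
    {"host": "pc-02", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # Explorer using a system DLL for an "Open with" dialog: one signal only.
    {"host": "pc-09", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, reasons)
```

Each signal alone is common on a healthy fleet (Explorer starts rundll32 for many shell dialogs, and software installers load DLLs from temporary paths), which is why the example only reports records that carry two or more of them.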

IPs

  • 37[.]252[.]0[.]102
  • 74[.]15[.]2[.]252
  • 76[.]169[.]147[.]192
  • 41[.]228[.]22[.]180
  • 103[.]87[.]95[.]133
  • 103[.]88[.]226[.]30
  • 105[.]226[.]83[.]196
  • 109[.]228[.]220[.]196
  • 143[.]0[.]34[.]185
  • 176[.]205[.]119[.]81
  • 181[.]118[.]183[.]98
  • 187[.]207[.]48[.]194
  • 191[.]17[.]223[.]93
  • 201[.]211[.]64[.]196
  • 31[.]48[.]166[.]122
  • 39[.]44[.]144[.]159
  • 45[.]46[.]53[.]140
  • 45[.]9[.]20[.]200
  • 47[.]180[.]172[.]159
  • 47[.]23[.]89[.]62
  • 47[.]23[.]89[.]62:993
  • 72[.]252[.]201[.]34
  • 75[.]113[.]214[.]234
  • 76[.]69[.]155[.]202
  • 83[.]110[.]75[.]97
  • 86[.]97[.]11[.]43
  • 86[.]98[.]208[.]214
  • 86[.]98[.]33[.]141
  • 96[.]29[.]208[.]97
  • 100[.]1[.]108[.]246
  • 103[.]107[.]113[.]120
  • 103[.]139[.]243[.]207
  • 103[.]246[.]242[.]202
  • 109[.]12[.]111[.]14
  • 117[.]248[.]109[.]38
  • 121[.]74[.]167[.]191
  • 140[.]82[.]49[.]12
  • 140[.]82[.]63[.]183
  • 144[.]202[.]2[.]175
  • 172[.]114[.]160[.]81
  • 173[.]21[.]10[.]71
  • 175[.]145[.]235[.]37
  • 187[.]102[.]135[.]142
  • 191[.]99[.]191[.]28
  • 196[.]233[.]79[.]3
  • 203[.]122[.]46[.]130
  • 209[.]197[.]176[.]40
  • 217[.]128[.]122[.]65
  • 42[.]235[.]146[.]7
  • 46[.]107[.]48[.]202
  • 47[.]156[.]191[.]217
  • 5[.]32[.]41[.]45
  • 66[.]98[.]42[.]102
  • 68[.]204[.]7[.]158
  • 71[.]13[.]93[.]154
  • 71[.]74[.]12[.]34
  • 72[.]76[.]94[.]99
  • 75[.]99[.]168[.]194
  • 76[.]25[.]142[.]196
  • 90[.]120[.]65[.]153
  • 93[.]48[.]80[.]198
  • 94[.]59[.]138[.]62
  • 102[.]182[.]232[.]3
  • 108[.]60[.]213[.]141
  • 125[.]168[.]47[.]127
  • 144[.]202[.]3[.]39
  • 148[.]64[.]96[.]100
  • 149[.]28[.]238[.]199
  • 173[.]174[.]216[.]62
  • 174[.]69[.]215[.]101
  • 176[.]67[.]56[.]94
  • 179[.]158[.]105[.]44
  • 181[.]208[.]248[.]227
  • 182[.]191[.]92[.]203
  • 187[.]251[.]132[.]144
  • 190[.]252[.]242[.]69
  • 190[.]73[.]3[.]148
  • 202[.]134[.]152[.]2
  • 208[.]107[.]221[.]224
  • 24[.]178[.]196[.]158
  • 31[.]35[.]28[.]29
  • 32[.]221[.]224[.]140
  • 37[.]186[.]54[.]254
  • 37[.]34[.]253[.]233
  • 38[.]70[.]253[.]226
  • 40[.]134[.]246[.]185
  • 41[.]230[.]62[.]211
  • 41[.]38[.]167[.]179
  • 45[.]63[.]1[.]12
  • 45[.]76[.]167[.]26
  • 67[.]209[.]195[.]198
  • 70[.]46[.]220[.]114
  • 73[.]151[.]236[.]31
  • 76[.]70[.]9[.]169
  • 78[.]87[.]206[.]213
  • 80[.]11[.]74[.]81
  • 81[.]215[.]196[.]174
  • 82[.]152[.]39[.]39
  • 84[.]241[.]8[.]23:32103
  • 85[.]246[.]82[.]244
  • 91[.]177[.]173[.]10
  • 92[.]132[.]172[.]197
  • 72[.]12[.]115[.]90
  • 101[.]99[.]95[.]146
  • 185[.]82[.]127[.]231
  • 185[.]172[.]129[.]84
  • 185[.]235[.]247[.]119
  • 187[.]250[.]114[.]15

SHA256 Hashes
abc27c69742e00e713ff8229f8a59b285f09d41087db8ad2520ebaa45ecc721a
f868253b34e11c233326d0f0a74d55ba0191be645569256a8ae5d861afb29420

.zip
2df3858be48c17a61684fa267a8885634053467c883fe04cd875fb5ebe21ae8c

.img
accbe0818487ccaa487f24abe838c1e2f3c3bc263ee941f2ae7c0a682803be79

.docx
d20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93

.dll
78db8f8d22bf3f7440b1abe9f121c9fcf009f648b629f9e22c8d8afb1d585da7

LNK file
b1e6a7a3e2597e51836277a32b2bc61aa781c8f681d44dfddea618b32e2bf2a6

MD5 Hashes
b54dbb1431a8fa4edfce5a2373482133
c01c463e2e821fecaae7ca17bd75f5e2
e8f99ccb8d4678955c8d34734b956f9a
ff8044d1a42fdc1ecd980766d7a6ca6d
202d6895d1ddd74cedba7da709b471d8
43637a386dbdb83a68293fcf46a5ca1d
84d2856f8e597b31377d0b94d2dc3f34

Mutex
Global\{06253ADC-953E-436E-8695-87FADA31FDFB}

4. ZeuS

ZeuS is a modular banking trojan that uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

MD5 Hashes
2db9ee63581f0297d8ca118850685602
306cbc3c0d2b83e57a68dec63a37f22f
416cfb5badf096eef29731ee3bcba7ce
5e5e46145409fb4a5c8a004217eef836
ae6cdc2be9207880528e784fc54501ed
d93ca01a4515732a6a54df0a391c93e3

5. NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

Domains

  • nanoboss[.]duckdns[.]org
  • justinalwhitedd554[.]duckdns[.]org
  • shahzad73[.]casacam[.]net
  • shahzad73[.]ddns[.]net

SHA256 Hashes
c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
0195b0fbff91bece4665d8189bec104e44cdec85b6c26f60023a92dece8ca713
098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525
2605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
28ef1f6f0d8350a3fda0f604089288233d169946fca868c074fc16541b140055
4b61697d61a8835a503f2ea6c202b338bde721644dc3ec3e41131d910c657545
7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

6. GravityRAT

GravityRAT is a RAT that affects Windows, MacOS, and Android. GravityRAT’s abilities include file exfiltration, remote command execution, keystroke logging, screenshot capture, and anti-analysis techniques.

SHA256 Hashes
99dd67915566c0951b78d323bb066eb5b130cc7ebd6355ec0338469876503f90
1c0ea462f0bbd7acfdf4c6daf3cb8ce09e1375b766fbd3ff89f40c0aa3f4fc96
6a7eb19aa86d7915ef5a1f91ac623245c371544428445c4d8658da7e824f5f08
69fa88b7c4d2dd9f2a1989178147f8418dec963a78969fa96977c18076e2a852

7. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

SHA256 Hashes
00ab075162a48e4803e886e83f255a0f6b040d1299a5acaed5a363bed263c3dd
7a8efd5489f2eda373fea5c3ce518e8a463d52a223ab9c7683e88a1d3a5f7f0d
6e6d2f358f33d9ab10191ca731d2ff3300bc0e91cf4f865daa5a9ed183eda7ec

8. Agent Tesla

Agent Tesla is a RAT that can exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.

SHA256 Hashes

Initial Infection File
7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45

First Stage dll module
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

XLL Droppers
fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12

Final Agent Tesla Payload
ab5444f001b8f9e06ebf12bc8fdc200ee5f4185ee52666d69f7d996317ea38f3
f3ebbcbcaa7a173a3b7d90f035885d759f94803fef8f98484a33f5ecc431beb6
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
3a4fc42fdb5a73034c00e4d709dad5641ca8ec64c0684fa5ce5138551dd3f47a
5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27

9. Mirai

Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale distributed denial-of-service (DDoS) attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.

IPs

  • 46[.]249[.]32[.]12
  • 62[.]197[.]136[.]157

SHA256 Hashes
0a38acadeb41536f65ed89f84cc1620fb79c9b916e0d83f2db543e12fbfd0d8c
3d9487191dd4e712cbfb8f4dcf916a707f60c3fb23807d4c02fb941e216f951d
4f2f4d758d13a9cb2fd4c71e8015ba622b2b4c1c26ceb1114b258d6e3c174010
1ddbc3bf9de79d293821f6c8780115860677b696773693d665ff44cdc62a51c3

10. RedLine

RedLine is an infostealer available for purchase on cyber-criminal forums. Campaigns, targets, infection vectors, and capabilities vary based on the version purchased. The malware typically targets information that can be easily monetized, such as credentials, cookies, banking information, and cryptocurrency wallet information. Additionally, the malware gathers information about the infected system's software, such as web browsers, FTP clients, instant messengers, VPN services, and gaming clients. Furthermore, RedLine has remote functionality, enabling it to download further malicious tools or drop additional malware.

IPs

  • 193[.]203[.]203[.]82

SHA256 Hashes
6d4cdcc2b3df89d5e9168a59b6cb286c949421b967425c0d0ddfb0be48a9816e