Top 10 Malware October 2022
Malware Infection Vectors
The MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC has not had any malware in the Top 10 use the initial infection vector Network in the past year. Some malware employ different vectors in different contexts and are tracked as Multiple.
In October 2022, Multiple was the top initial infection vector. Activity levels for all initial infection vectors decreased except for Dropped, which increased due to Gh0st and SessionManager2 activity. It is likely that Multiple will remain the primary infection vector in the coming months as the trend of having more than one initial infection vector continues. Malware authors continue to add additional initial infection methods to increase the span of their campaign and the likelihood of success. The most popular ways of using Multiple initial infection vector is the combination of Malspam and Dropped. This category will likely continue to comprise a significant portion of the initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 malware, as it is one of the oldest, most reliable initial infection vectors used by cyber threat actors.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st and SessionManager2 are the only two malware in the Top 10 list that are dropped.
Multiple – Malware that currently favors at least two vectors, such as Malspam and Dropped. Currently, Arechclient2, CoinMiner, RedLine, and ZeuS are the Top 10 malware utilizing multiple vectors.
Malspam – Unsolicited emails either direct users to malicious web sites or trick users into downloading or opening malware. The Top 10 Malware using this technique include Agent Tesla, NanoCore, Snugy, and Ursnif.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.
Note: The associated URLs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.
1. CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the capabilities may vary since there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
MD5 Hashes
90db8de2457032f78c81c440e25bc753
d985ca16ee4e04ce765e966f1c68348f
f2184f47be242eda117037600760c3d7
4fd9592b8bf4db6569607243997cb365
2. ZeuS
ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may actually be other malware using parts of the ZeuS code.
MD5 Hashes
2db9ee63581f0297d8ca118850685602
306cbc3c0d2b83e57a68dec63a37f22f
416cfb5badf096eef29731ee3bcba7ce
5e5e46145409fb4a5c8a004217eef836
ae6cdc2be9207880528e784fc54501ed
d93ca01a4515732a6a54df0a391c93e3
3. Arechclient2
Arechclient2, aka SectopRAT, is a NET RAT with numerous capabilities including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.
4. NanoCore
NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
Domains
nanoboss[.]duckdns[.]org
justinalwhitedd554[.]duckdns[.]org
shahzad73[.]casacam[.]net
shahzad73[.]ddns[.]net
power22[.]myftp[.]org
SHA256 Hashes
c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
0195b0fbff91bece4665d8189bec104e44cdec85b6c26f60023a92dece8ca713
098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525
2605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
28ef1f6f0d8350a3fda0f604089288233d169946fca868c074fc16541b140055
4b61697d61a8835a503f2ea6c202b338bde721644dc3ec3e41131d910c657545
7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7
5. SessionManager2
SessionManager2 is a malicious IIS module or backdoor that enables cyber threat actors to maintain persistent, update-resistant, and relatively stealthy access to infrastructure of a targeted entity.
MD5 Hashes
5FFC31841EB3B77F41F0ACE61BECD8FD
84B20E95D52F38BB4F6C998719660C35
4EE3FB2ABA3B82171E6409E253BDDDB5
2410D0D7C20597D9B65F237F9C4CE6C9
6. Agent Tesla
Agent Tesla is a RAT that can exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.
Domains
mail.euroinkchemical.ro
mail[.]nobilenergysolar[.]com
SHA256 Hashes
Initial Infection File
7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45
First Stage dll module
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
XLL Droppers
fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12
Final Agent Tesla Payload
ab5444f001b8f9e06ebf12bc8fdc200ee5f4185ee52666d69f7d996317ea38f3
f3ebbcbcaa7a173a3b7d90f035885d759f94803fef8f98484a33f5ecc431beb6
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
3a4fc42fdb5a73034c00e4d709dad5641ca8ec64c0684fa5ce5138551dd3f47a
5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27
7. RedLine
RedLine is an infostealer that is available for purchase on cybercriminal forums. The multitude of cybercriminals purchasing RedLine means there are many distinct malware campaigns, infection vectors, targets, and version capabilities. The malware typically targets information that can be easily monetized, such as credentials, cookies, banking information, and cryptocurrency wallet information. Additionally, the malware gathers information about the infected system such as web-browser, FTP clients, instant messengers, VPN services, and gaming clients. Furthermore, RedLine has remote functionality that allows it to download further malicious tools or drop additional malware.
IPs
185[.]215[.]113[.]121
194[.]36[.]177[.]216
77[.]73[.]134[.]24
8. Snugy
Snugy is a PowerShell-based backdoor that allows the attacker to obtain the system’s hostname and run commands. This backdoor communicates through a DNS tunneling channel on the compromised server.
SHA256 Hashes
6c13084f213416089beec7d49f0ef40fea3d28207047385dda4599517b56e127
9. Ursnif
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that is spread through malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif’s web injection attacks include TLS callbacks in order to obfuscate against anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell that provides a reverse shell for connection to remote IP address. A CTA then has the ability to execute system commands via command line, enabling them to perform further reconnaissance, as well as more effective lateral movement. Lastly, Ursnif has the ability to drop additional malware, such as ransomware.
Domains
Ijduwhsbvk[.]com
Iujdhsndjfks[.]com
Siwdmfkshsgw[.]com
Wdeiqeqwns[.]com
Weiqeqwens[.]com
Weiqeqwns[.]com
Weiqewqwns[.]com
IPs
185[.]240[.]103[.]83
185[.]158[.]249[.]54
188[.]127[.]224[.]114
45[.]8[.]158[.]104
10. Gh0st
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that allows an attacker to fully control the infected device.
MD5 Hashes
9af77f89a565143983fa008bbd8eedee
a2469f4913f1607e4207ba0a8768491c
a88e0e5a2c8fd31161b5e4a31e1307a0