Top 10 Malware Q1 2023
By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
Published April 27, 2023
In Q1 2023, the quarterly Top 10 Malware remained largely consistent with the previous quarter, although most entries changed position. SessionManager2 took the number one spot in Q1, comprising 55% of the Top 10 Malware incidents that the MS-ISAC detected. Additionally, Agent Tesla, CoinMiner, Gh0st, NanoCore, and SessionManager2 activity increased, while Ursnif and ZeuS activity decreased. Furthermore, Laplas, Neshta, and ViperSoftX made their first appearance in the quarterly Top 10 Malware.
- Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
- Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once a system is infected, it collects system information and exfiltrates data to its C2. Neshta spreads via phishing emails, removable media, and other malware.
- ViperSoftX is a multi-stage cryptocurrency stealer that spreads through torrents and file-sharing sites, typically as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.
- SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables cyber threat actors (CTAs) to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
In Q1, total malware activity increased 20% compared to Q4 2022, while Top 10 Malware activity increased 79%. The Top 10 Malware variants comprised 67% of total malware activity in Q1 2023, an increase of 10% compared to the previous quarter.
Malware Infection Vectors
The MS-ISAC tracks potential initial infection vectors for our Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.
Our Community Defense Model (CDM) v2.0 can help you defend against 77% of the ATT&CK (sub-)techniques associated with malware, regardless of the infection vector they use.
In Q1 2023, the top initial infection vector was Dropped, driven by the increase in SessionManager2 activity. Activity levels for Dropped and Malspam increased, while Multiple decreased. Although Dropped leads this quarter, Multiple will likely retake the top spot in Q2 2023 as other malware add initial infection methods to widen their campaigns and improve their odds of success; Dropped may remain the primary vector only as long as SessionManager2 continues its campaign and holds its place at the top of the quarterly Top 10 Malware. The most common combination within the Multiple vector is Malspam and Dropped. This category will likely continue to account for a significant share of initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the most reliable primary initial infection vectors.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st and SessionManager2 are the only Top 10 malware currently using this technique.
Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla, NanoCore, and Ursnif are currently using this technique.
Multiple – Malware that currently favors at least two vectors, such as Dropped or Malspam. Currently, CoinMiner, Laplas, Neshta, ViperSoftX, and ZeuS are malware utilizing multiple vectors.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.
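The domains and IPs in this report are published defanged (`[.]` in place of `.`) and with inconsistent letter case, so they need normalising before they can be matched against logs. The script below is an added example, not MS-ISAC tooling: it refangs a small subset of the indicators from the sections that follow, splits them into IP and domain sets, and runs a few constructed DNS and proxy log lines against them. The indicator subset and the log lines are constructed for the demonstration.

```python
"""Turn this report's defanged indicators into a hunting set and run sample
log lines against it.  Added example, not MS-ISAC tooling; the indicator
subset and the log lines below are constructed for the demonstration."""
import ipaddress
import re

# A handful of indicators copied verbatim (still defanged) from the sections below.
REPORT_IOCS = """
Mail[.]euroinkchemical[.]ro
nanoboss[.]duckdns[.]org
Clipper[.]guru
185[.]223[.]93[.]251
199[.]247[.]27[.]41
apzgt[.]com
"""

# Constructed DNS and proxy log lines; the first, second, fourth and sixth
# should match, the third (the bare dynamic-DNS zone) and fifth should not.
SAMPLE_LOG = """\
2023-03-02T10:14:07Z dns client=10.1.4.22 query=nanoboss.duckdns.org type=A
2023-03-02T10:14:09Z dns client=10.1.4.22 query=update.nanoboss.duckdns.org type=A
2023-03-02T10:15:31Z dns client=10.1.9.8 query=duckdns.org type=A
2023-03-02T10:16:02Z proxy client=10.1.7.3 dst=199.247.27.41:443 action=allow
2023-03-02T10:16:40Z proxy client=10.1.7.3 dst=199.247.27.42:443 action=allow
2023-03-02T10:17:12Z dns client=10.1.2.5 query=Clipper.guru type=A
"""

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(indicator: str) -> str:
    """Undo the [.] / (.) defanging and lower-case the result (DNS names are
    case-insensitive, and the report mixes cases)."""
    return DEFANG_RE.sub(".", indicator.strip()).lower()


def build_sets(text: str):
    """Split indicator lines into a domain set and an IP set."""
    domains, ips = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        ioc = refang(line)
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc)
    return domains, ips


def domain_hit(name: str, domains: set) -> bool:
    """Exact match or a subdomain of an indicator.  A query for duckdns.org
    alone is not a hit: the indicator is the full nanoboss.duckdns.org name,
    and treating the parent dynamic-DNS zone as malicious would be a false
    positive."""
    return name in domains or any(name.endswith("." + d) for d in domains)


TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def hunt(log_text: str, domains: set, ips: set):
    """Return (line, matched_indicator) for each log line that contains an
    indicator anywhere in its free text."""
    hits = []
    for line in log_text.splitlines():
        for tok in TOKEN_RE.findall(line):
            tok = tok.lower().strip(".")
            if tok in ips or domain_hit(tok, domains):
                hits.append((line, tok))
                break
    return hits


if __name__ == "__main__":
    d, i = build_sets(REPORT_IOCS)
    for line, ioc in hunt(SAMPLE_LOG, d, i):
        print(f"HIT {ioc:<32} {line}")
```

Matching is on the full indicator (or a subdomain of it), never on the parent zone, because several of the NanoCore indicators sit under shared dynamic-DNS providers. As the paragraph above warns, a hit is a lead for threat hunting, not by itself grounds for blocking.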
1. SessionManager2
SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables CTAs to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
MD5 Hashes
5FFC31841EB3B77F41F0ACE61BECD8FD
84B20E95D52F38BB4F6C998719660C35
4EE3FB2ABA3B82171E6409E253BDDDB5
2410D0D7C20597D9B65F237F9C4CE6C9
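Because SessionManager2 is installed as an IIS native module, the MD5 hashes above are most useful when compared against the DLLs IIS actually loads rather than scanned for across the whole disk. The script below is an added example, not MS-ISAC tooling: it parses the `globalModules` section of applicationHost.config (on a live host at `%windir%\System32\inetsrv\config\applicationHost.config`, or copied from a collected image), resolves each module's image path, hashes the file, and flags any hash in the list above. The sample config, directory tree and file contents are constructed so it runs anywhere; the "outside inetsrv" review heuristic is an assumption of this example, not a statement from the report. Managed modules registered under `<modules>` are not covered here.

```python
"""Audit the IIS native (global) modules on a host or a collected image against
the SessionManager2 MD5 hashes listed above.  Added example, not MS-ISAC
tooling: it reads applicationHost.config, resolves each module's image path
and hashes the DLL.  The directory layout and sample config it builds are
constructed so the script runs anywhere."""
import hashlib
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

# The four MD5 hashes published above, lower-cased for comparison.
SESSIONMANAGER2_MD5 = {
    "5ffc31841eb3b77f41f0ace61becd8fd",
    "84b20e95d52f38bb4f6c998719660c35",
    "4ee3fb2aba3b82171e6409e253bddddb5",
    "2410d0d7c20597d9b65f237f9c4ce6c9",
}

# Constructed applicationHost.config fragment: one stock module, one third-party
# module outside inetsrv, and one entry whose DLL no longer exists.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="stateManager" image="%SystemDrive%\inetpub\modules\stateManager.dll" />
      <add name="cacheHelper" image="%SystemDrive%\inetpub\modules\cacheHelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

ENV_RE = re.compile(r"%([^%]+)%")


def to_local_path(image: str, env: dict) -> str:
    """Expand %VAR% using a caller-supplied map (not os.environ, so a config
    taken from a mounted image resolves to that image's paths) and convert
    Windows separators to the local ones."""
    expanded = ENV_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), image)
    return expanded.replace("\\", os.sep)


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_modules(config_xml: str, env: dict, known_bad=SESSIONMANAGER2_MD5):
    """One finding per <globalModules><add> entry: its hash, whether that hash
    is in the known-bad set, whether the DLL sits outside the stock inetsrv
    directory (a review heuristic assumed here, not proof of compromise), and
    whether the referenced file is missing."""
    stock_dir = os.path.normcase(to_local_path(r"%windir%\System32\inetsrv", env))
    findings = []
    for gm in ET.fromstring(config_xml).iter("globalModules"):
        for add in gm.findall("add"):
            path = to_local_path(add.get("image", ""), env)
            digest = md5_of_file(path) if os.path.isfile(path) else None
            findings.append({
                "name": add.get("name"),
                "path": path,
                "md5": digest,
                "known_bad": digest in known_bad,
                "non_stock": not os.path.normcase(os.path.dirname(path)).startswith(stock_dir),
                "missing": digest is None,
            })
    return findings


def build_demo_tree():
    """Create a throwaway tree standing in for %windir% and %SystemDrive%."""
    root = tempfile.mkdtemp(prefix="iis-audit-")
    env = {"windir": os.path.join(root, "Windows"), "systemdrive": root}
    for rel, data in [
        (("Windows", "System32", "inetsrv", "static.dll"), b"constructed stock module"),
        (("inetpub", "modules", "stateManager.dll"), b"constructed third-party module"),
    ]:
        path = os.path.join(root, *rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, env


def run_demo(simulate_hit: bool = False):
    """Audit the constructed tree.  simulate_hit adds the constructed
    third-party DLL's real hash to the known-bad set to exercise the positive
    path (a file matching the real IOC hashes is deliberately not shipped)."""
    root, env = build_demo_tree()
    try:
        bad = set(SESSIONMANAGER2_MD5)
        if simulate_hit:
            bad.add(md5_of_file(os.path.join(root, "inetpub", "modules", "stateManager.dll")))
        return audit_modules(SAMPLE_CONFIG, env, bad)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in run_demo():
        flag = "KNOWN-BAD" if f["known_bad"] else "missing" if f["missing"] else "review" if f["non_stock"] else "ok"
        print(f"{flag:<10} {f['name']:<18} {f['md5'] or '-':<32} {f['path']}")
```

On a real host, pass the contents of applicationHost.config and a map of `windir` and `systemdrive` to the actual values (or to the mount point of a collected image). A module whose file is missing, or whose DLL lives outside inetsrv, is a lead for review; only a hash match against the list above ties the finding to SessionManager2.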
2. CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. It often uses the WMI Standard Event Consumer (scrcons.exe) to run scripts for persistence, although capabilities vary across its many variants. CoinMiner spreads through Malspam or is dropped by other malware.
MD5 Hashes
90db8de2457032f78c81c440e25bc753
IPs
199[.]247[.]27[.]41
3. Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems. It is sold on criminal forums as a Malware-as-a-Service (MaaS) offering. Its capabilities depend on the version purchased and include capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
Domains
mail[.]euroinkchemical[.]ro
mail[.]nobilenergysolar[.]com
SHA256 Hashes
Initial Infection File
7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45
XLL Droppers
fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12
Final Agent Tesla Payload
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
4. NanoCore
NanoCore is a RAT spread via Malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.
Domains
nanoboss[.]duckdns[.]org
justinalwhitedd554[.]duckdns[.]org
shahzad73[.]casacam[.]net
shahzad73[.]ddns[.]net
power22[.]myftp[.]org
SHA256 Hashes
c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7
5. Gh0st
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that enables an attacker to fully control the infected device.
MD5 Hashes
77bd9926a4b41c14259e20c1f90e22aa
6. ZeuS
ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may actually be other malware using parts of the original ZeuS code.
Domains
cylt01cloudsim01[.]safebreach[.]net
MD5 Hashes
2db9ee63581f0297d8ca118850685602
416cfb5badf096eef29731ee3bcba7ce
ae6cdc2be9207880528e784fc54501ed
8ad4fb848a323b62036ea463fcf58993
7. Ursnif
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that spreads through Malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Its web injection attacks also include TLS callbacks to obfuscate the malware from anti-malware software. Ursnif’s newest variant has a built-in command shell that provides a reverse shell to remote IP addresses, allowing a CTA to execute system commands via the command line for further reconnaissance and more effective lateral movement. Lastly, Ursnif can drop additional malware, such as ransomware.
Domains
gameindikdowd[.]ru
iujdhsndjfks[.]ru
jhgfdlkjhaoiu[.]su
reggy506[.]ru
renewbleenergey[.]ru
uelcoskdi[.]ru
IPs
185[.]189[.]151[.]38
185[.]189[.]151[.]61
194[.]58[.]102[.]187
194[.]76[.]224[.]95
194[.]76[.]227[.]159
31[.]214[.]157[.]31
45[.]11[.]182[.]30
79[.]132[.]128[.]228
91[.]241[.]93[.]111
94[.]198[.]54[.]97
8. Laplas
Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
Domains
clipper[.]guru
IPs
185[.]223[.]93[.]251
188[.]34[.]207[.]137
45[.]159[.]189[.]105
79[.]137[.]199[.]252
9. ViperSoftX
ViperSoftX is a multi-stage cryptocurrency stealer that spreads through torrents and file-sharing sites, typically as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.
Domains
apzgt[.]com
apzlkg[.]com
argxztbe[.]com
arrowlchat[.]com
arykd[.]com
awoeru[.]com
bmyfz[.]com
byzvp[.]com
bzepuq[.]com
cdlxgun[.]com
chatgigi2[.]com
cikuwqhrg[.]com
coeuzxk[.]com
craje[.]com
dtoabvxl[.]com
dxwoi[.]com
eafxp[.]com
efsidlop[.]com
elipjo[.]com
eoishgc[.]com
eovykq[.]com
fbtcidr[.]com
ficrolun[.]com
fitbh[.]com
fjvezin[.]com
fvzgab[.]com
fyuncsv[.]com
gcvhixt[.]com
hjizca[.]com
hmtsiqcf[.]com
huict[.]com
iqsxetmug[.]com
iqwcrpyn[.]com
ironz[.]com
iudobjg[.]com
iwaqzhtxj[.]com
jesucwp[.]com
jfgqwxt[.]com
jfumw[.]com
jmzqrhdi[.]com
juobngtm[.]com
jvxbn[.]com
jwxvktr[.]com
jxkfr[.]com
kqidl[.]com
kzvure[.]com
lchtne[.]com
leqxyw[.]com
ljusxki[.]com
lmfho[.]com
lpohvzyd[.]com
lurpk[.]com
mpcnliydb[.]com
msjwl[.]com
njtgwcha[.]com
nlkxzgm[.]com
nmvprzdhf[.]com
nqzpcudae[.]com
ocluhxgpy[.]com
ofxdyqc[.]com
ohkfzawnj[.]com
ondxgiz[.]com
pfxqh[.]com
pstyx[.]com
pzguloqb[.]com
qogrzu[.]com
rcbxmzu[.]com
rimfugvz[.]com
rjcfoabns[.]com
segin[.]com
sgtuxbhz[.]com
sitdrjouq[.]com
suclfpbnw[.]com
tlnikcyqd[.]com
tvrcuohz[.]com
tzsxbynvr[.]com
ugxqj[.]com
umnfw[.]com
uwfmz[.]com
vewga[.]com
vqjumd[.]com
wopsyqi[.]com
xcakdisve[.]com
xsdmcy[.]com
xvfnhw[.]com
yjghwcxel[.]com
ysawrbi[.]com
zcdkjqwgn[.]com
zeiyusv[.]com
zjyhc[.]com
zqiwma[.]com
zrhcnxva[.]com
10. Neshta
Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once a system is infected, it collects system information and exfiltrates data to its C2. Neshta spreads via phishing emails, removable media, and other malware.
SHA256 Hashes
29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
539452719c057f59238e123c80a0a10a0b577c4d8af7a5447903955e6cf7aa3d
a4d0865565180988c3d9dbf5ce35b7c17bac6458ef234cfed82b4664116851f2
46200c11811058e6d1173a2279213d0b7ccde611590e427b3b28c0f684192d00
c965f9503353ecd6971466d32c1ad2083a5475ce64aadc0b99ac13e2d2c31b75
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.