Top 10 Malware Q3 2023
By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)
Published December 6, 2023
The Top 10 Malware in Q3 2023 saw some significant shifts from the previous quarter. RogueRaticate, Fake Browser, SocGholish, and Arechclient2 replaced Zeus, Laplas, DarkVision, and Amadey, which we featured in last quarter’s list. SocGholish took the number one spot in Q3, comprising 31% of the Top 10 Malware incidents detected by the MS-ISAC®. Meanwhile, RogueRaticate and Fake Browser made their first appearance on the quarterly Top 10 Malware list.
SocGholish, RogueRaticate, and Fake Browser are all in the Top 10 due to their recent campaigns using fake browser updates for initial access. Additionally, threat actors leveraging these malware often install the NetSupport Remote Access Tool, which was Q3’s top non-malware.
NanoCore was the second most active malware in Q3. It is a second-stage remote access trojan (RAT) that provides attackers with access to an infected machine.
Malware Infection Vectors
The MS-ISAC® tracks potential initial infection vectors for our Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.
The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware – regardless of the infection vector they use. Learn more in the video below.
In Q3 2023, the top initial infection vector changed from Multiple to Malvertisement due to an increase in SocGholish, RogueRaticate, and Fake Browser activity. Activity levels for both Dropped and Multiple decreased, while activity for Malspam and Malvertisement increased. The most popular combination for the Multiple initial infection vector was Malspam and Dropped.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor (CTA). Gh0st and Ratenjay are the only Top 10 Malware currently using this technique.
Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla and NanoCore are currently using this technique.
Multiple – Malware that currently uses at least two vectors, such as Dropped or Malspam. Currently, ArechClient2, CoinMiner, and ViperSoftX are malware using multiple vectors.
Malvertisement – Malware introduced through malicious advertisements. Currently, Fake Browser, RogueRaticate, and SocGholish are the only Top 10 Malware using this technique.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective IOCs are provided to aid in detecting and preventing infections from these malware variants. The IOCs below are suitable for threat hunting, but they are not necessarily inherently malicious and may not be appropriate for blocking.
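As an added example (not part of the MS-ISAC report), the Python below parses indicators written in the report's defanged form, sorts them by type, and hunts for them across sample log lines. The four indicator values are taken from the lists in this report; the log lines and the hostnames in them are constructed for the demonstration.

```python
import re
# Constructed sample in the report's defanged form ("[.]" for "."); the values are from the report.
SAMPLE_IOCS = """
nano8100[.]duckdns[.]org
193[.]161[.]193[.]99
worldinfocontact[.]club
7b5ffc7abe4ca48da678b87c0f6b4c0a
"""
# Constructed proxy / DNS / EDR / firewall log lines for the demonstration.
SAMPLE_LOGS = [
    "2023-09-12T10:01:07Z proxy src=10.0.0.21 host=nano8100.duckdns.org url=/gate.php status=200",
    "2023-09-12T10:01:09Z dns client=10.0.0.21 query=cdn.worldinfocontact.club type=A",
    "2023-09-12T10:02:15Z proxy src=10.0.0.33 host=updates.example.com status=304",
    "2023-09-12T10:03:40Z edr host=WS-0451 file=C:\\Temp\\svc.exe md5=7B5FFC7ABE4CA48DA678B87C0F6B4C0A",
    "2023-09-12T10:04:02Z fw action=allow src=10.0.0.21 dst=193.161.193.99 dport=443",
]
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
TOKEN_SPLIT = re.compile(r"[\s/:\"',=\[\]()<>]+")  # separators used by the log formats above

def refang(value):
    """Undo the report's defanging so indicators compare against real log values."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def parse_iocs(text):
    """Sort refanged indicators into md5 / ipv4 / domain sets; unrecognised lines are skipped."""
    buckets = {"md5": set(), "ipv4": set(), "domain": set()}
    for line in text.splitlines():
        v = refang(line)
        for kind, pattern in (("md5", MD5_RE), ("ipv4", IPV4_RE), ("domain", DOMAIN_RE)):
            if pattern.match(v):
                buckets[kind].add(v)
                break
    return buckets

def hunt(iocs, lines):
    """Return (line_number, ioc_type, indicator) for each log line containing an indicator.
    Hashes and IPs must match a whole token; a domain matches itself or any subdomain of it."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_SPLIT.split(line.lower()):
            if tok in iocs["md5"]:
                hits.append((n, "md5", tok))
            elif tok in iocs["ipv4"]:
                hits.append((n, "ipv4", tok))
            else:
                hits += [(n, "domain", d) for d in iocs["domain"] if tok == d or tok.endswith("." + d)]
    return hits
```

Matching domains on the host or a subdomain rather than as a substring is what keeps a shared dynamic-DNS parent such as duckdns.org from firing on every client that uses it.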
1. SocGholish
SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites. It uses fake software updates, such as browser updates or Flash updates, to trick users into downloading the malware. The malware uses multiple methods for traffic redirection and payload delivery, and it is known to use Cobalt Strike and steal information from the victim’s system. Additionally, SocGholish infections can lead to other CTA exploitation, such as downloading the NetSupport Remote Access Tool, the Async Remote Access Tool, and ransomware in some cases.
URLs
assay[.]porchlightcommunity[.]org
2. NanoCore
NanoCore is a RAT spread via malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and create a RunOnce key in the victim’s registry for persistence.
URLs
hadleyshope[.]3utilities[.]com
eu-central-7075[.]packetriot[.]net
nano8100[.]duckdns[.]org
IP Addresses
193[.]161[.]193[.]99
79[.]134[.]225[.]113
167[.]235[.]49[.]247
179[.]43[.]141[.]210
3. RogueRaticate
RogueRaticate is a downloader written in JavaScript that is distributed through malicious or compromised websites using fake browser updates. The payload for RogueRaticate is an HTML application file that is zipped or downloaded as a shortcut file. RogueRaticate infections are known to lead to further exploitation, such as CTAs downloading legitimate tools like the NetSupport Remote Access Tool.
4. Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as Malware-as-a-Service (MaaS). It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
5. Fake Browser
Fake Browser is a downloader written in JavaScript that is distributed through malicious or compromised websites using fake browser updates. Fake Browser is known to lead to additional infections, such as installation of the NetSupport Remote Access Tool.
6. ViperSoftX
ViperSoftX is a multi-stage cryptocurrency stealer. It is typically distributed as a malicious crack for popular software on torrent and file-sharing sites.
URLs
api[.]private-chatting[.]com
7. CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary, as there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
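The persistence mechanisms named for NanoCore (a RunOnce key) and CoinMiner (a WMI event consumer) both leave traces that endpoint telemetry can catch. As an added example that is not part of the report, the Python below applies two simple detection rules to Sysmon-style events; it assumes Sysmon's registry and WMI event IDs (13, 19, 20, 21) and field names, and the paths, names and SID in the sample events are invented.

```python
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style events (field names follow Sysmon's schema; paths,
# names and SIDs are invented for this demonstration, not taken from the report).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "13", "Image": "C:\\Users\\a\\AppData\\Roaming\\svchost.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svchost",
     "Details": "C:\\Users\\a\\AppData\\Roaming\\svchost.exe"},
    {"EventID": "13", "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Vendor\\InstallPath", "Details": "C:\\Program Files\\Vendor"},
    {"EventID": "19", "Name": "PerfFilter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60"},
    {"EventID": "20", "Name": "PerfConsumer", "Type": "ActiveScriptEventConsumer",
     "Destination": "ScriptText=<script body omitted>"},
    {"EventID": "20", "Name": "BackupLog", "Type": "NTEventLogEventConsumer", "Destination": "EventLog"},
    {"EventID": "21", "Consumer": "ActiveScriptEventConsumer.Name=\"PerfConsumer\"",
     "Filter": "__EventFilter.Name=\"PerfFilter\""},
]

SCRIPT_CONSUMERS = ("activescripteventconsumer", "commandlineeventconsumer")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def detect_persistence(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for events that look like Run/RunOnce or WMI
    event-consumer persistence. Run-key writes count only when the new value points
    into a user-writable path, which filters out most legitimate installers."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == "13":
            key = e.get("TargetObject", "").lower()
            val = e.get("Details", "").lower()
            if "\\currentversion\\runonce\\" in key or "\\currentversion\\run\\" in key:
                if any(p in val for p in USER_WRITABLE):
                    findings.append(("run_key_persistence", e["TargetObject"]))
        elif eid == "20" and e.get("Type", "").lower() in SCRIPT_CONSUMERS:
            findings.append(("wmi_script_consumer", e["Name"]))
        elif eid == "21" and any(c in e.get("Consumer", "").lower() for c in SCRIPT_CONSUMERS):
            findings.append(("wmi_consumer_binding", e["Filter"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect_persistence(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The rules generalise slightly beyond the report: they cover both Run and RunOnce, and both the script and command-line WMI consumer classes, since either can host the same persistence trick.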
8. Arechclient2
Arechclient2, aka SectopRAT, is a .NET RAT with numerous capabilities, including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and cryptocurrency wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.
MD5 Hashes
7b5ffc7abe4ca48da678b87c0f6b4c0a
9. Gh0st
Gh0st is a RAT used to control infected endpoints. It is dropped by other malware to create a backdoor for the attacker.
MD5 Hashes
2d330c354c14b39368876392d56fb18c
4E2D8CA775D0214E2532ACD778B91424
6B7CFB983A2DC2338B89CBADD837C801
62C6F595B570EAFDA24CAB01DC2E18A2
AC2F55CEFD715937E9584752B706712B
Domains
worldinfocontact[.]club
siekis[.]com
alienlol[.]com
a1free9bird[.]com
hodbeast[.]com
10. Ratenjay
Ratenjay is a RAT that is dropped by other malware or as a file download onto a victim’s system. It then executes commands remotely. It has keylogging capabilities.
IP Addresses
167[.]235[.]49[.]247
179[.]43[.]141[.]210
Ongoing Insights into the SLTT Threat Landscape
We continuously track new malware and other cyber threats in an effort to provide greater protection to U.S. SLTT entities.
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.