March 29, 2023

Malware describes any malicious program created to wreak havoc or mischief on a computer system. Thanks to the constant push-and-pull between security professionals and cybercriminals, it’s also an ever-evolving ecosystem. Shifts in the malware environment change every year, although long-term trends are identifiable in year-over-year data reports.

Despite numerous anti-malware measures, cybercriminals and hackers don’t give up quickly, especially not as long as there’s money to be made in malware. Some traditionally-popular forms of malware appear to be losing traction in 2022 as cybercriminals change their tactics to attack new or underutilized vulnerabilities.

Source : CIS Security

Below are the Top Malware ranked in order of prevalence in alphabetical order. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top Malware variants. Note: The associated URIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.

Advertisements
Source : CIS Security

Like last year 2021, Emotet, XMRig, Formbook are the most prevailed malwares of this year too. Since we discussed the same in last year blog – Most Headlined Malware 2021. Other families are discussed below

Agent Tesla

Agent Tesla is a RAT that exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.

SHA256 Hashes

  • 7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45
  • c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565
  • fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
  • 7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12
  • ab5444f001b8f9e06ebf12bc8fdc200ee5f4185ee52666d69f7d996317ea38f3
  • f3ebbcbcaa7a173a3b7d90f035885d759f94803fef8f98484a33f5ecc431beb6
  • 12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
  • 3a4fc42fdb5a73034c00e4d709dad5641ca8ec64c0684fa5ce5138551dd3f47a
  • 5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
  • 9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27

CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, due to multiple variants of this malware, capabilities may vary. CoinMiner spreads through malspam or is dropped by other malware.

MD5 Hashes

  • 90db8de2457032f78c81c440e25bc753
  • d985ca16ee4e04ce765e966f1c68348f
  • f2184f47be242eda117037600760c3d7
  • 4fd9592b8bf4db6569607243997cb365

Delf

Delf is a family of malware with multiple variants written in the Delphi programming language, where most are downloaders. Campaigns, targets, infection vectors and capabilities vary based on the variant. Delf has multiple initial infection vectors, such as: dropped, malspam, or unintentional downloaded from a malicious website. Some of the abilities Delf variants exhibit include: backdoor or proxy functionality, stealing information, terminating antivirus applications, and mass mailing.

Domains

  • cmps.58sky.com
  • http://www.58sky.com
  • downloader-file840135003.payinstalldownload.ru
  • www88.58sky.com
  • downloader-file667365491.downloadtorrent.ru
  • downloader-file130432645.img-world.ru
  • update-fortnite.tk
  • downloader-file215521936.payinstalldownload.ru
  • fdsfsfsfs.xyz
  • kilimadzhara.xyz
Advertisements

Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

MD5 Hashes

  • 9af77f89a565143983fa008bbd8eedee
  • a2469f4913f1607e4207ba0a8768491c
  • a88e0e5a2c8fd31161b5e4a31e1307a0

Gravity RAT

GravityRAT is a RAT that affects Windows, MacOS, and Android. GravityRAT’s abilities include file exfiltration, remote command execution, keystroke logging. screenshot capture, and anti-analysis techniques.

SHA256 Hashes

  • 99dd67915566c0951b78d323bb066eb5b130cc7ebd6355ec0338469876503f90
  • 1c0ea462f0bbd7acfdf4c6daf3cb8ce09e1375b766fbd3ff89f40c0aa3f4fc96
  • 6a7eb19aa86d7915ef5a1f91ac623245c371544428445c4d8658da7e824f5f08
  • 69fa88b7c4d2dd9f2a1989178147f8418dec963a78969fa96977c18076e2a8526.

Jupyter

Jupyter aka SolarMarker, is a highly evasive and adaptive .NET infostealer that is downloaded by leveraging SEO-poisoning to create watering hole sites for the purpose of deceiving unsuspecting users to visit the website and download a malicious document, often a zip or PDF file embedded with a malicious executable. Jupyter primarily targets browser data in browsers such as Chrome, Chromium, and Firefox and has full backdoor functionality.

IPs

  • 37.120.233.92
  • 89.44.9.108
  • 92.204.160.101
  • 92.204.160.114
  • 146.70.101.97
  • 146.70.53.153
  • 146.70.40.236
  • 193.29.104.89

LingyunNet

LingyunNet is riskware that utilizes the victim’s system resources.

Domains

  • ampc.na.lb.holadns.com
  • ampc.na.lb.martianinc.co
  • zcky.na.lb.holadns.com
  • zcky.na.lb.martianinc.co
Advertisements

Mirai

Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.

IPs

  • 46.249.32.12
  • 62.197.136.157

SHA256 Hashes

  • 0a38acadeb41536f65ed89f84cc1620fb79c9b916e0d83f2db543e12fbfd0d8c
  • 3d9487191dd4e712cbfb8f4dcf916a707f60c3fb23807d4c02fb941e216f951d
  • 4f2f4d758d13a9cb2fd4c71e8015ba622b2b4c1c26ceb1114b258d6e3c174010
  • 1ddbc3bf9de79d293821f6c8780115860677b696773693d665ff44cdc62a51c3

NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

Domains

  • nanoboss.duckdns.org
  • justinalwhitedd554.duckdns.org
  • shahzad73.casacam.net
  • shahzad73.ddns.net

SHA256 Hashes

  • c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
  • dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
  • ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
  • 0195b0fbff91bece4665d8189bec104e44cdec85b6c26f60023a92dece8ca713
  • 098fe3c8d0407e7438827fb38831dac4af8bd42690f8bd43d4f92fd2b7f33525
  • 2605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
  • 28ef1f6f0d8350a3fda0f604089288233d169946fca868c074fc16541b140055
  • 4b61697d61a8835a503f2ea6c202b338bde721644dc3ec3e41131d910c657545
  • 7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
  • 959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
  • 988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

QakBot

QakBot is a multifunctional banking trojan that targets financial information, moves laterally across networks, and provides access to other malware, including ransomware. It is spread via malspam that often leverages thread hijacking.

IPs

  • 37.252.0.102
  • 74.15.2.252
  • 76.169.147.192
  • 41.228.22.180
  • 103.87.95.133
  • 103.88.226.30
  • 105.226.83.196
  • 109.228.220.196
  • 143.0.34.185
  • 176.205.119.81
  • 181.118.183.98
  • 187.207.48.194
  • 191.17.223.93
  • 201.211.64.196
  • 31.48.166.122
  • 39.44.144.159
  • 45.46.53.140
  • 45.9.20.200
  • 47.180.172.159
  • 47.23.89.62
  • 47.23.89.62:993
  • 72.252.201.34
  • 75.113.214.234
  • 76.69.155.202
  • 83.110.75.97
  • 86.97.11.43
  • 86.98.208.214
  • 86.98.33.141
  • 96.29.208.97
  • 100.1.108.246
  • 103.107.113.120
  • 103.139.243.207
  • 103.246.242.202
  • 109.12.111.14
  • 117.248.109.38
  • 121.74.167.191
  • 140.82.49.12
  • 140.82.63.183
  • 144.202.2.175
  • 172.114.160.81
  • 173.21.10.71
  • 175.145.235.37
  • 187.102.135.142
  • 191.99.191.28
  • 196.233.79.3
  • 203.122.46.130
  • 209.197.176.40
  • 217.128.122.65
  • 42.235.146.7
  • 46.107.48.202
  • 47.156.191.217
  • 5.32.41.45
  • 66.98.42.102
  • 68.204.7.158
  • 71.13.93.154
  • 71.74.12.34
  • 72.76.94.99
  • 75.99.168.194
  • 76.25.142.196
  • 90.120.65.153
  • 93.48.80.198
  • 94.59.138.62
  • 102.182.232.3
  • 108.60.213.141
  • 125.168.47.127
  • 140.82.63.183
  • 144.202.2.175
  • 144.202.3.39
  • 148.64.96.100
  • 149.28.238.199
  • 173.174.216.62
  • 174.69.215.101
  • 176.67.56.94
  • 179.158.105.44
  • 181.208.248.227
  • 182.191.92.203
  • 187.251.132.144
  • 190.252.242.69
  • 190.73.3.148
  • 202.134.152.2
  • 208.107.221.224
  • 24.178.196.158
  • 31.35.28.29
  • 32.221.224.140
  • 37.186.54.254
  • 37.34.253.233
  • 38.70.253.226
  • 40.134.246.185
  • 41.230.62.211
  • 41.38.167.179
  • 45.63.1.12
  • 45.76.167.26
  • 67.209.195.198
  • 70.46.220.114
  • 73.151.236.31
  • 76.70.9.169
  • 78.87.206.213
  • 80.11.74.81
  • 81.215.196.174
  • 82.152.39.39
  • 84.241.8.23:32103
  • 85.246.82.244
  • 91.177.173.10
  • 92.132.172.197
  • 72.12.115.90
  • 101.99.95.146
  • 185.82.127.231
  • 185.172.129.84
  • 185.235.247.119
  • 187.250.114.15

SHA256 Hashes

  • abc27c69742e00e713ff8229f8a59b285f09d41087db8ad2520ebaa45ecc721a
  • f868253b34e11c233326d0f0a74d55ba0191be645569256a8ae5d861afb29420
  • 2df3858be48c17a61684fa267a8885634053467c883fe04cd875fb5ebe21ae8c
  • Accbe0818487ccaa487f24abe838c1e2f3c3bc263ee941f2ae7c0a682803be79
  • D20120cc046cef3c3f0292c6cbc406fcf2a714aa8e048c9188f1184e4bb16c93
  • 78db8f8d22bf3f7440b1abe9f121c9fcf009f648b629f9e22c8d8afb1d585da7
  • b1e6a7a3e2597e51836277a32b2bc61aa781c8f681d44dfddea618b32e2bf2a6

MD5 Hashes

  • b54dbb1431a8fa4edfce5a2373482133
  • c01c463e2e821fecaae7ca17bd75f5e2
  • e8f99ccb8d4678955c8d34734b956f9a
  • ff8044d1a42fdc1ecd980766d7a6ca6d
  • 202d6895d1ddd74cedba7da709b471d8
  • 43637a386dbdb83a68293fcf46a5ca1d
  • 84d2856f8e597b31377d0b94d2dc3f34
Advertisements

RecordBreaker

RecordBreaker is an infostealer that is the successor to Racoon Stealer. RecordBreaker is sold as malware-as-a-service on underground forums, and it steals data such as passwords, cookies, browser data, etc.

IPs

  • 206.188.196.200
  • 5.252.177.47
  • 78.159.103.195

RedLine

RedLine is an infostealer available for purchase on cyber-criminal forums. Campaigns, targets, infection vectors and capabilities vary based on the version purchased. The malware typically targets information that can be easily monetized, such as credentials, cookies, banking information, and cryptocurrency wallet information. Additionally, the malware gathers information about the infected system such as web-browser, FTP clients, instant messengers, VPN services, and gaming clients.  Furthermore, RedLine has remote functionality allowing it to download further malicious tools or drop

IPs

  • 193.203.203.82

SHA256 Hashes

  • 6d4cdcc2b3df89d5e9168a59b6cb286c949421b967425c0d0ddfb0be48a9816e

Shlayer

Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern <api.random_name.com>. Below area several examples of domains Shlayer uses.

Domains

  • api.interfacecache.com
  • api.scalableunit.com
  • api.typicalconfig.com
  • api.standartanalog.com
  • api.fieldenumerator.com
  • api.practicalsprint.com
  • api.searchwebsvc.com
  • api.connectedtask.com
  • api.navigationbuffer.com
  • api.windowtask.com

SHA256 Hashes

  • d49ee2850277170d6dc7ef5f218b0697683ffd7cc66bd1a55867c4d4de2ab2fb
  • 97ef25ad5ffaf69a74f8678665179b917007c51b5b69d968ffd9edbfdf986ba0
  • 05b9383b6af36e6bf232248bf9ff44e9120afcf76e50ac8aa28f09b3307f4186
  • 907c31b2da15aa14d06c6e828eef6ca627bd1af88655314548f747e5ed2f5697
  • 9ceea14642a1fa4bc5df189311a9e01303e397531a76554b4d975301c0b0e5c8
  • ea86178a3c0941fd6c421c69f3bb0043b768f68ed84ecb881ae770d7fb8e24ed

Snugy

Snugy is a PowerShell-based backdoor allowing the attacker to obtain the system’s hostname and to run commands. This backdoor communicates through a DNS tunneling channel on the compromised server.

SHA256 Hashes

6c13084f213416089beec7d49f0ef40fea3d28207047385dda4599517b56e127

SocGholish

SocGholish is a downloader written in JavaScript that is distributed through malicious or compromised websites. It uses fake updates, such as Flash Updates or browser updates. SocGholish has been known to use Cobalt Strike and steal information. Additionally, it has been known to lead to further malware infections, such as Azorult, Dridex, NetSupport RAT, and sometimes ransomware.

Domains

  • irsbusinessaudit.net
  • irsgetwell.net
  • common.dotviolationsremoval.com
  • d2j09jsarr75l2.cloudfront.net
  • mafia.carverdesigngroup.com
  • cruize.updogtechnologies.com
  • record.usautosaleslv.com
  • hunter.libertylawaz.com
  • requests.pleaseactivate.me
  • zoom.themyr2bpodcast.com
  • accounts.mynewtopboyfriend.store
  • restructuring.breatheinnew.life
  • activation.thepowerofhiswhisper.com
  • sonic.myr2b.me
  • baget.godmessaged.me
  • predator.foxscalesjewelry.com
  • amplifier.myjesusloves.me
  • episode.foxscales.com
  • active.aasm.pro
  • tickets.kairosadvantage.com
  • templates.victoryoverdieting.com
  • casting.faeryfox.com
  • wallpapers.uniquechoice-co1.com
  • basket.stylingtomorrow.com
  • vacation.thebrightgift1.com
  • wallpapers.uniquechoice-co.com
  • vacation.thebrightgift.com
  • cigars.pawscolours.com
  • premium.i5417.com
  • rituals.fashionediter.com
  • expense.brick-house.net
  • loans.mistakenumberone.com
  • soendorg.top
  • prompt.zonashoppers.academy
  • hair.2topost.com
  • clean.godmessagedme.com
  • secretary.rentamimi.com
  • custom.usmuchmedia.com
Advertisements

TeamSpy

TeamSpy is spyware that has been known to use a popular remote access tool, TeamViewer, and malware to steal information from victims.

IPs

  • 185.141.63.172
  • 193.242.211.141

Domains

  • Aypbwhw.ru
  • Bboazuw.com
  • Bbvdjuw.com
  • Bjwoquv.com
  • Brozbsw.com
  • Ckrokei.net
  • Diczhcx.info
  • Dlylbux.info
  • Dtnpzec.info
  • eggrewv.ua
  • egtobdw.ua
  • emrdtbx.ua
  • endtcww.ua
  • eubjdjx.ua
  • eugnhuw.ua
  • gjdhcdw.com
  • gragcdw.com
  • hkaauvb.net
  • jmqmcdq.info
  • khuddqu24603344.ua
  • khvrder23620304.ua
  • kvbinbw23685840.ua
  • kxvfeow23554768.ua
  • qivoeeu.ru
  • rrlqlzv.com
  • uhgybdw.ua
  • uuxiqlu.ua
  • wzoodor.com
  • xknyajr.net
  • xsdbflb.net
  • ydfhzrx.info
  • ydxemre.info
  • ylfoopp.info
  • ytlqxzq.info
  • zbmgsbi.ua
  • zetuhne.ua
  • zfdboiu.ua
  • zftdlxd.ua
  • zhoppju.ua
  • zouiols.ua
  • zoumzgb.ua
  • zozlwla.ua
  • zueclka.ua
  • zwadpme.ua
  • zxfbihb.ua

Ursnif

Ursnif, also known as Gozi or Dreambot, is a banking trojan that is spread through malspam with a Microsoft Office document attached or a ZIP file containing an HTA file. Ursnif collects victim information from cookies, login pages, web forms. Additionally, Ursnif’s web injection attacks include TLS callbacks in order to obfuscate against anti-malware software.

Domains

  • expl.intorcafli.art
  • hop.feen007.at
  • iujdhsndjfks.com
  • kol.dsasghqwt.com
  • turialopatnds.live
  • wdeiqeqwns.com
  • weiqeqwens.com
  • weiqeqwns.com
  • weiqewqwns.com

IPs

  • 185.240.103.83
  • 45.8.158.104

ZeuS

 ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may be other malware using parts of the ZeuS code.

IPs

  • 62.182.156.187

MD5 Hashes

  • 2db9ee63581f0297d8ca118850685602
  • 306cbc3c0d2b83e57a68dec63a37f22f
  • 416cfb5badf096eef29731ee3bcba7ce
  • 5e5e46145409fb4a5c8a004217eef836
  • ae6cdc2be9207880528e784fc54501ed
  • d93ca01a4515732a6a54df0a391c93e3
Tags:

Leave a Reply

You may have missed

Apple Backports ZeroDay Patches for older devices

Apple Backports ZeroDay Patches for older devices

March 28, 2023
Apache Fineract Vulnerabilities

Apache Fineract Vulnerabilities

March 28, 2023
IceID Malware Shifting Focus to Ransomwares

IceID Malware Shifting Focus to Ransomwares

March 28, 2023
Sun Pharma suffers a Security Incident

Sun Pharma suffers a Security Incident

March 28, 2023
Twitter Source Code Leak on Git

Twitter Source Code Leak on Git

March 27, 2023
Okta Credentials Exposed via Post Exploitation Attack

Okta Credentials Exposed via Post Exploitation Attack

March 27, 2023
%d bloggers like this: