
Most Prevalent Malware Families: A Review – Year 2022


Malware describes any malicious program created to wreak havoc or mischief on a computer system. Thanks to the constant push-and-pull between security professionals and cybercriminals, it is also an ever-evolving ecosystem. The malware landscape shifts every year, although long-term trends can be identified in year-over-year data reports.

Despite numerous anti-malware measures, cybercriminals and hackers do not give up quickly, especially not as long as there is money to be made in malware. Some traditionally popular forms of malware appear to be losing traction in 2022 as cybercriminals change their tactics to attack new or underutilized vulnerabilities.

Source : CIS Security

Below are the Top Malware families, listed in alphabetical order rather than by prevalence rank. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top Malware variants. Note: the associated URIs are aligned with each malware family's respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.
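The note above describes how the IOCs are meant to be used: a listed URI on its own is weak evidence, but the same URI requested from a listed domain or IP is a strong signal. The following script is an added example (not part of the original post or of the CIS material) showing one way to apply that co-occurrence rule to proxy log lines. The log format, the indicator values and the log lines are all constructed placeholders; the page's own IOCs are not reproduced here.

```python
"""Triage proxy-log lines against an IOC set where a URI only counts as strong
evidence when it co-occurs with a listed domain or IP.
All indicators and log lines below are CONSTRUCTED placeholders for the example."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed IOC set (placeholders, not the page's indicators).
IOC_DOMAINS = {"example-bad.invalid"}
IOC_IPS = {"203.0.113.10"}              # RFC 5737 documentation range
IOC_URIS = {"/gate.php", "/update/check"}

# Constructed proxy log format: "<timestamp> <client_ip> <dest_host> <uri> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)


@dataclass
class Verdict:
    host: str
    uri: str
    host_hit: bool   # destination is a listed domain/IP
    uri_hit: bool    # request path is a listed URI

    @property
    def level(self) -> str:
        if self.host_hit and self.uri_hit:
            return "high"      # listed domain/IP and aligned URI seen together
        if self.host_hit:
            return "medium"    # listed domain/IP alone
        return "low"           # a listed URI alone is not inherently malicious


def parse_line(line):
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_listed_host(host):
    """True if the host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return str(ip_address(host)) in IOC_IPS
    except ValueError:  # not an IP literal, so treat it as a domain name
        return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def classify(line):
    rec = parse_line(line)
    if rec is None:
        return None
    uri_path = rec["uri"].split("?", 1)[0]   # compare the path, ignore the query string
    return Verdict(rec["host"], rec["uri"], is_listed_host(rec["host"]), uri_path in IOC_URIS)


def triage(lines):
    """Bucket a batch of log lines into {"high": [...], "medium": [...], "low": [...]}."""
    out = {"high": [], "medium": [], "low": []}
    for ln in lines:
        v = classify(ln)
        if v is not None:
            out[v.level].append(ln)
    return out


# Constructed sample log: only the first line pairs a listed host with a listed URI.
SAMPLE_LOG = [
    "2022-12-01T10:00:01Z 10.0.0.5 example-bad.invalid /gate.php?id=1 200",
    "2022-12-01T10:00:02Z 10.0.0.6 cdn.example.net /gate.php 404",
    "2022-12-01T10:00:03Z 10.0.0.7 203.0.113.10 /index.html 200",
    "2022-12-01T10:00:04Z 10.0.0.8 www.example.org /update/check 200",
]

if __name__ == "__main__":
    for level, hits in triage(SAMPLE_LOG).items():
        print(f"{level}: {len(hits)} line(s)")
        for h in hits:
            print("   ", h)
```

The second sample line requests `/gate.php` from an unlisted CDN host and lands in the "low" bucket, which is exactly the point of the note: the URI alone should not trigger an alert, while the same path requested from the listed domain is rated "high".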



As in 2021, Emotet, XMRig and Formbook are again among the most prevalent malware families this year; they were covered in last year's post, Most Headlined Malware 2021. The other families are discussed below.

Agent Tesla

Agent Tesla is a RAT that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected computer.

SHA256 Hashes


CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, due to multiple variants of this malware, capabilities may vary. CoinMiner spreads through malspam or is dropped by other malware.

MD5 Hashes


Delf

Delf is a family of malware with multiple variants written in the Delphi programming language, most of which are downloaders. Campaigns, targets, infection vectors and capabilities vary based on the variant. Delf has multiple initial infection vectors, such as being dropped by other malware, malspam, or an unintentional download from a malicious website. Some of the abilities Delf variants exhibit include backdoor or proxy functionality, stealing information, terminating antivirus applications, and mass mailing.

Domains



Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

MD5 Hashes


Gravity RAT

GravityRAT is a RAT that affects Windows, macOS, and Android. GravityRAT's abilities include file exfiltration, remote command execution, keystroke logging, screenshot capture, and anti-analysis techniques.

SHA256 Hashes


Jupyter

Jupyter, also known as SolarMarker, is a highly evasive and adaptive .NET infostealer. It is downloaded by leveraging SEO poisoning to create watering-hole sites that deceive unsuspecting users into visiting the website and downloading a malicious document, often a ZIP or PDF file embedded with a malicious executable. Jupyter primarily targets browser data in browsers such as Chrome, Chromium, and Firefox and has full backdoor functionality.

IPs


LingyunNet

LingyunNet is riskware that utilizes the victim’s system resources.

Domains



Mirai

Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.

IPs

SHA256 Hashes


NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

Domains

SHA256 Hashes


QakBot

QakBot is a multifunctional banking trojan that targets financial information, moves laterally across networks, and provides access to other malware, including ransomware. It is spread via malspam that often leverages thread hijacking.

IPs

SHA256 Hashes

MD5 Hashes



RecordBreaker

RecordBreaker is an infostealer that is the successor to Raccoon Stealer. RecordBreaker is sold as malware-as-a-service on underground forums, and it steals data such as passwords, cookies, browser data, etc.

IPs


RedLine

RedLine is an infostealer available for purchase on cyber-criminal forums. Campaigns, targets, infection vectors and capabilities vary based on the version purchased. The malware typically targets information that can be easily monetized, such as credentials, cookies, banking information, and cryptocurrency wallet information. Additionally, the malware gathers information about the infected system, such as web browsers, FTP clients, instant messengers, VPN services, and gaming clients. Furthermore, RedLine has remote functionality allowing it to download further malicious tools or drop

IPs

SHA256 Hashes


Shlayer

Shlayer is a downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern <api.random_name.com>. Below are several examples of domains Shlayer uses.

Domains

SHA256 Hashes


Snugy

Snugy is a PowerShell-based backdoor allowing the attacker to obtain the system’s hostname and to run commands. This backdoor communicates through a DNS tunneling channel on the compromised server.

SHA256 Hashes

6c13084f213416089beec7d49f0ef40fea3d28207047385dda4599517b56e127
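Two of the families above leave traces in DNS query logs: Shlayer's hosting pattern of `api.<random_name>.com` domains (see the Shlayer section) and Snugy's command channel, which tunnels over DNS. The script below is an added example, not code from the original post or from CIS, that screens a DNS query log for both. It assumes a constructed log format of timestamp, client IP, query name and query type, assumes the Shlayer "random_name" label consists of letters, digits and hyphens, and uses generic DNS-tunneling heuristics (many unique, long, high-entropy subdomains under one parent) rather than any Snugy-specific signature. All log lines and domains are constructed placeholders; the hash above is not used.

```python
"""Screen DNS query logs for (1) the api.<random_name>.com hosting pattern and
(2) DNS-tunneling behaviour: many unique, long, high-entropy subdomains under one
parent domain, which is what data encoded into DNS labels looks like.
Log format, domains and thresholds are CONSTRUCTED for this example."""
import math
import re
from collections import Counter, defaultdict

# Heuristic only: a legitimate "api.<name>.com" host will also match, so this
# pattern is a triage filter, not proof of maliciousness. Label charset is an assumption.
SHLAYER_RE = re.compile(r"^api\.[a-z0-9-]+\.com$")

# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+)$")


def parse_dns_line(line):
    m = DNS_RE.match(line.strip())
    return m.groupdict() if m else None


def shannon_entropy(s):
    """Bits per character; 16 equally frequent hex digits give exactly 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname):
    """Naive registrable domain: the last two labels (sufficient for this example)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2])


def matches_shlayer_pattern(qname):
    return SHLAYER_RE.match(qname.lower().rstrip(".")) is not None


def tunneling_suspects(records, min_queries=4, min_avg_entropy=3.5, min_avg_len=30):
    """Group queries by parent domain and flag parents whose subdomains are
    numerous, almost all unique, long, and high-entropy."""
    by_parent = defaultdict(list)
    for r in records:
        sub = subdomain_part(r["qname"])
        if sub:
            by_parent[parent_domain(r["qname"])].append(sub)
    suspects = {}
    for parent, subs in by_parent.items():
        uniq = set(subs)
        if len(subs) < min_queries or len(uniq) / len(subs) < 0.9:
            continue  # too few queries, or the same names repeated (normal caching behaviour)
        avg_len = sum(len(s) for s in uniq) / len(uniq)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in uniq) / len(uniq)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            suspects[parent] = {
                "queries": len(subs),
                "avg_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            }
    return suspects


def screen(lines):
    records = [r for r in (parse_dns_line(ln) for ln in lines) if r]
    shlayer = sorted({r["qname"] for r in records if matches_shlayer_pattern(r["qname"])})
    return {"shlayer_pattern": shlayer, "tunneling": tunneling_suspects(records)}


# Constructed sample log: one api.<name>.com lookup, normal traffic, and four
# unique 32-hex-character labels under one parent (each label uses every hex digit twice).
SAMPLE_DNS = [
    "2022-12-01T09:00:00Z 10.0.0.5 api.quietbrook.com A",
    "2022-12-01T09:00:01Z 10.0.0.5 www.example.org A",
    "2022-12-01T09:00:02Z 10.0.0.6 static.example.net A",
    "2022-12-01T09:00:03Z 10.0.0.9 0123456789abcdeffedcba9876543210.tunnel.invalid TXT",
    "2022-12-01T09:00:04Z 10.0.0.9 fedcba98765432100123456789abcdef.tunnel.invalid TXT",
    "2022-12-01T09:00:05Z 10.0.0.9 02468ace13579bdf13579bdf02468ace.tunnel.invalid TXT",
    "2022-12-01T09:00:06Z 10.0.0.9 13579bdf02468ace02468ace13579bdf.tunnel.invalid TXT",
]

if __name__ == "__main__":
    result = screen(SAMPLE_DNS)
    print("api.<name>.com pattern:", result["shlayer_pattern"])
    for parent, stats in result["tunneling"].items():
        print("possible DNS tunnel:", parent, stats)
```

The thresholds are starting points to tune against your own baseline: CDNs and some telemetry services legitimately generate long, varied subdomains, so the tunneling output is a hunting lead to confirm against the client and the query types (TXT and other large-payload records are common in tunnels) rather than a verdict.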


SocGholish

SocGholish is a downloader written in JavaScript that is distributed through malicious or compromised websites. It uses fake updates, such as Flash Updates or browser updates. SocGholish has been known to use Cobalt Strike and steal information. Additionally, it has been known to lead to further malware infections, such as Azorult, Dridex, NetSupport RAT, and sometimes ransomware.

Domains



TeamSpy

TeamSpy is spyware that has been known to use a popular remote access tool, TeamViewer, and malware to steal information from victims.

IPs

Domains


Ursnif

Ursnif, also known as Gozi or Dreambot, is a banking trojan that is spread through malspam with a Microsoft Office document attached or a ZIP file containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif's web injection attacks include TLS callbacks in order to obfuscate against anti-malware software.

Domains

IPs


ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may be other malware using parts of the ZeuS code.

IPs

MD5 Hashes
