
Malware describes any malicious program created to wreak havoc or mischief on a computer system. Thanks to the constant push-and-pull between security professionals and cybercriminals, it’s also an ever-evolving ecosystem. The malware environment shifts every year, although long-term trends are identifiable in year-over-year data reports.
Despite numerous anti-malware measures, cybercriminals and hackers don’t give up quickly, especially not as long as there’s money to be made in malware. Some traditionally popular forms of malware appear to be losing traction in 2023 as cybercriminals change their tactics to attack new or underutilized vulnerabilities.
Here is a summary of the most prevalent malware families in 2023.
Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as Malware-as-a-Service (MaaS). It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
Amadey
Amadey is a multi-functional botnet sold on criminal forums. The botnet primarily steals information from targets and downloads additional malware, such as FlawedAmmyy RAT and LockBit 3.0 ransomware.
Arechclient2
Arechclient2, aka SectopRAT, is a .NET RAT with numerous capabilities, including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and cryptocurrency wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.
CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary, as there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
DarkVision
DarkVision is a remote access toolkit sold on the dark web. It is written in C++ and targets native Windows clients. Once installed on a victim’s computer, it creates a backdoor for persistence and enables a CTA to remotely control the system. This toolkit comes with modular plugins that are like add-ons. Some examples of DarkVision’s add-on capabilities include keylogging, screen/microphone/webcam captures, password recovery, and reverse proxy. DarkVision is dropped by malware such as SmokeLoader.
Emotet
Emotet is a highly sophisticated and destructive Trojan used to download and install other malware. First recorded in 2014, it was classified as a banking trojan, but Emotet has gained advanced capabilities throughout its lifetime and evolved into an entire malware distribution service.
Emotet can act like a worm and spread across local networks, which makes it extremely hard to clean up. In addition to this, the trojan has advanced persistence and anti-analysis mechanics, such as detecting sandboxes and virtual machines, with an option to generate false indicators to throw researchers off. On top of that, the trojan has a polymorphic design, meaning that it can change its code to bypass signature-based detection, making this cyber defense strategy useless against its attacks.
Fake Browser
Fake Browser is a downloader written in JavaScript that is distributed through malicious or compromised websites using fake browser updates. Fake Browser is known to lead to additional infections, such as the NetSupport Remote Access Tool.
Gh0st
Gh0st is a RAT used to control infected endpoints. It is dropped by other malware to create a backdoor for the attacker.
Laplas
Laplas is a clipper malware spread by other malware. Currently, Laplas is spread by SmokeLoader, which is delivered via phishing emails containing malicious documents.
NanoCore
NanoCore is a RAT spread via malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and create a RunOnce key in the victim’s registry for persistence.
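The CoinMiner entry above names WMI Standard Event Consumer scripting as a persistence mechanism, and the NanoCore entry names a RunOnce registry key. The following defensive check, added here as an example and not code from the original post, enumerates both locations on a Windows host so they can be reviewed against a known-good baseline; it assumes a PowerShell session with local administrator rights.

```powershell
# Added example (not from the original post): list the two persistence
# locations discussed above so unexpected entries can be triaged.
# Assumes Windows and a PowerShell session with local administrator rights.

function Get-WmiPersistence {
    # Permanent WMI event subscriptions live in root\subscription as a
    # filter (WQL trigger), a consumer (what runs) and a binding joining them.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # The binding only carries key properties; look up the full objects by name.
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $c.Name
            # ActiveScriptEventConsumer stores ScriptText;
            # CommandLineEventConsumer stores CommandLineTemplate.
            Payload      = if ($c.ScriptText) { $c.ScriptText } else { $c.CommandLineTemplate }
        }
    }
}

function Get-AutorunKeys {
    # Run and RunOnce keys for the machine and the current user.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $key = Get-Item $p
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $p; Name = $name; Command = $key.GetValue($name) }
        }
    }
}

Get-WmiPersistence | Format-List
Get-AutorunKeys    | Format-Table -AutoSize
```

On a clean workstation the WMI list is usually empty or contains only known vendor subscriptions, so any ActiveScriptEventConsumer or CommandLineEventConsumer you cannot attribute deserves a closer look.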
Neshta
Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once the system is infected, it collects system information and exfiltrates data via its C2. Neshta spreads by phishing emails, removable media, and other malware.
njRAT
njRAT, also called Bladabindi and Njw0rm, is a remote access trojan that is used to remotely control infected machines. Its availability, the abundance of online tutorials and documentation, and a robust core feature set combined with several evasion techniques have made njRAT one of the most widely used RATs in the world.
This malware was detected for the first time in 2013; however, some related RATs were observed by researchers in 2012. The highest surge of njRAT trojan attacks was recorded in 2014 in the Middle East, which is the most targeted region for this malware.
QakBot
QakBot is a multifunctional banking trojan that targets financial information, moves laterally across networks, and provides access to other malware, including ransomware. It is spread via malspam that often leverages thread hijacking.
Ratenjay
Ratenjay is a RAT that is dropped by other malware or as a file download onto a victim’s system. It then executes commands remotely. It has keylogging capabilities.
RogueRaticate
RogueRaticate is a downloader written in JavaScript that is distributed through malicious or compromised websites using fake browser updates. The payload for RogueRaticate is an HTML application file that is zipped or downloaded as a shortcut file. RogueRaticate infections are known to lead to further exploitation, such as CTAs downloading legitimate tools like the NetSupport Remote Access Tool.
RedLine Stealer
RedLine Stealer, or RedLine, is malware that can collect users’ confidential information and deliver other malicious programs. The stealer’s availability and flexibility lead to economic loss and data leakage, with both enterprise and personal devices targeted. The healthcare and manufacturing sectors suffer the most from these attacks.
The malware appeared in March 2020 according to the Proofpoint investigation. Since then, RedLine has only gained steam. It was on the rise during the COVID-19 pandemic and is still active. On July 1st, 2021, the malware was found on a legitimate-looking website that claimed to provide privacy tools; payload analysis showed that only malware was actually delivered from it.
Remcos
Remcos is a remote access trojan, malware used to take remote control of infected PCs. This malicious software has been operational since 2016, when it first became available for sale in underground hacker communities on the dark web.
Remcos RAT has been receiving substantial updates throughout its lifetime. In fact, this malware is being maintained extremely actively, with new releases coming out every month. In April 2019, the malware was available for purchase for as little as just over 60 dollars up to over 400 dollars depending on the selected package.
SocGholish
SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites. It uses fake software updates, such as browser updates or Flash updates, to trick users into downloading the malware. The malware uses multiple methods for traffic redirection and payload delivery, and it is known to use Cobalt Strike and steal information from the victim’s system. Additionally, SocGholish infections can lead to other CTA exploitation, such as downloading the NetSupport Remote Access Tool, the Async Remote Access Tool, and ransomware in some cases.
Ursnif
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that spreads through malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms.
Additionally, Ursnif’s web injection attacks include TLS callbacks to obfuscate against anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell that provides a reverse shell for connection to remote IP addresses. This allows a CTA to execute system commands via command line, enabling them to perform further reconnaissance as well as more effective lateral movement. Lastly, Ursnif could drop additional malware, such as ransomware.
ViperSoftX
ViperSoftX is a multi-stage cryptocurrency stealer. It is typically distributed as a malicious crack for popular software within torrents and filesharing sites.
ZeuS
ZeuS is a modular banking Trojan that uses keystroke logging to compromise credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may be other malware using parts of the original ZeuS code.
This brings this security coverage to an end. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook, Twitter, and Instagram.


