September 2020 Top 10 Malware

In September 2020, we had 3 malware return to the Top 10: CoinMiner, CryptoWall, and Emotet. The Top 10 Malware variants composed 87% of Total Malware activity in September 2020, up from 78% in August 2020. This increase is largely due to the recent Shlayer campaign ramping up, as the education year begins for universities and K-12 schools. Due to the new education year, Shlayer is highly-likely to continue its prevalence in the Top 10 Malware for the coming months. Additionally, this month the MS-SIAC saw an increased number of Emotet alerts, as it reemerged from dormancy to continue malspam campaigns resulting in secondary Qakbot and TrickBot infections.

September-2020-MS-ISAC-Malware-Notifications

 

September-2020-top-10-malware

In September 2020, malvertisement accounted for the greatest number of alerts. Malvertisement continues to increase and stay as the top initial infection vector is due to Shlayer. Shlayer returned to the Top 10 Malware after new evidence resulted in it being reclassified as a Trojan Downloader compared to an Adware Dropper. Activity levels for all vectors, except malspam and network, increased. It is likely that malvertisement will remain the primary infection vector as the Shlayer campaign pans out.

september-2020-top-10-malware-infection-vectors

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently Gh0st is the only malware being dropped.

Multiple – Malware that currently favors at least two vectors. CoinMiner, CryptoWall, and ZeuS are the only malware currently utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement. 

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique Agent Tesla, Blaknight, Dridex, and Emotet. 

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer and SocGholish are the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective Indicators of Compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants.

1. Shlayer

Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern <api.random_name.com>. Below area few of the hundreds of domains used by Shlayer.

Domains

    • api.interfacecache[.]com
    • api.scalableunit[.]com
    • api.typicalconfig[.]com
    • api.standartanalog[.]com
    • api.fieldenumerator[.]com
    • api.practicalsprint[.]com
    • api.searchwebsvc[.]com
    • api.connectedtask[.]com
    • api.navigationbuffer[.]com
    • api.windowtask[.]com

2. SocGholish

SocGholish is a RAT and a banking trojan that uses fake Flash Updates to drop a NetSupport RAT payload. Recently, SocGholish has been used to drop WastedLocker ransomware, a new ransomware variant.

3. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

4. Agent Tesla

Agent Tesla is a RAT that exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.

5. CryptoWall

CryptoWall is a ransomware commonly distributed through malspam with malicious ZIP attachments, Java Vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

6. Emotet

Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network.

Domains

  • 3ilogics[.]net
  • Carewanderlust[.]com
  • da-industrial[.]com
  • providedigital[.]com
  • ravi-tools[.]com
  • techiweek[.]com
  • transfersuvan[.]com
  • Executables
  • Etlxn1aff.exe
  • PortableDeviceSyncProvider.exe
  • Qigikm9u0.exe
  • spwinsat.exe
  • Xbuqklfzo.exe

SHA256 Hashes

  • 4e0b4745791983c83562f9aa62c2d5a9d1391ae981f62850457c8c7e5db42066
  • 5e2a6d3d08d6b7be5e18f9b6911b8a70e157812d3c0f09ce3f0cfda4ee24c350
  • a51ee6986ed41f896ee928522394eac24607d51da72580a2d219f3f871a1a2fd
  • ba7e60586692ed460080e69c570e773b06711c68e699f1f49da5bab11780db24
  • cb9fa076c152b43bf6144934c0db90d82803057013a15d526acbec0b6144e979
  • eba3ace46b88aad94a3879c3cb6cf843194ff99b8b32a9c934831f2e48de58aa
  • f7e32e69771b534468c971f63be5630bdbd4ec5feed1e0f91ce534dc51788790

IPs

  • 51.255.40[.]241
  • 85.214.28[.]226
  • 190.53.144[.]120
  • 198.57.203[.]63
  • 201.213.177[.]139
  • 45.230.228[.]26
  • 197.232.36[.]108
  • 181.137.229[.]1
  • 179.5.118[.]12
  • 190.96.15[.]50
  • 195.251.213[.]56
  • 172.91.208[.]86
  • 134.209.36[.]254
  • 181.169.34[.]190
  • 82.80.155[.]43
  • 220.245.198[.]194
  • 162.144.42[.]60
  • 188.219.31[.]12
  • 62.30.7[.]67
  • 162.241.242[.]173
  • 167.99.105[.]11
  • 71.72.196[.]159
  • 50.91.114[.]38
  • 104.156.59[.]7
  • 24.43.32[.]186
  • 38.111.46[.]46

7. ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of it’s codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

Domains

  • Opaopa[.]info

IPs

  • 8.208.90[.]18

8. Blaknight

Blaknight, also known as HawkEye, is an Infostealer known for its keylogging capabilities for credential and banking theft.

Domains

  • Bot[.]whatismyipaddress[.]com

IPs

  • 66.171.248[.]178

9. CoinMiner

CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.

SHA256 Hashes

  • a9e785de50216ab7987be7403d1bfcf4d7661ebcfdb8c27eb1525c919398ff7d

10. CoinMiner

Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.

Domains

  • Oneyearnovel[.]com

IPs

  • 167.99.20[.]6
  • 134.209.138[.]1
  • 167.172.120[.]137
  • 104.131.85[.]182
  • 159.89.253[.]159