Top 10 Malware October 2020

In October 2020, the MS-ISAC observed two malware (Bolek and NanoCore) return to the Top 10, as well as two new variants (DirectsX and Glupteba) enter the Top 10. The Top 10 Malware variants composed 78% of Total Malware activity in October 2020, down from 87% in September 2020. This decrease is largely due to the recent Shlayer campaign slowing down. Shlayer is highly likely to continue its prevalence in the Top 10 Malware for the coming months.

Figure: October 2020 Malware Notifications

Figure: October 2020 Top 10 Malware

In October 2020, malvertisement accounted for the greatest number of alerts. Malvertisement continues to increase and to hold the position of top initial infection vector because of Shlayer. Shlayer returned to the Top 10 Malware after new evidence resulted in its reclassification from an Adware Dropper to a Trojan Downloader. Activity levels for all vectors, except dropped and malvertisement, increased. Although Shlayer activity has decreased by more than half, it is likely that malvertisement will remain the primary infection vector as the Shlayer campaign pans out.

Figure: October 2020 Initial Infection Vectors

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently Gh0st is the only malware being dropped.

Multiple – Malware that currently favors at least two vectors. CryptoWall and ZeuS are the only malware currently utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, Blaknight, Bolek, DirectsX, Glupteba, and NanoCore.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective Indicators of Compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants.

1. Shlayer

Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern. Below are a few of the hundreds of domains used by Shlayer.


2. Agent Tesla

Agent Tesla is a RAT that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected computer.

3. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

4. ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

Domains

  • Opaopa[.]info

IPs

  • 8.208.90[.]18

5. DirectsX

DirectsX is a rootkit executed in kernel mode to perform its malicious activities. DirectsX can execute code, download additional malware, and steal data from the infected machine.

6. Nanocore

Nanocore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

7. CryptoWall

CryptoWall is a ransomware commonly distributed through malspam with malicious ZIP attachments, Java vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

8. Glupteba

Glupteba is a modular backdoor trojan that acts as a proxy server and acquires data and commands from a remote computer on the internet. It has a number of modules, including a rootkit, an antivirus checker/disabler, a spreader, router attacker, browser stealer, and cryptojacker. Additionally, it can make an infected host a part of a botnet.

9. Blaknight

Blaknight, also known as HawkEye, is an Infostealer known for its keylogging capabilities for credential and banking theft. The below IOCs are associated with Blaknight as well as other malware for reconnaissance purposes; however, they can also be used legitimately.

Domains

  • Bot[.]whatismyipaddress[.]com

IPs

  • 66.171.248[.]178

10. Bolek

Bolek, aka Kbot, is a banking trojan known for its ability to quickly propagate throughout a network, such as via USB and network shares. Bolek has multiple modules that are used to steal banking and personal information, credentials, and to exfiltrate files from systems.
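One way to put the IOCs listed above to work, as an added example that is not part of the MS-ISAC report: refang the defanged ZeuS and Blaknight domains and IPs exactly as printed on this page and match them against resolver log lines. The log format (timestamp, source IP, queried name, answer IP) and the sample lines are constructed for the example; the Blaknight entries are tagged low confidence because the page notes they are also used legitimately.

```python
import ipaddress
import re

# Defanged IOCs exactly as printed in the Top 10 list above (ZeuS and Blaknight). The page
# notes the Blaknight entries are also used legitimately, so they carry "low" confidence.
PAGE_IOCS = [  # (defanged value, family, confidence)
    ("Opaopa[.]info", "ZeuS", "high"),
    ("8.208.90[.]18", "ZeuS", "high"),
    ("Bot[.]whatismyipaddress[.]com", "Blaknight", "low"),
    ("66.171.248[.]178", "Blaknight", "low"),
]

def refang(value: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp) back into its real, lower-cased form."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def build_iocs(entries):
    """Split refanged indicators into a domain map and an IP map."""
    domains, ips = {}, {}
    for raw, family, conf in entries:
        v = refang(raw)
        try:
            ips[str(ipaddress.ip_address(v))] = (family, conf)
        except ValueError:  # not an IP address, so treat it as a domain
            domains[v] = (family, conf)
    return domains, ips

DOMAINS, IPS = build_iocs(PAGE_IOCS)
# Hypothetical (constructed) resolver log format: <ts> <src_ip> <qname> <answer_ip>
LINE_RE = re.compile(r"^\S+\s+\S+\s+(?P<qname>\S+)\s+(?P<ans>\S+)$")

def match_line(line: str):
    """Return (family, confidence, indicator) if the line touches a page IOC, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    qname = m.group("qname").lower().rstrip(".")
    for dom, (family, conf) in DOMAINS.items():  # exact match or any subdomain
        if qname == dom or qname.endswith("." + dom):
            return (family, conf, dom)
    ans = m.group("ans")
    return IPS[ans] + (ans,) if ans in IPS else None

# Constructed sample lines (not from the page): benign lookup, ZeuS domain, Blaknight domain,
# and a benign-looking name whose answer is the ZeuS IP.
SAMPLE_LOG = [
    "2020-10-05T10:00:01Z 10.0.0.7 www.example.com 93.184.216.34",
    "2020-10-05T10:00:02Z 10.0.0.7 OPAOPA.INFO 8.208.90.18",
    "2020-10-05T10:00:03Z 10.0.0.9 bot.whatismyipaddress.com 66.171.248.178",
    "2020-10-05T10:00:04Z 10.0.0.9 cdn.example.org 8.208.90.18",
]
```

Matching on the answer IP as well as the queried name catches the case where a new domain resolves to an already-listed address, which is the fourth sample line.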