Top 10 Malware December 2022
Note: The Top 10 Malware blog is moving from monthly to quarterly in 2023. This shift aims to improve the granularity and quality of the report. All indicators are still available in near real-time via the ISAC’s Indicator Sharing Program.
By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
Published January 20, 2023
- NanoCore is a remote access trojan (RAT) spread via malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.
- Snugy is a PowerShell-based backdoor that obtains the system’s hostname and runs other commands. The backdoor communicates through a DNS tunneling channel on the compromised server.
- Tinba (aka Tiny Banker) is a banking trojan that's known for its small file size. Tinba uses web injection to collect victim information from login pages and web forms. It is primarily disseminated via exploit kits.
- SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables cyber threat actors (CTAs) to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
The Top 10 Malware variants comprised 54% of the total malware activity in December 2022, staying consistent with the previous month.
Malware Infection Vectors
The MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC did not observe any malware in the Top 10 use the initial infection vector Network in the past year. Some malware use different vectors in different contexts and are tracked as Multiple.
In December 2022, Dropped was the top initial infection vector due to SessionManager2 and Gh0st activity. Activity levels for Dropped and Malspam increased, while the activity level for Multiple decreased. It is likely that Dropped will remain the primary infection vector in the coming months if SessionManager2 activity continues. Once SessionManager2 activity decreases, Multiple will become the top initial infection vector as the trend of having more than one initial infection vector continues. Malware authors continue to add additional initial infection methods to increase the span of their campaign and the likelihood of success. The most popular ways of using Multiple initial infection vector is the combination of Malspam and Dropped. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the oldest and most reliable initial infection vectors used by CTAs.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a CTAs. Gh0st and SessionManager2 are the only two malware in the Top 10 that are dropped.
Multiple – Malware that currently favors at least two vectors, such as Malspam and Dropped. Currently, CoinMiner, LingyunNet, Snugy, and ZeuS are the Top 10 Malware utilizing multiple vectors.
Malspam – Unsolicited emails either direct users to malicious websites or trick users into downloading/opening malware. The Top 10 Malware using this technique include Agent Tesla, NanoCore, Tinba, and Ursnif.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.
SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables CTAs to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that allows an attacker to fully control the infected device.
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may actually be other malware using parts of the original ZeuS code.
5. Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as Malware-as-a-Service (MaaS). It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
Initial Infection File
Final Agent Tesla Payload
NanoCore is a RAT spread via malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that spreads through malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif’s web injection attacks include TLS callbacks in order to obfuscate against anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell which provides a reverse shell for connection to remote IP addresses. This allows a CTA to execute system commands via command line, enabling them to perform further reconnaissance as well as more effective lateral movement. Lastly, Ursnif has the ability to drop additional malware, such as ransomware.
LingyunNet is riskware that utilizes the victim’s system resources, which can slow down the computer or cause errors and potentially lead to further infections. Riskware is a program or application that potentially poses a risk due to its ability to exploit and cause damage to a system.
Snugy is a PowerShell-based backdoor that obtains the system’s hostname and runs other commands. This backdoor communicates through a DNS tunneling channel on the compromised server.
Tinba (aka Tiny Banker) is a banking trojan that's known for its small file size. Tinba uses web injections to collect victim information from login pages and web forms and is primarily disseminated via exploit kits.
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure ISAC (EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With a combined x years of experience in all types of industries, the CTI team pushes out Indicators of Compromise through its real-time threat indicator feeds. This information helps SLTTs automate defensive actions, correlate events, conduct analysis, and make better, faster, more impactful decisions. You can learn more about these feeds here.