Top 10 Malware November 2022
- SocGholish has been known to use Cobalt Strike and steal information. Additionally, it can lead to further malware infections, such as Azorult, Dridex, NetSupport RAT, and sometimes ransomware.
- LingyunNet is riskware that utilizes the victim's system resources.
- Amadey is a botnet sold on criminal forums, and it has multiple capabilities. While it is primarily an information stealer, it can also download additional malware.
The Top 10 Malware variants comprised 54% of the total malware activity in November 2022, decreasing 16% from October 2022.
Malware Infection Vectors
The MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC did not observe any malware in the Top 10 using the Network initial infection vector in the past year. Some malware use different vectors in different contexts and are tracked as Multiple.
In November 2022, Multiple was the top initial infection vector. Activity levels for all initial infection vectors decreased except for Malvertisement, which increased due to SocGholish activity. It is likely that Multiple will remain the primary infection vector in the coming months as the trend of having more than one initial infection vector continues. Malware authors continue to add initial infection methods to increase the reach of their campaigns and the likelihood of success. The most common combination within the Multiple vector is Malspam and Dropped. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the oldest and most reliable initial infection vectors used by cyber threat actors (CTAs).
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a CTA. Gh0st and SessionManager2 are the only two malware in the Top 10 that are dropped.
Multiple – Malware that currently favors at least two vectors, such as Malspam and Dropped. Currently, Amadey, Arechclient2, CoinMiner, LingyunNet, and ZeuS are the Top 10 Malware utilizing multiple vectors.
Malspam – Unsolicited emails either direct users to malicious websites or trick users into downloading or opening malware. The Top 10 Malware using this technique include Agent Tesla and Ursnif.
Malvertisement – Malware introduced through malicious advertisements. Currently, SocGholish is the only Top 10 Malware using this technique.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.
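The WMI persistence described above (an event filter bound to a script or command-line consumer) is visible in Sysmon's WMI-activity events. The following is an added detection example, not code from the MS-ISAC report: it correlates constructed Sysmon event ID 19 (filter), 20 (consumer) and 21 (binding) records by name and surfaces every binding whose consumer can execute code, showing trigger and payload side by side. The sample events, filter and consumer names, and the placeholder payload text are all constructed for illustration.

```python
"""Triage of Sysmon WMI-activity events (IDs 19, 20 and 21) for permanent WMI
event subscriptions whose consumer executes script or command lines.
Added example (not from the MS-ISAC report); the events below are constructed
samples, and the field names follow Sysmon's WmiEvent schema."""
import re
from typing import Dict, List

# Consumer classes that run attacker-supplied code when the bound filter fires.
CODE_EXEC_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

# Constructed sample: one benign subscription Windows ships by default (the
# Service Control Manager event-log writer) and one suspicious subscription
# that launches PowerShell from an ActiveScript consumer.  Names and payload
# text are placeholders, not real indicators.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 19, "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer",
     "Destination": "sid=S-1-5-32-544, CategoryCount=3, Category=0"},
    {"EventID": 21, "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 19, "Name": "UpdaterFilter", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Name": "UpdaterConsumer", "Type": "ActiveScriptEventConsumer",
     "Destination": 'CreateObject("WScript.Shell").Run "powershell.exe -w hidden '
                    '-c <constructed placeholder>", 0'},
    {"EventID": 21, "Consumer": 'ActiveScriptEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
]

_NAME_RE = re.compile(r'Name="([^"]+)"')


def bound_name(ref: str) -> str:
    """Extract the Name key from a WMI object path,
    e.g. __EventFilter.Name="UpdaterFilter" -> UpdaterFilter."""
    m = _NAME_RE.search(ref)
    return m.group(1) if m else ref


def find_code_exec_subscriptions(events: List[Dict]) -> List[Dict]:
    """Return one finding per filter-to-consumer binding (ID 21) whose consumer
    (ID 20) is a script or command-line consumer, joined with the filter's WQL
    query (ID 19) so an analyst sees trigger and payload together."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20}
    findings: List[Dict] = []
    for e in events:
        if e["EventID"] != 21:
            continue
        consumer = consumers.get(bound_name(e["Consumer"]))
        if consumer is None or consumer["Type"] not in CODE_EXEC_CONSUMERS:
            continue
        filter_name = bound_name(e["Filter"])
        flt = filters.get(filter_name)
        findings.append({
            "filter": filter_name,
            "query": flt["Query"] if flt else "<filter event not captured>",
            "consumer": consumer["Name"],
            "consumer_type": consumer["Type"],
            "payload": consumer["Destination"],
        })
    return findings


if __name__ == "__main__":
    for f in find_code_exec_subscriptions(SAMPLE_EVENTS):
        print(f"[!] {f['consumer_type']} '{f['consumer']}' bound to '{f['filter']}'")
        print(f"    trigger: {f['query']}")
        print(f"    payload: {f['payload']}")
```

Sysmon only records subscriptions created while it is running, so this catches new persistence, not subscriptions that predate the sensor; for a baseline of what already exists on a host, enumerate the `__EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding` classes in the `root/subscription` namespace directly and compare against the default Windows entries.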
SessionManager2 is a malicious IIS module or backdoor that enables CTAs to maintain persistent, update-resistant, and relatively stealthy access to infrastructure of a targeted entity.
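A malicious native IIS module has to be registered in `applicationHost.config` to be loaded, which makes that file a useful hunting point. The block below is an added example, not code from the report or from any IIS tooling: it parses a constructed `applicationHost.config` fragment, lists every `<globalModules>` entry whose `image` path lies outside the directories IIS and .NET normally install modules to, and notes whether the module is also enabled in `<modules>`. The trusted-prefix list is an assumption and should be extended with whatever third-party modules are legitimately deployed in your environment.

```python
"""Flag IIS native modules whose binary lives outside the locations IIS and
.NET install to.  Added example (not from the MS-ISAC report or from IIS
tooling); the applicationHost.config fragment is constructed and the
trusted-prefix list is an assumption to tune per environment."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Directory prefixes (unexpanded, as written in applicationHost.config) from
# which IIS normally loads native modules.  Assumption: extend for
# legitimately installed third-party modules.
TRUSTED_IMAGE_PREFIXES: Tuple[str, ...] = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net",
    r"%programfiles%\iis",
)

# Constructed configuration fragment: two stock modules and one native module
# registered from a writable data directory (the placeholder path and name are
# invented for the example).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="ManagedEngine64" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="CacheModule" image="C:\ProgramData\cache\cache.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="CacheModule" />
    </modules>
  </system.webServer>
</configuration>
"""


def _normalise(path: str) -> str:
    """Lower-case and use backslashes so prefix comparison is case-insensitive."""
    return path.strip().lower().replace("/", "\\")


def find_untrusted_global_modules(config_xml: str,
                                  trusted: Tuple[str, ...] = TRUSTED_IMAGE_PREFIXES
                                  ) -> List[Dict[str, object]]:
    """Return every <globalModules><add> whose image path does not start with
    one of the trusted prefixes, with a flag for whether <modules> enables it."""
    root = ET.fromstring(config_xml)
    enabled = {a.get("name") for m in root.iter("modules") for a in m.findall("add")}
    findings: List[Dict[str, object]] = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            norm = _normalise(image)
            if any(norm.startswith(p.lower() + "\\") for p in trusted):
                continue
            findings.append({"name": name, "image": image, "enabled": name in enabled})
    return findings


if __name__ == "__main__":
    for f in find_untrusted_global_modules(SAMPLE_CONFIG):
        state = "enabled" if f["enabled"] else "registered only"
        print(f"[!] {f['name']}: {f['image']} ({state})")
```

On a real server the file is `%windir%\System32\inetsrv\config\applicationHost.config`; paths there may also appear expanded (for example `C:\Windows\System32\inetsrv\...`), so add the expanded forms for your system drive to the trusted list. Any module that survives the allowlist deserves a hash and signature check of the DLL itself.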
3. Agent Tesla
Agent Tesla is a remote access trojan (RAT) that targets Windows operating systems. It is available for purchase on criminal forums as Malware as a Service (MaaS). It has various capabilities depending on the version purchased, including the ability to capture keystrokes and screenshots, harvest saved credentials from web browsers, copy clipboard data, exfiltrate victim files, and load other malware onto the host.
- Initial Infection File
- First Stage DLL module
- Final Agent Tesla Payload
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that is spread through malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif’s web injection attacks use TLS callbacks to evade anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell that provides a reverse shell for connection to remote IP addresses. A CTA then has the ability to execute system commands via the command line, allowing them to perform further reconnaissance as well as more effective lateral movement. Lastly, Ursnif has the ability to drop additional malware, such as ransomware.
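The ZIP-containing-HTA delivery described above is something a mail gateway or triage script can check for before the attachment reaches a user. The block below is an added example, not code from the report: it walks a ZIP attachment, flags members with an HTA extension (the set is extended with sibling Windows script formats as an assumption), recurses into nested archives, and reports encrypted members separately because they cannot be inspected. The attachment is constructed in memory with placeholder content.

```python
"""Inspect an e-mail ZIP attachment for HTA (and other Windows script) members,
recursing into nested archives and flagging encrypted members that cannot be
inspected.  Added example (not from the MS-ISAC report); the archive is
constructed in memory and its contents are placeholders."""
import io
import os
import zipfile
from typing import List

# Extensions Windows executes as script when opened.  The report names HTA;
# the rest are an assumption extending the check to sibling formats.
SCRIPT_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def find_script_members(zip_bytes: bytes, depth: int = 0, max_depth: int = 2) -> List[str]:
    """Return the names of script members found in the archive, prefixing
    members of nested archives with the nested archive's name."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:  # encrypted member: content cannot be examined
                findings.append(f"{name} (encrypted, not inspected)")
                continue
            # Windows ignores trailing dots and spaces, so strip them before
            # taking the extension; double extensions resolve to the last one.
            ext = os.path.splitext(name.rstrip(" ."))[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append(name)
            elif ext == ".zip" and depth < max_depth:
                try:
                    inner = find_script_members(zf.read(info), depth + 1, max_depth)
                except zipfile.BadZipFile:
                    findings.append(f"{name} (named .zip but not a valid archive)")
                    continue
                findings.extend(f"{name}::{m}" for m in inner)
    return findings


def build_sample_attachment() -> bytes:
    """Constructed attachment: a benign text file, a top-level HTA, and a
    nested archive holding an HTA disguised with a double extension."""
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w") as inner:
        inner.writestr("doc.pdf.hta", "<html><!-- constructed placeholder --></html>")
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr("notes.txt", "plain text")
        outer.writestr("Invoice_4471.hta", "<html><!-- constructed placeholder --></html>")
        outer.writestr("attachments.zip", inner_buf.getvalue())
    return outer_buf.getvalue()


if __name__ == "__main__":
    for hit in find_script_members(build_sample_attachment()):
        print(f"[!] script member: {hit}")
```

The recursion depth is capped so a deliberately deep archive cannot exhaust the scanner, and encrypted members are reported rather than silently skipped, since a password-protected ZIP is itself a reason to hold the message for review.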
ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as "ZeuS" may actually be other malware using parts of the original ZeuS code.
Arechclient2, aka SectopRAT, is a .NET RAT with numerous capabilities including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and cryptocurrency wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that allows an attacker to fully control the infected device.
Amadey is a botnet sold on criminal forums that has multiple capabilities. The botnet is primarily used to steal information from targets and download additional malware, such as FlawedAmmyy RAT and LockBit 3.0 ransomware.
LingyunNet is riskware that utilizes the victim’s system resources, which can slow down the computer or cause errors and potentially lead to further infections. Riskware is a program/application that potentially poses a risk due to its ability to exploit and cause damage to a system.
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure ISAC (EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With a combined x years of experience in all types of industries, the CTI team pushes out Indicators of Compromise through its real-time threat indicator feeds. This information helps SLTTs automate defensive actions, correlate events, conduct analysis, and make better, faster, more impactful decisions. You can learn more about these feeds here.