Top 10 Malware November 2022

In November 2022, the Top 10 Malware list remained consistent with October’s Top 10 Malware except for three malware additions. Specifically, LingyunNet and SocGholish returned to the Top 10 Malware this month, while Amadey made its first appearance.

• SocGholish is a downloader written in JavaScript that relies on malicious or compromised websites for distribution. It uses fake updates such as Flash Updates or browser updates.
• SocGholish has been known to use Cobalt Strike and steal information. Additionally, it can lead to further malware infections, such as Azorult, Dridex, NetSupport RAT, and sometimes ransomware.
• LingyunNet is riskware that utilizes the victim's system resources.
• Amadey is a botnet sold on criminal forums, and it has multiple capabilities. While it is primarily an information stealer, it can also download additional malware.

The Top 10 Malware variants comprised 54% of the total malware activity in November 2022, decreasing 16% from October 2022.

 

Malware Infection Vectors

The MS-ISAC tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC did not observe any malware in the Top 10 use the initial infection vector Network in the past year. Some malware use different vectors in different contexts and are tracked as Multiple.

In November 2022, Multiple was the top initial infection vector. Activity levels for all initial infection vectors decreased except for Malvertisement, which increased due to SocGholish activity. It is likely that Multiple will remain the primary infection vector in the coming months as the trend of having more than one initial infection vector continues. Malware authors continue to add initial infection methods to increase the span of their campaign and the likelihood of success. The most popular ways of using Multiple initial infection vector is the combination of Malspam and Dropped. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the oldest and most reliable initial infection vectors used by cyber threat actors (CTAs).

 

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a CTA. Gh0st and SessionManager2 are the only two malware in the Top 10 that are dropped.

Multiple – Malware that currently favors at least two vectors, such as Malspam and Dropped. Currently, Amadey, Arechclient2, CoinMiner, LingyunNet, and ZeuS are the Top 10 Malware utilizing multiple vectors.

Malspam – Unsolicited emails either direct users to malicious websites or trick users into downloading or opening malware. The Top 10 Malware using this technique include Agent Tesla and Ursnif.

Malvertisement – Malware introduced through malicious advertisements. Currently, SocGholish is the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.

1. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through malspam or is dropped by other malware.

MD5 Hashes

90db8de2457032f78c81c440e25bc753
d985ca16ee4e04ce765e966f1c68348f
f2184f47be242eda117037600760c3d7
4fd9592b8bf4db6569607243997cb365

2. SessionManager2

SessionManager2 is a malicious IIS module or backdoor that enables CTAs to maintain persistent, update-resistant, and relatively stealthy access to infrastructure of a targeted entity.

MD5 Hashes

5FFC31841EB3B77F41F0ACE61BECD8FD
84B20E95D52F38BB4F6C998719660C35
4EE3FB2ABA3B82171E6409E253BDDDB5
2410D0D7C20597D9B65F237F9C4CE6C9

3. Agent Telsa

Agent Tesla is a remote access trojan (RAT) that targets Windows operating systems. It is available for purchase on criminal forums as Malware as a Service (MaaS). It has various capabilities depending on the version purchased, including the ability to capture keystrokes and screenshots, harvest saved credentials from web browsers, copy clipboard data, exfiltrate victim files, and load other malware onto the host.

Domains

mail[.]euroinkchemical[.]ro
mail[.]nobilenergysolar[.]com

SHA256 Hashes

Initial Infection File
7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45

First Stage dll module
c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

XLL Droppers
fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12

Final Agent Tesla Payload
ab5444f001b8f9e06ebf12bc8fdc200ee5f4185ee52666d69f7d996317ea38f3
f3ebbcbcaa7a173a3b7d90f035885d759f94803fef8f98484a33f5ecc431beb6
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
3a4fc42fdb5a73034c00e4d709dad5641ca8ec64c0684fa5ce5138551dd3f47a
5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
9d713d2254e529286ed3ac471e134169d2c7279b0eaf82eb9923cd46954d5d27

4. Ursnif

Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that is spread through malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif’s web injection attacks include TLS callbacks in order to obfuscate against anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell that provides a reverse shell for connection to remote IP addresses. A CTA then has the ability to execute system commands via command line, allowing them to perform further reconnaissance as well as more effective lateral movement. Lastly, Ursnif has the ability to drop additional malware, such as ransomware.

Domains

Ijduwhsbvk[.]com
Iujdhsndjfks[.]com
Iujdhsndjfks[.]ru
Jhgfdlkjhaoiu[.]su
Siwdmfkshsgw[.]com
Wdeiqeqwns[.]com
Weiqeqwens[.]com
Weiqeqwns[.]com
Weiqewqwns[.]com

IPs

185[.]240[.]103[.]83
185[.]158[.]249[.]54
188[.]127[.]224[.]114
37[.]140[.]197[.]44
45[.]8[.]158[.]104

5. ZeuS

ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as "ZeuS" may actually be other malware using parts of the original ZeuS code.

MD5 Hashes

2db9ee63581f0297d8ca118850685602
306cbc3c0d2b83e57a68dec63a37f22f
416cfb5badf096eef29731ee3bcba7ce
5e5e46145409fb4a5c8a004217eef836
ae6cdc2be9207880528e784fc54501ed
d93ca01a4515732a6a54df0a391c93e3

6. Arechclient2

Arechclient2, aka SectopRAT, is a NET RAT with numerous capabilities including multiple defense evasion functions. Arechclient2 can profile victim systems, steal information such as browser and cryptocurrency wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.

MD5 Hashes

30912073152a47e66b9d9c053cd56077
4ccba79d95dfd7d87b43643058e1cdd0
9eb50c6cdb59d11b01ca9f069e8ba79d
fb4635e8ad7716789e76d759373ab95a

7. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that allows an attacker to fully control the infected device.

MD5 Hashes

9af77f89a565143983fa008bbd8eedee
a2469f4913f1607e4207ba0a8768491c
a88e0e5a2c8fd31161b5e4a31e1307a0

8. Amadey

Amadey is a botnet sold on criminal forums that has multiple capabilities. The botnet’s primarily used to steal information from targets and download additional malware, such as FlawedAmmyy RAT and LockBit 3.0 ransomware.

Domains

Hellomr[.]observer
Pleasetake[.]pictures
Researchersgokick[.]rocks
Unepeureyore[.]xyz

IPs

77[.]73[.]133[.]72
77[.]73[.]134[.]66
79[.]137[.]197[.]181

9. LingyunNet

LingyunNet is riskware that utilizes the victim’s system resources, which can slow down the computer or cause errors and potentially lead to further infections. Riskware is a program/application that potentially poses a risk due to its ability to exploit and cause damage to a system.

Domains

ampc[.]na[.]lb[.]holadns[.]com
ampc[.]na[.]lb[.]martianinc[.]co
Na[.]lb[.]willmam[.]com
zcky[.]na[.]lb[.]holadns[.]com
zcky[.]na[.]lb[.]martianinc[.]co
10[.]17ce[.]holadns[.]com
10[.]17ce[.]martianinc[.]co

10. SocGholish

SocGholish is a downloader written in JavaScript and is distributed through malicious or compromised websites. It uses fake updates, such as Flash Updates or browser updates, to trick users into downloading the malware. SocGholish is known to use Cobalt Strike and steal information. Additionally, SocGholish can lead to further malware infections, such as Azorult, Dridex, NetSupport RAT, and sometimes ransomware.

Domains

irsbusinessaudit[.]net
irsgetwell[.]net
common[.]dotviolationsremoval[.]com
d2j09jsarr75l2[.]cloudfront[.]net
mafia[.]carverdesigngroup[.]com
cruize[.]updogtechnologies[.]com
record[.]usautosaleslv[.]com
hunter[.]libertylawaz[.]com
requests[.]pleaseactivate[.]me
zoom[.]themyr2bpodcast[.]com
accounts[.]mynewtopboyfriend[.]store
restructuring[.]breatheinnew[.]life
activation[.]thepowerofhiswhisper[.]com
sonic[.]myr2b[.]me
baget[.]godmessaged[.]me
predator[.]foxscalesjewelry[.]com
amplifier[.]myjesusloves[.]me
episode[.]foxscales[.]com
active[.]aasm[.]pro
tickets[.]kairosadvantage[.]com
templates[.]victoryoverdieting[.]com
casting[.]faeryfox[.]com
wallpapers[.]uniquechoice-co1[.]com
basket[.]stylingtomorrow[.]com
vacation[.]thebrightgift1[.]com
wallpapers[.]uniquechoice-co[.]com
vacation[.]thebrightgift[.]com
cigars[.]pawscolours[.]com
premium[.]i5417[.]com
rituals[.]fashionediter[.]com
expense[.]brick-house[.]net
loans[.]mistakenumberone[.]com
soendorg[.]top
prompt[.]zonashoppers[.]academy
hair[.]2topost[.]com
clean[.]godmessagedme[.]com
secretary[.]rentamimi[.]com
custom[.]usmuchmedia[.]com

About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure ISAC (EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With a combined x years of experience in all types of industries, the CTI team pushes out Indicators of Compromise through its real-time threat indicator feeds. This information helps SLTTs automate defensive actions, correlate events, conduct analysis, and make better, faster, more impactful decisions. You can learn more about these feeds here.