Top 10 Malware Q1 2023
By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
Published April 27, 2023
In Q1 2023, the quarterly Top 10 Malware remained consistent with the previous quarter, with the majority of malware switching spots. SessionManager2 took the number one spot in Q1, comprising 55% of the Top 10 Malware incidents that the MS-ISAC detected. Additionally, Agent Tesla, CoinMiner, Gh0st, NanoCore, and SessionManager2 activity increased, while Ursnif and ZeuS activity decreased. Furthermore, we saw Laplas, Netshta, and ViperSoftX make their first appearance in the quarterly Top 10 Malware.
- Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
- Netshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once the system is infected, it collects system information and exfiltarates data via its C2. Neshta spreads by phishing emails, removeable media, and other malware.
- ViperSoftX is a multi-stage cryptocurrency stealer that spreads within torrents and filesharing sites. Typically, it's distributed as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims
- SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables cyber threat actors (CTAs) to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
In Q1, malware increased 20% compared to Q4 2022, while the Top 10 Malware increased 79%. The Top 10 Malware variants comprised 67% of the total malware activity in Q1 2023, increasing 10% compared to the previous quarter.
Malware Infection Vectors
The MS-ISAC tracks potential initial infection vectors for our Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.
In Q1 2023, the top initial infection vector was Dropped due to an increase in SessionManager2 activity. Activity levels for Dropped and Malspam increased, while activity levels for Multiple decreased. Although Dropped is the top initial infection vector, it is likely that Multiple will replace Dropped as the top initial infection vector in Q2 2023 as other malware add initial infection methods to increase the span of their campaigns and the likelihood of success. Dropped may remain the primary infection vector in the coming months so long as SessionManager2 continues its campaign and holds its place at the top of the quarterly Top 10 malware. The most popular combination for the Multiple initial infection vector is Malspam and Dropped. This category will likely continue to comprise a significant portion of the initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the most reliable primary initial infection vectors.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st and SessionManager2 are the only Top 10 malware currently using this technique.
Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla, NanoCore, and Ursnif are currently using this technique.
Multiple – Malware that currently favors at least two vectors, such as Dropped or Malspam. Currently, CoinMiner, Laplas, Neshta, ViperSoftX, and ZeuS are malware utilizing multiple vectors.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.
SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables CTAs to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through Malspam or is dropped by other malware.
3. Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as Malware-as-a-Service (MaaS) offerings. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
Initial Infection File
Final Agent Tesla Payload
NanoCore is a RAT spread via Malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that enables an attacker to fully control the infected device.
ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may actually be other malware using parts of the original ZeuS code.
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that spreads through Malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif’s web injection attacks include TLS callbacks in order to obfuscate against anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell that provides a reverse shell for connection to remote IP addresses. This allows a CTA to execute system commands via command line, enabling them to perform further reconnaissance as well as more effective lateral movement. Lastly, Ursnif has the ability to drop additional malware, such as ransomware.
Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
ViperSoftX is a multi-stage cryptocurrency stealer that spreads within torrents and filesharing sites. Typically, it's distributed as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims
Netshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once the system is infected, it collects system information and exfiltarates data via its C2. Neshta spreads by phishing emails, removeable media, and other malware.
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.