Top 10 Malware Q2 2023
By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
Published August 14, 2023
In Q2 2023, the malware on the Top 10 list remained consistent with the previous quarter, with most strains simply switching spots. CoinMiner took the number one spot in Q2, comprising 24% of Top 10 Malware incidents detected by the MS-ISAC during that time. NanoCore, ZeuS, and ViperSoftX activity increased, while Agent Tesla and Gh0st activity decreased. Additionally, although Laplas is in the same spot at eighth place, its activity increased by 2%.
Lastly, the MS-ISAC observed Ratenjay, DarkVision, and Amadey make their first appearance on the quarterly Top 10 Malware list.
- Ratenjay is a Remote Access Trojan (RAT) dropped by other malware or downloaded as a file onto a victim’s system. It executes commands remotely and includes keylogging capabilities.
- DarkVision is a remote access toolkit sold on the dark web. It is written in C++ and targets native Windows clients. Once installed on a victim’s computer, DarkVision creates a backdoor for persistence and enables a cyber threat actor (CTA) to remotely control the system. This toolkit comes with modular plugins that are similar to add-ons. Some examples of DarkVision's add-on capabilities include keylogging, screen/microphone/webcam captures, password recovery, and reverse proxy. DarkVision is dropped by malware such as SmokeLoader.
- Amadey is a multi-functional botnet sold on criminal forums. The botnet primarily steals information from targets and downloads additional malware, such as FlawedAmmyy RAT and LockBit 3.0 ransomware.
In Q2, overall malware activity decreased by 40% compared to Q1 2023, and Top 10 Malware activity decreased 65%. Furthermore, the Top 10 Malware variants comprised 39% of the total malware activity in Q2 2023, decreasing 28% compared to the previous quarter.
Malware Infection Vectors
The MS-ISAC tracks potential initial infection vectors for our Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. CTAs delivering malware also use different vectors in different contexts, and those instances are tracked as Multiple.
The CIS Community Defense Model (CDM) v2.0 can help you defend against 77% of MITRE ATT&CK (sub-)techniques associated with malware – regardless of the infection vector they use. Learn more in the video below.
In Q2 2023, the top initial infection vector changed from Dropped to Multiple due to a decrease in SessionManager2 activity, which largely drove the spike in Q1 2023 Dropped numbers. Activity levels for all three categories (Dropped, Malspam, and Multiple) decreased. The most popular combination for the Multiple initial infection vector was Malspam and Dropped. This category will likely continue to comprise a significant portion of the initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the most reliable primary initial infection vectors.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. DarkVision, Gh0st, and Ratenjay are the only Top 10 Malware currently using this technique.
Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla and NanoCore are currently using this technique.
Multiple – Malware that currently uses at least two vectors, such as Dropped or Malspam. Currently, Amadey, CoinMiner, Laplas, ZeuS, and ViperSoftX are malware utilizing multiple vectors.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The below IOCs can be used for threat hunting but may not be inherently malicious for blocking purposes.
1. CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through Malspam or is dropped by other malware.
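Because the persistence described above relies on permanent WMI event subscriptions, a practical hunt is to enumerate what is registered in root\subscription and review every binding that is not part of the host's baseline. The PowerShell below is an added example, not code from the MS-ISAC report; it assumes an elevated Windows PowerShell session on the host being examined, and the single baseline entry it whitelists is the stock SCM Event Log binding present on a default Windows install.

```powershell
# Added example (not part of the MS-ISAC report): list permanent WMI event
# subscriptions, the persistence mechanism described for CoinMiner above.
# Assumes an elevated Windows PowerShell session on the host being examined.
$ns = 'root\subscription'

$filters  = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
# The two consumer classes that execute supplied content: inline VBScript/JScript
# (ActiveScriptEventConsumer) or an arbitrary command line (CommandLineEventConsumer).
$consumers = @(
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
)

# A stock Windows install normally carries one benign binding
# ('SCM Event Log Filter' -> 'SCM Event Log Consumer'); anything else deserves review.
$baseline = @('SCM Event Log Consumer')

$findings = foreach ($b in $bindings) {
    # With Get-CimInstance the Filter/Consumer properties are reference objects
    # that expose the key property Name.
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name

    $f = $filters   | Where-Object { $_.Name -eq $filterName }
    $c = $consumers | Where-Object { $_.Name -eq $consumerName }

    # Pull out the content that would run when the filter's WQL event fires.
    $payload = if ($null -eq $c) {
        '<consumer is not a script/command-line class>'
    } elseif ($c.CimClass.CimClassName -eq 'ActiveScriptEventConsumer') {
        $c.ScriptText
    } else {
        $c.CommandLineTemplate
    }

    [pscustomobject]@{
        Consumer     = $consumerName
        ConsumerType = if ($c) { $c.CimClass.CimClassName } else { 'other' }
        Filter       = $filterName
        Query        = $f.Query          # the WQL trigger, e.g. a timer or process-start event
        Payload      = $payload
        InBaseline   = $baseline -contains $consumerName
    }
}

# Print only the subscriptions that are not in the baseline for analyst review.
$findings | Where-Object { -not $_.InBaseline } | Format-List
```

Review the Query and Payload fields together: a timer-driven or process-start trigger paired with a script consumer that launches a miner or downloads further stages is the pattern to escalate, and the same enumeration can be run across a fleet to build a real baseline before blocking anything.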
2. NanoCore
NanoCore is a RAT spread via Malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.
3. ZeuS
ZeuS is a modular banking Trojan that uses keystroke logging to compromise credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may actually be other malware using parts of the original ZeuS code.
4. ViperSoftX
ViperSoftX is a multi-stage cryptocurrency stealer spread within torrents and filesharing sites, typically as a malicious crack for popular software.
5. Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as malware-as-a-service. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
6. Ratenjay
Ratenjay is a Remote Access Trojan (RAT) dropped by other malware or downloaded as a file onto a victim’s system. It executes commands remotely and includes keylogging capabilities.
7. Gh0st
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that allows an attacker to fully control the infected device.
8. Laplas
Laplas is a clipper malware spread by other malware. Currently, Laplas is spread by SmokeLoader, which is delivered via phishing emails containing malicious documents.
9. DarkVision
DarkVision is a remote access toolkit sold on the dark web. It is written in C++ and targets native Windows clients. Once installed on a victim’s computer, it creates a backdoor for persistence and enables a CTA to remotely control the system. This toolkit comes with modular plugins that are similar to add-ons. Some examples of DarkVision's add-on capabilities include keylogging, screen/microphone/webcam captures, password recovery, and reverse proxy. DarkVision is dropped by malware such as SmokeLoader.
10. Amadey
Amadey is a multi-functional botnet sold on criminal forums. The botnet primarily steals information from targets and downloads additional malware, such as FlawedAmmyy RAT and LockBit 3.0 ransomware.
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.