Top 10 Malware September 2022
In September 2022, the Top 10 Malware line-up stayed relatively consistent compared to the previous month. Most malware changed their rankings in the list, and new malware took the last three spots.
This month, Arechclient2, RedLine, and Ursnif returned to the Top 10 malware.
- Arechclient2 is a .NET RAT with numerous capabilities, such as profiling victim systems, stealing information, and launching a hidden secondary desktop to control browser sessions.
- RedLine is an infostealer that is available for purchase on cybercriminal forums. The malware typically targets information such as credentials, cookies, banking information, and cryptocurrency wallet information. Furthermore, RedLine has remote functionality that enables it to download malicious tools or drop additional malware.
- Ursnif is a banking trojan that is spread through malspam. Ursnif can obfuscate itself against anti-malware software, and it collects victim information from login pages and web forms.
The Top 10 Malware variants comprise 71% of the total malware activity in September 2022, increasing 24% from August 2022.
Malware Infection Vectors
The Multi-State Information Sharing and Analysis Center (MS-ISAC) tracks potential primary infection vectors for our Top 10 Malware each month based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. The MS-ISAC has not had any malware in the Top 10 use the initial infection vector Network in the past year. Some malware employ different vectors in different contexts and are thus tracked as Multiple.
In September 2022, Multiple was the top initial infection vector as SocGholish activity decreased. Activity levels for Malspam and Multiple increased, while activity for Dropped and Malvertisement decreased. Multiple will likely remain the primary infection vector in the coming months as other malware add initial infection methods to widen their campaigns, unless the current SocGholish campaign picks up again. Because the Multiple category can include several vectors, it tends to rise and fall at unpredictable rates, which makes trend analysis challenging. It will likely continue to make up a significant portion of initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently accounts for a portion of the Top 10 Malware, both on its own and within the Multiple category, as it is one of the oldest and most reliable primary initial infection vectors used by cyber threat actors.
Multiple – Malware that currently favors at least two vectors. Currently, Arechclient2, CoinMiner, LingyunNet, RedLine, TeamSpy, and ZeuS are the malware utilizing multiple vectors.
Malspam – Unsolicited emails either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, NanoCore, and Ursnif.
Malvertisement – Malware introduced through malicious advertisements. Currently, SocGholish is the only Top 10 Malware using this technique.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants.
Note: The below IOCs are listed for the purpose of threat hunting and may not be inherently malicious. Additionally, the associated URIs are aligned with each malware's respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.
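The note above gives a hunting rule that is easy to get wrong in a SIEM: a URI string matches far too often on its own, so it should only raise confidence when it appears with its paired domain or IP. The following is an added example (not from the report) that applies that rule to a few constructed proxy log lines; the indicator values and log lines are invented placeholders, not IOCs from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator set in the shape the report uses: a domain or IP and
# the URIs seen with it. None of these values are real IOCs from the report.
IOC_DOMAINS = {"cdn-update.example", "203.0.113.10"}
IOC_URIS = {"/dl/update.php", "/gate.php"}

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2022-09-14T08:01:03Z 10.0.0.21 GET http://cdn-update.example/dl/update.php 200
2022-09-14T08:02:11Z 10.0.0.22 GET http://www.example.org/gate.php 404
2022-09-14T08:03:45Z 10.0.0.23 GET http://203.0.113.10/favicon.ico 200
2022-09-14T08:04:02Z 10.0.0.24 GET https://intranet.example.net/home 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def score_url(url):
    """Return (host, path, verdict) following the report's rule:
    domain and URI together is high confidence, domain alone medium,
    URI alone only low (the URI by itself is not inherently malicious)."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    host_hit = host in IOC_DOMAINS
    uri_hit = path in IOC_URIS
    if host_hit and uri_hit:
        verdict = "high"
    elif host_hit:
        verdict = "medium"
    elif uri_hit:
        verdict = "low"
    else:
        verdict = None
    return host, path, verdict

def hunt(log_text):
    """Return a list of (client, host, path, verdict) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        _, client, _, url, _ = m.groups()
        host, path, verdict = score_url(url)
        if verdict:
            hits.append((client, host, path, verdict))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("%s -> %s%s [%s]" % hit)
```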
2. CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. Additionally, it typically uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, due to multiple variants of this malware, capabilities may vary. CoinMiner spreads through malspam or is dropped by other malware.
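Persistence through WMI standard event consumers, as described for CoinMiner above, leaves three linked objects in the root\subscription namespace: an __EventFilter (the trigger query), an __EventConsumer (what runs) and a __FilterToConsumerBinding tying them together. The example below is added here and is not from the report: it triages a constructed export of those objects, in the field layout Get-CimInstance -Namespace root/subscription ... | ConvertTo-Json produces, and flags every binding whose consumer is a script or command-line consumer, ignoring the SCM Event Log binding that Windows ships by default.

```python
# Constructed root\subscription export (not from a real host). Property names
# follow the WMI classes; the UpdaterFilter/UpdaterConsumer pair is invented.
SAMPLE_EXPORT = {
    "filters": [
        {"Name": "SCM Event Log Filter",
         "Query": "select * from MSFT_SCMEventLogEvent"},
        {"Name": "UpdaterFilter",
         "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 "
                  "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    ],
    "consumers": [
        {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
        {"__CLASS": "ActiveScriptEventConsumer", "Name": "UpdaterConsumer",
         "ScriptingEngine": "JScript",
         "ScriptText": "<constructed script body>"},
    ],
    "bindings": [
        {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
         "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
        {"Filter": '__EventFilter.Name="UpdaterFilter"',
         "Consumer": 'ActiveScriptEventConsumer.Name="UpdaterConsumer"'},
    ],
}

# Consumer classes that execute code; the other standard consumers only log,
# write files or send mail.
SCRIPT_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
# Binding present on a default Windows install; anything else gets reviewed.
KNOWN_GOOD = {("SCM Event Log Filter", "SCM Event Log Consumer")}

def ref_name(ref):
    """Pull the Name out of a WMI object path such as CLASS.Name="X"."""
    return ref.split('Name="', 1)[1].rstrip('"')

def triage(export):
    """Return (filter, consumer, class, query, payload) for each binding whose
    consumer runs code, so an analyst can judge the trigger and the payload."""
    filters = {f["Name"]: f for f in export["filters"]}
    consumers = {c["Name"]: c for c in export["consumers"]}
    findings = []
    for b in export["bindings"]:
        f_name, c_name = ref_name(b["Filter"]), ref_name(b["Consumer"])
        if (f_name, c_name) in KNOWN_GOOD:
            continue
        c = consumers.get(c_name, {})
        if c.get("__CLASS") in SCRIPT_CONSUMERS:
            payload = c.get("ScriptText") or c.get("CommandLineTemplate") or ""
            findings.append((f_name, c_name, c["__CLASS"],
                             filters.get(f_name, {}).get("Query", ""), payload))
    return findings
```

A real export has separate queries for __EventFilter, the consumer classes and __FilterToConsumerBinding; they can be merged into the three keys used here before calling triage().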
3. ZeuS
ZeuS is a modular banking trojan that uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
4. NanoCore
NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
5. Agent Tesla
Agent Tesla is a RAT that can exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.
- Initial Infection File
- First Stage DLL module
- Final Agent Tesla Payload
6. TeamSpy
TeamSpy is spyware that has been known to use a popular remote access tool, TeamViewer, and malware to steal information from victims.
These are domains created by a domain generation algorithm (DGA).
7. LingyunNet
LingyunNet is riskware that utilizes the victim's system resources.
8. Ursnif
Ursnif, also known as Gozi or Dreambot, is a banking trojan that is spread through malspam with a Microsoft Office document attached or a ZIP file containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif's web injection attacks include TLS callbacks in order to obfuscate against anti-malware software.
9. Arechclient2
Arechclient2, aka SectopRAT, is a .NET RAT with numerous capabilities including multiple stealth functions. Arechclient2 can profile victim systems, steal information such as browser and crypto-wallet data, and launch a hidden secondary desktop to control browser sessions. Additionally, it has several anti-VM and anti-emulator capabilities.
10. RedLine
RedLine is an infostealer that is available for purchase on cybercriminal forums. Because it can be purchased, there are multiple malware campaigns, infection vectors, targets, and abilities (based on the version being used). The malware typically targets information that can be easily monetized, such as credentials, cookies, banking information, and cryptocurrency wallet information. Additionally, the malware gathers information about the infected system, such as web browsers, FTP clients, instant messengers, VPN services, and gaming clients. Furthermore, RedLine has remote functionality that enables it to download further malicious tools or drop additional malware.