
Top 10 Malware Q1 2023

By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center

Published April 27, 2023


In Q1 2023, the quarterly Top 10 Malware remained consistent with the previous quarter, with the majority of malware switching spots. SessionManager2 took the number one spot in Q1, comprising 55% of the Top 10 Malware incidents that the MS-ISAC detected. Additionally, Agent Tesla, CoinMiner, Gh0st, NanoCore, and SessionManager2 activity increased, while Ursnif and ZeuS activity decreased. Furthermore, we saw Laplas, Neshta, and ViperSoftX make their first appearance in the quarterly Top 10 Malware.

Top 10 Malware TLP: White

  • Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
  • Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once the system is infected, it collects system information and exfiltrates data via its C2. Neshta spreads by phishing emails, removable media, and other malware.
  • ViperSoftX is a multi-stage cryptocurrency stealer that spreads within torrents and filesharing sites. Typically, it’s distributed as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.
  • SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables cyber threat actors (CTAs) to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.

MS-ISAC Malware Notifications TLP WHITE

In Q1, malware increased 20% compared to Q4 2022, while the Top 10 Malware increased 79%. The Top 10 Malware variants comprised 67% of the total malware activity in Q1 2023, increasing 10% compared to the previous quarter.

Malware Infection Vectors

The MS-ISAC tracks potential initial infection vectors for our Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.

In Q1 2023, the top initial infection vector was Dropped due to an increase in SessionManager2 activity. Activity levels for Dropped and Malspam increased, while activity levels for Multiple decreased. Although Dropped is the top initial infection vector, it is likely that Multiple will replace Dropped as the top initial infection vector in Q2 2023 as other malware add initial infection methods to increase the span of their campaigns and the likelihood of success. Dropped may remain the primary infection vector in the coming months so long as SessionManager2 continues its campaign and holds its place at the top of the quarterly Top 10 malware. The most popular combination for the Multiple initial infection vector is Malspam and Dropped. This category will likely continue to comprise a significant portion of the initial infection vectors as malware becomes more sophisticated and employs multiple methods to infect systems. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the most reliable primary initial infection vectors.

Top 10 Malware - Initial Infection Vectors TLP WHITE

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st and SessionManager2 are the only Top 10 malware currently using this technique.

Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla, NanoCore, and Ursnif are currently using this technique.

Multiple – Malware that currently favors at least two vectors, such as Dropped or Malspam. Currently, CoinMiner, Laplas, Neshta, ViperSoftX, and ZeuS are malware utilizing multiple vectors.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. The IOCs below can be used for threat hunting but may not be inherently malicious for blocking purposes.
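The following is an added example, not MS-ISAC code, of using the report's defanged indicators for hunting rather than blocking: it refangs the `[.]` notation, matches only on indicator boundaries so look-alike strings do not hit, and returns leads for analyst review. The three indicators are copied from this page; the log lines, their field names, and the `PAGE_IOCS` grouping are constructed for illustration.

```python
import ipaddress
import re

# Indicators copied from this page, still in defanged form.
PAGE_IOCS = {
    "Laplas": ["Clipper[.]guru"],
    "CoinMiner": ["199[.]247[.]27[.]41", "90db8de2457032f78c81c440e25bc753"],
}
# Constructed sample log lines (not real telemetry; field names are assumptions).
SAMPLE_LOGS = [
    "2023-03-02T10:14:07Z dns host=ws-17 query=api.clipper.guru type=A",
    "2023-03-02T10:15:40Z dns host=ws-22 query=notclipper.guru.example.org type=A",
    "2023-03-02T11:02:13Z fw host=srv-03 dst=199.247.27.41 dport=3333 action=allow",
    "2023-03-02T11:05:02Z app host=srv-03 agent_build=3.199.247.27.41 status=ok",
    "2023-03-02T12:30:55Z edr host=ws-09 md5=90DB8DE2457032F78C81C440E25BC753",
]

def refang(value):
    """Undo the report's [.] defanging and normalise case."""
    return value.replace("[.]", ".").strip().lower()

def classify(value):
    """Return 'ip', 'md5', 'sha256' or 'domain' for a refanged indicator."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        hashes = {32: "md5", 64: "sha256"}
        is_hex = re.fullmatch(r"[0-9a-f]+", value)
        return hashes.get(len(value), "domain") if is_hex else "domain"

def compile_ioc(value):
    """Build a case-insensitive pattern that only matches on indicator boundaries."""
    kind, body = classify(value), re.escape(value)
    if kind == "domain":
        body = r"(?:[a-z0-9-]+\.)*" + body  # the domain or any of its subdomains
    # Reject hits embedded in a longer token, e.g. notclipper.guru.example.org.
    return kind, re.compile(r"(?<![\w.-])" + body + r"(?![\w-]|\.\w)", re.I)

def hunt(iocs, log_lines):
    """Return leads for analyst review as (family, kind, indicator, line_no)."""
    compiled = [(fam, v, *compile_ioc(v))
                for fam, raw in iocs.items() for v in map(refang, raw)]
    return [(fam, kind, v, n)
            for n, line in enumerate(log_lines, 1)
            for fam, v, kind, pat in compiled if pat.search(line)]

if __name__ == "__main__":
    print(*hunt(PAGE_IOCS, SAMPLE_LOGS), sep="\n")
```

Each returned tuple is a lead to triage against host and network context, in line with the report's caveat that a match alone is not grounds for blocking.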

1. SessionManager2

SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables CTAs to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.


2. CoinMiner

CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer scripting to execute scripts for persistence. However, the malware’s capabilities may vary since there are multiple variants. CoinMiner spreads through Malspam or is dropped by other malware.

MD5 Hashes

90db8de2457032f78c81c440e25bc753

IPs

199[.]247[.]27[.]41

3. Agent Tesla

Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as a Malware-as-a-Service (MaaS) offering. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.


4. NanoCore

NanoCore is a RAT spread via Malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.


5. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that enables an attacker to fully control the infected device.

MD5 Hashes

77bd9926a4b41c14259e20c1f90e22aa

6. ZeuS

ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may actually be other malware using parts of the original ZeuS code.

Domains

cylt01cloudsim01[.]safebreach[.]net


7. Ursnif

Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that spreads through Malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Additionally, Ursnif’s web injection attacks include TLS callbacks in order to obfuscate against anti-malware software. Furthermore, Ursnif’s newest variant has a built-in command shell that provides a reverse shell for connection to remote IP addresses. This allows a CTA to execute system commands via command line, enabling them to perform further reconnaissance as well as more effective lateral movement. Lastly, Ursnif has the ability to drop additional malware, such as ransomware.


8. Laplas

Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.

Domains

Clipper[.]guru


9. ViperSoftX

ViperSoftX is a multi-stage cryptocurrency stealer that spreads within torrents and filesharing sites. Typically, it’s distributed as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.


10. Neshta

Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once the system is infected, it collects system information and exfiltrates data via its C2. Neshta spreads by phishing emails, removable media, and other malware.


About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.
