By: The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center
Published April 27, 2023
In Q1 2023, the quarterly Top 10 Malware remained largely consistent with the previous quarter, with most entries only switching positions. SessionManager2 took the number one spot in Q1, comprising 55% of the Top 10 Malware incidents that the MS-ISAC detected. Additionally, Agent Tesla, CoinMiner, Gh0st, NanoCore, and SessionManager2 activity increased, while Ursnif and ZeuS activity decreased. Furthermore, Laplas, Neshta, and ViperSoftX made their first appearance in the quarterly Top 10 Malware.
- Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
- Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once a system is infected, it collects system information and exfiltrates data via its C2. Neshta spreads through phishing emails, removable media, and other malware.
- ViperSoftX is a multi-stage cryptocurrency stealer that spreads within torrents and file-sharing sites. Typically, it is distributed as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.
- SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables cyber threat actors (CTAs) to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
In Q1, malware increased 20% compared to Q4 2022, while the Top 10 Malware increased 79%. The Top 10 Malware variants comprised 67% of the total malware activity in Q1 2023, increasing 10% compared to the previous quarter.
Malware Infection Vectors
The MS-ISAC tracks potential initial infection vectors for our Top 10 Malware each quarter based on open-source reporting, as depicted in the graph below. We currently track four initial infection vectors: Dropped, Malvertisement, Malspam, and Network. Some malware use different vectors in different contexts and are tracked as Multiple.
In Q1 2023, the top initial infection vector was Dropped, driven by the increase in SessionManager2 activity. Activity levels for Dropped and Malspam increased, while activity levels for Multiple decreased. Although Dropped is the top initial infection vector, Multiple will likely replace it in Q2 2023 as other malware add initial infection methods to widen their campaigns and raise their likelihood of success; Dropped will stay on top only as long as SessionManager2's campaign keeps it at the head of the quarterly Top 10 Malware. The most common combination within the Multiple vector is Malspam and Dropped, and this category will likely continue to make up a significant share of initial infection vectors as malware grows more sophisticated and employs several methods to infect systems. Malspam consistently represents a portion of the Top 10 Malware, as it is one of the most reliable primary initial infection vectors.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st and SessionManager2 are the only Top 10 malware currently using this technique.
Malspam – Unsolicited emails, which either direct users to malicious websites or trick users into downloading or opening malware. Agent Tesla, NanoCore, and Ursnif are currently using this technique.
Multiple – Malware that currently favors at least two vectors, such as Dropped or Malspam. Currently, CoinMiner, Laplas, Neshta, ViperSoftX, and ZeuS are malware utilizing multiple vectors.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these malware variants. These IOCs can be used for threat hunting, but not all of them are inherently malicious, so review them before using them for blocking.
1. SessionManager2
SessionManager2 is a malicious Internet Information Services (IIS) module or backdoor that enables CTAs to maintain persistent, update-resistant, and relatively stealthy access to a victim’s infrastructure.
MD5 Hashes
5FFC31841EB3B77F41F0ACE61BECD8FD
84B20E95D52F38BB4F6C998719660C35
4EE3FB2ABA3B82171E6409E253BDDDB5
2410D0D7C20597D9B65F237F9C4CE6C9
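Because SessionManager2 is loaded like any other native IIS module, one practical hunt is to review the `<globalModules>` section of `%windir%\System32\inetsrv\config\applicationHost.config` (the same list `appcmd.exe list modules` prints) and flag modules whose DLL sits outside the stock inetsrv directory or whose hash matches a known sample. The script below is an added example, not MS-ISAC or IIS tooling: the config fragment, the module names HttpSessionModule and LegacyStreamModule, and the digests in CONSTRUCTED_MD5 are constructed for the demonstration; the four MD5 values are the ones listed above.

```python
"""Hunt for native IIS modules that look out of place in applicationHost.config.

Added example, not MS-ISAC or IIS tooling. A native IIS module is registered as an
<add name="..." image="..."/> entry under <system.webServer><globalModules>. This
script lists those entries, expands %windir%, and flags a module when its DLL lives
outside the stock inetsrv directory or when its MD5 matches a SessionManager2 hash.
"""
import hashlib
import ntpath
import re
import xml.etree.ElementTree as ET

# SessionManager2 MD5s copied from the list above, lowercased for comparison.
SESSIONMANAGER2_MD5 = {
    "5ffc31841eb3b77f41f0ace61becd8fd",
    "84b20e95d52f38bb4f6c998719660c35",
    "4ee3fb2aba3b82171e6409e253bdddb5",
    "2410d0d7c20597d9b65f237f9c4ce6c9",
}

# Directory that ships with IIS; stock native modules live here.
STOCK_MODULE_DIR = r"c:\windows\system32\inetsrv"


def expand_windir(path: str, windir: str = r"C:\Windows") -> str:
    """Resolve the %windir% variable IIS uses in module image paths."""
    return re.sub(r"%windir%", lambda _: windir, path, flags=re.IGNORECASE)


def file_md5(path: str):
    """MD5 of a file on disk, or None if it cannot be read (used on a real host)."""
    try:
        with open(path, "rb") as fh:
            return hashlib.md5(fh.read()).hexdigest()
    except OSError:
        return None


def find_suspicious_modules(config_xml: str, hash_lookup=file_md5, windir: str = r"C:\Windows"):
    """Return [(module name, resolved image path, [reasons])] for entries worth review."""
    root = ET.fromstring(config_xml)
    section = root.find("system.webServer/globalModules")
    findings = []
    for add in ([] if section is None else section.findall("add")):
        name = add.get("name", "")
        image = expand_windir(add.get("image", ""), windir)
        reasons = []
        # Heuristic 1: the DLL is not in the directory IIS ships its modules in.
        if not ntpath.normpath(image).lower().startswith(STOCK_MODULE_DIR + "\\"):
            reasons.append("image outside inetsrv")
        # Heuristic 2: the DLL hashes to a known SessionManager2 sample.
        digest = hash_lookup(image)
        if digest and digest.lower() in SESSIONMANAGER2_MD5:
            reasons.append("MD5 matches SessionManager2 IOC")
        if reasons:
            findings.append((name, image, reasons))
    return findings


# Constructed applicationHost.config fragment: the first two entries are stock IIS
# modules; the last two are hypothetical and stand in for a planted module.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpSessionModule" image="%windir%\System32\inetsrv\sessionmgr.dll" />
      <add name="LegacyStreamModule" image="C:\inetpub\temp\stream.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed digests standing in for file_md5() so the demo runs without IIS.
CONSTRUCTED_MD5 = {
    r"C:\Windows\System32\inetsrv\sessionmgr.dll": "84b20e95d52f38bb4f6c998719660c35",
    r"C:\inetpub\temp\stream.dll": "5ffc31841eb3b77f41f0ace61becd8fd",
}


def demo():
    """Run the hunt over the constructed config with the constructed hashes."""
    return find_suspicious_modules(SAMPLE_CONFIG, hash_lookup=CONSTRUCTED_MD5.get)


if __name__ == "__main__":
    for name, image, reasons in demo():
        print(f"{name}: {image} -> {', '.join(reasons)}")
```

On a real host, read applicationHost.config and call `find_suspicious_modules` with the default `file_md5`. The demo deliberately includes a module inside inetsrv whose hash matches: the path heuristic alone misses a DLL planted next to the stock ones, and the hash check only catches samples already on the list, so an unknown module in either location should be followed up with a signature check (`Get-AuthenticodeSignature` on the image) and a look at who added the entry.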
2. CoinMiner
CoinMiner is a cryptocurrency miner family that typically uses Windows Management Instrumentation (WMI) to spread across a network. Additionally, it often uses the WMI Standard Event Consumer (ActiveScriptEventConsumer) to execute scripts for persistence. However, the malware's capabilities may vary since there are multiple variants. CoinMiner spreads through Malspam or is dropped by other malware.
MD5 Hashes
90db8de2457032f78c81c440e25bc753
IPs
199[.]247[.]27[.]41
3. Agent Tesla
Agent Tesla is a RAT that targets Windows operating systems. It is available for purchase on criminal forums as a Malware-as-a-Service (MaaS) offering. It has various capabilities depending on the version purchased, including capturing keystrokes and screenshots, harvesting saved credentials from web browsers, copying clipboard data, exfiltrating victim files, and loading other malware onto the host.
Domains
mail[.]euroinkchemical[.]ro
mail[.]nobilenergysolar[.]com
SHA256 Hashes
Initial Infection File
7f7323ef90321761d5d058a3da7f2fb622823993a221a8653a170fe8735f6a45
XLL Droppers
fbc94ba5952a58e9dfa6b74fc59c21d830ed4e021d47559040926b8b96a937d0
7a6f8590d4be989faccb34cd393e713fd80fa17e92d7613f33061d647d0e6d12
Final Agent Tesla Payload
12a978875dc90e03cbb76d024222abfdc8296ed675fca2e17ca6447ce7bf0080
5d555eddfc23183dd821432fd2a4a04a543c8c1907b636440eb6e7d21829576c
4. NanoCore
NanoCore is a RAT spread via Malspam with an attachment, such as a malicious Excel XLS spreadsheet. NanoCore accepts commands to download and execute files, visit websites, and add registry keys for persistence.
Domains
nanoboss[.]duckdns[.]org
justinalwhitedd554[.]duckdns[.]org
shahzad73[.]casacam[.]net
shahzad73[.]ddns[.]net
power22[.]myftp[.]org
SHA256 Hashes
c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7
5. Gh0st
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor that enables an attacker to fully control the infected device.
MD5 Hashes
77bd9926a4b41c14259e20c1f90e22aa
6. ZeuS
ZeuS is a modular banking trojan that uses keystroke logging to compromise credentials when a victim visits certain banking websites. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that incidents classified as ZeuS may actually be other malware using parts of the original ZeuS code.
Domains
cylt01cloudsim01[.]safebreach[.]net
MD5 Hashes
2db9ee63581f0297d8ca118850685602
416cfb5badf096eef29731ee3bcba7ce
ae6cdc2be9207880528e784fc54501ed
8ad4fb848a323b62036ea463fcf58993
7. Ursnif
Ursnif, also known as Gozi or Dreambot, is a banking trojan and downloader that spreads through Malspam emails with Microsoft Office document attachments or ZIP files containing an HTA file. Ursnif collects victim information from cookies, login pages, and web forms. Its web injection code also uses TLS (thread local storage) callbacks to obfuscate itself against anti-malware software. Furthermore, Ursnif's newest variant has a built-in command shell that provides a reverse shell to remote IP addresses, letting a CTA execute system commands from the command line for further reconnaissance and more effective lateral movement. Lastly, Ursnif can drop additional malware, such as ransomware.
Domains
Gameindikdowd[.]ru
Iujdhsndjfks[.]ru
Jhgfdlkjhaoiu[.]su
reggy506[.]ru
renewbleenergey[.]ru
uelcoskdi[.]ru
IPs
185[.]189[.]151[.]38
185[.]189[.]151[.]61
194[.]58[.]102[.]187
194[.]76[.]224[.]95
194[.]76[.]227[.]159
31[.]214[.]157[.]31
45[.]11[.]182[.]30
79[.]132[.]128[.]228
91[.]241[.]93[.]111
94[.]198[.]54[.]97
8. Laplas
Laplas is a clipper malware that spreads via other malware. Currently, the downloader SmokeLoader is spreading Laplas via phishing emails that contain malicious documents.
Domains
clipper[.]guru
IPs
185[.]223[.]93[.]251
188[.]34[.]207[.]137
45[.]159[.]189[.]105
79[.]137[.]199[.]252
9. ViperSoftX
ViperSoftX is a multi-stage cryptocurrency stealer that spreads within torrents and file-sharing sites. Typically, it is distributed as a malicious crack for popular software. The malware has siphoned off hundreds of thousands of dollars in cryptocurrency from its victims.
Domains
apzgt[.]com
apzlkg[.]com
argxztbe[.]com
arrowlchat[.]com
arykd[.]com
awoeru[.]com
bmyfz[.]com
byzvp[.]com
bzepuq[.]com
cdlxgun[.]com
chatgigi2[.]com
cikuwqhrg[.]com
coeuzxk[.]com
craje[.]com
dtoabvxl[.]com
dxwoi[.]com
eafxp[.]com
efsidlop[.]com
elipjo[.]com
eoishgc[.]com
eovykq[.]com
fbtcidr[.]com
ficrolun[.]com
fitbh[.]com
fjvezin[.]com
fvzgab[.]com
fyuncsv[.]com
gcvhixt[.]com
hjizca[.]com
hmtsiqcf[.]com
huict[.]com
iqsxetmug[.]com
iqwcrpyn[.]com
ironz[.]com
iudobjg[.]com
iwaqzhtxj[.]com
jesucwp[.]com
jfgqwxt[.]com
jfumw[.]com
jmzqrhdi[.]com
juobngtm[.]com
jvxbn[.]com
jwxvktr[.]com
jxkfr[.]com
kqidl[.]com
kzvure[.]com
lchtne[.]com
leqxyw[.]com
ljusxki[.]com
lmfho[.]com
lpohvzyd[.]com
lurpk[.]com
mpcnliydb[.]com
msjwl[.]com
njtgwcha[.]com
nlkxzgm[.]com
nmvprzdhf[.]com
nqzpcudae[.]com
ocluhxgpy[.]com
ofxdyqc[.]com
ohkfzawnj[.]com
ondxgiz[.]com
pfxqh[.]com
pstyx[.]com
pzguloqb[.]com
qogrzu[.]com
rcbxmzu[.]com
rimfugvz[.]com
rjcfoabns[.]com
segin[.]com
sgtuxbhz[.]com
sitdrjouq[.]com
suclfpbnw[.]com
tlnikcyqd[.]com
tvrcuohz[.]com
tzsxbynvr[.]com
ugxqj[.]com
umnfw[.]com
uwfmz[.]com
vewga[.]com
vqjumd[.]com
wopsyqi[.]com
xcakdisve[.]com
xsdmcy[.]com
xvfnhw[.]com
yjghwcxel[.]com
ysawrbi[.]com
zcdkjqwgn[.]com
zeiyusv[.]com
zjyhc[.]com
zqiwma[.]com
zrhcnxva[.]com
10. Neshta
Neshta is a file infector and information stealer that targets executable files, network shares, and removable storage devices. Once a system is infected, it collects system information and exfiltrates data via its C2. Neshta spreads through phishing emails, removable media, and other malware.
SHA256 Hashes
29fd307edb4cfa4400a586d38116a90ce91233a3fc277de1cab7890e681c409a
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
539452719c057f59238e123c80a0a10a0b577c4d8af7a5447903955e6cf7aa3d
a4d0865565180988c3d9dbf5ce35b7c17bac6458ef234cfed82b4664116851f2
46200c11811058e6d1173a2279213d0b7ccde611590e427b3b28c0f684192d00
c965f9503353ecd6971466d32c1ad2083a5475ce64aadc0b99ac13e2d2c31b75
About the Author: The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.
Post Disclaimer
The information provided in our posts or blogs are for educational and informative purposes only. We do not guarantee the accuracy, completeness or suitability of the information. We do not provide financial or investment advice. Readers should always seek professional advice before making any financial or investment decisions based on the information provided in our content. We will not be held responsible for any losses, damages or consequences that may arise from relying on the information provided in our content.