Heimdal™ Threat Hunting Journal: January E.O.M Edition

Heimdal™ Security’s threat hunting journal continues to bring you the latest in threat detection and malware prevalence. Just in case you’ve missed it, last month’s uncrowned malware king was the trojan with over 28,000 positive detections, spread across six strains. Be sure to check out last month’s threat hunting edition for more info about your favourite malware strain and/or variant. Without further ado, here are the ‘goodies’ which came across our way in January.

Top Malware(s) Detection: 1^st of January – 31^st of January

As expected, king trojans still clutches to its ‘well-earned’ title – 10 strains, totaling a whopping 13,751 positive detections. Last month’s probing saw an increase in malware exploiting Java-side vulnerabilities (257,465 hits for JS/Redir.G13). Interestingly enough, the infamous JS/Redir.G13 has yet to bob up this month, instead of warming the seat for TR/Patched.Ren.Gen4, is a trojan notorious for its infectious and destructive capabilities.

Compared to the previous months (see the previous edition), the number of positive detections associated with Patched.Ren.Gen4 has gone down (19,181 during November – January 1^st probing vs. 11,111 during January 1^st – January 31^st probing), but it did manage to claw its way up to the top of our hitlist. As far as distribution is concerned, we have a couple of new contenders (e.g. PUA/InstallCore.Gen – 443 positive detections, EXP/PyShellCode.A – 174 positive detections, WORM/Conficker.AK – 149 positive detections, etc.) as well as several old ‘acquaintances’ (e.g. TR/Dropper.Gen – 284 positive detections, W32/Floxif.hdc – 452 positive detections, and ACAD/Bursted.AN with 741 positive hits).

For the purpose – or sake! – of concision, we’ll only be covering the newly-detection malware. The complete list of IDed threats can be found below. Enjoy!

Top Malware(s) Detailed

1. EXP/CVE-2006-3649

A buffer overflow defect present in apps, OS, and Microsoft products running obsolete VBS SDK versions allows the attacker to run arbitrary code on the victim’s machine.

2. TR/Dropper.MSIL.Gen

A software for cryptocurrency management (i.e. wallet) with trojan-like capabilities. Its purpose is to silently install a backdoor on the victim’s machine – usually the Backdoor.Fynloski.C. This backdoor’s purpose is to turn off UAC notifications and invalidate the EnableLUA function under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Policies\ System.

3. PUA/InstallCore.Gen

A PUA-class (i.e., Potentially Unwanted Application) malware whose purpose is to write itself in the Windows Temp file and silently connect to malicious websites to download malware binaries and other files.

4. TR/AutoIt.CI.14

A trojan affecting Windows-running endpoints, capable of rewriting svchost.exe and all registries associated with Shell, DisableRegistryTools, AtTaaskMaxHour, and Msn Messenger.

5. SPR/KeyFind.A

PUP (Potentially Unwanted Program) is used to potentially install backdoors, connect to malicious URLs to download additional malicious components or perform spyware-type functions.

6. W32/Ramnit.C

A W32/Runmni.C variant. Please see the previous article for additional information on this trojan.

7. TR/Downloader.Gen

A trojan download or similar. The threat may have self-installation capabilities (ie., downloads silently in the background and waits for a reboot to establish connection to Command & Control server).

8. TR/AD.Macoute.bbi

Similar to AD.Macoute.edpwe – a trojanized worm capable of eavesdropping, process spawning, and Win registry modification.

9. ADWARE/JsPopunder.G

An adware-type threat that leverages specially crafted JavaScript packages that display additional pop-ups under legitimate ads.

10. EXP/PyShellCode.A

A shellcode-type threat that allows the threat actor to execute malicious code on the victim’s machine. It can also be used to install backdoors, spyware, or unpack ransomware components.

11. WORM/Conficker.AK

Conficker worm variant. Uses network sharing, Windows AutoPlay, and unpatched vulnerabilities to propagate. The Conficker worm is preponderantly used by threat actors for DoS, data leaking, and ops disruption.

12. W32/Virut.Gen

A polymorphic virus from the Virut family. Its capabilities include advanced obfuscation (EPO), memory lodging, and file infection for persistence and self-replication purposes.

13. W32/Renamer.A

A virus with worm-like capabilities. Renamer.A’s forte is renaming legitimate Windows files, hiding them in other folders, and taking the place of said legitimate files.

14. X97M/Agent.7450476

Also known as Mailcab. A, X97M is a macro virus designed to infect and spread through .xls documents. It also displays worm-like features – by taping into Outlook’s database, it can send itself to other email addresses.

15. TR/Patched.Gen

A variant of TR/Patched.Ren.Gen. Please see the previous article for additional information.

16. DR/FakePic.Gen

Dropper-type malware designed to unpack malware or components onto the victim’s machine.

17. ADWARE/BrowseFox.Gen4

The fourth generation of the BrowseFox adware, a PUP designed to display potentially malicious ads and popups on the victim’s machine.

18. TR/Patched.Ren.Gen7

A trojan from the Patched.Ren. family capable of auto-execution on reboot, system disruption, and/or destruction. It can also ramp up resource consumption, alter system files, download adware/spyware or install backdoors.

Additional Cybersecurity Advice & Parting Thoughts

This about wraps it up with our threat hunting journal. As I’ve said in the intro, this month was a smorgasbord of malware – some old, some new, one more dangerous than the next. Before we conclude, Heimdal would like to share with you some cybersecurity tips on how to keep your assets and endpoints safe from malware. Enjoy and don’t forget to subscribe!

1. Disable macros. Newer versions of Microsoft Excel or Word have macros disabled by default. However, if you’re running an older version, please ensure that the auto-run macro feature is disabled. To do that, click on File, select Option, and then Trust Center. Look for the Macros Setting tab under Trust Center Settings and click on “Disable all Macros”.
2. Keep tabs on resource consumption. It would be a good idea to always keep an eye on your machine’s resource consumption rate. Using Task Manager’s performance gauge is okay, but there are far better tools out there – Rainmeter, FreeMeter, Process Explorer, TinyResMeter. Give them a try.
3. Update your AV. Don’t dismiss those AV update prompts as soon as they hit your screen. They could very well be a difference between a squeaky-clean PC and a non-responsive brick. Deploy those updates as soon as they become available. Don’t forget that AV should do more than wipe viruses. Heimdal’s Next-Gen Endpoint Antivirus can detect and break brute-force attempts, lock your USB ports, remote wipe/lock your machine, and terminate any type of malicious encryption attempt when used together with Ransomware Encryption Protection.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.