CYBERSECURITY PADAWAN

Marking the end of 2021, Heimdal™ has enacted the very first entry of the Threat-Hunting journal, a blog section dedicated to the latest cybersecurity threats. The article and its findings reflect the shifts in cybercriminal approaches, techniques, ‘repackaging’, and malware. Below, you will find a summary of the data gathered between the 1st of November and the 1st of January by our probes.

Top 20 Malware(s) Detection: November 1st – January 1st, 2022

Malware designation Number of hits (detections)
JS/Redir.G13 257465
ACAD/Bursted.AN 23412
TR/Patched.Ren.Gen4 19181
W32/Chir.B 8563
TR/Dropper.Gen 6171
HTML/Infected.WebPage.Gen2 5170
SPR/ANDR.WAMod.IBCY.Gen 3603
HEUR/APC 1824
ADWARE/Adware.Gen7 1669
HTML/ExpKit.Gen2 1366
W32/Floxif.hdc 1330
TR/Blackhole.C 1105
EXP/CVE-2010-2568.A 956
TR/AD.Macoute.edpwe 895
W32/Run.Ramnit.C 812
TR/Crypt.XPACK.Gen 755
ADWARE/Adware.Gen2 587
VBS/Ramnit.abcd 556
TR/Patched.Ren.Gen 555
JS/Dropper.G4 545

 

During the above-mentioned interval, Heimdal™ has detected various types of malware (from JavaScript exploits to generic/heuristic APCs), but predominantly trojan activity. Six trojan strains have been identified, totaling 28,662 hits (i.e., positive detections). Broken down by the number of detections, the most prevalent detected ‘malware’ was JS/Redir.G1, a ‘trojanized’ JS redirect script, injected in websites and/or webpages with subpar security (i.e., weak authentication mechanisms). Additional details about malware strains, no. of hits, techniques, and impact can be found in the upcoming section.

Top 20  Malware(s) Detailed

1. JS/Redir.G13

JS/Redir.G13 is the 13th generation of the JS/Redir strain, a trojan capable of delivering a crafted JS script to a (vulnerable) webpage or website for the purpose of redirecting the user to a malicious page and/or website. Although it appears to have affected Windows-running endpoints, there are no indications regarding JS/Redir.G13’s inability to affect non-Windows endpoints since the malicious script has in-browser functionality.

Being a trojan, JS/Redir.G13’s task is to infiltrate and deploy the script that redirects to a malicious URL or IP. Upon successful deployment, the script will wait for user interaction to commence malicious deflection of traffic requests. Heimdal™ has detected over 250,000 instances of JS/Redir.G13 in the indicated timeframe.

2. ACAD/Bursted.AN

ACAD/Bursted.AN is an AutoCAD-specific virus capable of self-replication and automatic execution. The major (observable) difference between Bursted and similar viruses is that ACAD/Bursted. can only affect AutoCAD files (.lsp) via AutoLISP scripting. MO-wise, Bursted generally self-installs in AutoCAD’s folder, taking the guise of a typical drawing file.

Once the user loads the drawing file in AutoCAD, effectively executing the malicious package, the virus will migrate to the application’s support file, changing its name to mimic the legitimate support .lsp file. By gaining auto-execution capability, Bursted can infect other AutoCAD drawing files.

3. TR/Patched.Ren.Gen4

TR/Patched.Ren.Gen4 is a trojan with high destructive hardware/software capabilities. Moreover, Patched.Ren.Gen4 can download additional payloads or malicious programs by altering system and OS-specific files.

Typical behavior includes Windows registry compromise, overwriting system files for auto-execution on system startup/reboot and obfuscation purposes, and downloading adware or malicious software. Regarding the trojan’s destructive capabilities, it was observed that the malware tends to accelerate resource consumptions’ rate (i.e. RAM, CPU, GPU, etc.), actions that can cause severe damage to the affected system.

4. W32/Chir.B

W32/Chir.B is a virus with worm-like capabilities. It can infect Windows files, render text files unreadable, and spread to other endpoints via network hopping or by sending itself to email addresses stored in Windows’ address book. Chir.B can spread to other systems by tapping into Windows’ email address repositories or by searching and reading files with the following extensions: .adc, r.db,.doc, .xls.

Concerning behavior, Chir.B has potent obfuscation and persistence mechanisms, allowing the malware to circumvent endpoint-based detection and user interaction. The viral worm’s viral component usually tampers with Window Registry, inputting a dword value for a runonce rule. In essence, the malware begins to spread into the system after a successful reboot. All Windows files bearing the above-mentioned extensions are made unreadable by Chir.B which will replace the first 1234 bytes of each found file with gibberish.

Because Chir.B overwrites Windows Registry entries, it will introduce a new rule to prevent users from terminating the malicious process. Basically, when such an attempt is made, the Chir.B-associated process gets rejuvenated (i.e. restarted).

5. TR/Dropper.Gen

TR/Dropper.Gen is a trojan capable of downloading and installing vulnerable security services or software and enforcing changes upon system files. Dropper.Gen’s primary function is to download and replace critical security components with older versions or versions that have been deprecated due to security or non-security flaws. Dropper.Gen may also enact changes that can potentially lead to abnormal machine behavior (i.e., unwarranted reboots, increased resources consumption, etc.).

6. HTML/Infected.WebPage.Gen2

Second generation HTML-based malware, capable of downloading other malware. Infected.WebPage. Gen2 is usually triggered when a user interacts with an infected HTML webpage. Signs include decreased system performance, unauthorized app installations, and sys file reconfiguration.

7. SPR/ANDR.WAMod.IBCY.Gen

Spyware masquerading as a legitimate WhatsApp modding tool. WAMOD, the tool in question, is an, allegedly, under-the-counter software used to personalize WhatsApp (i.e., change themes, modify fonts, create a new UI, etc.). Upon successful infiltration, ANDR.WAMod.IBCY.Gen will begin to harvest data from the infected device transmitting it to the threat actor across a secure communication channel.

8. HEUR/APC

Generic software or component exhibiting either (overtly) malicious behavior or unexpected outputs.

9. ADWARE/Adware.Gen7

Spyware with pre-loaded adware-type software. Once deployed, the user will receive numerous pop-ups, desktop and in-browser ads.

10. HTML/ExpKit.Gen2

Also known as the Brushaloader, ExpKit.Gen2 is a trojan with remote access capabilities. Brushaloader infects hosts through email phishing (i.e., .rar archives or altered Visual Basic Scripts). Upon successful infiltration, Brushaloader would employ a RAT (Remote Access Tool) to gather various types of data (e.g. accountholder name, passwords, generic account credentials, email addresses, etc.) which would later be exfiltrated to threat a actor-held server via a secure channel.

Brushaloader may also bypass regular security mechanisms to deploy additional malware or adware. Furthermore, a compromised host would have been under the threat actor’s complete control, who could perform various actions on target (e.g., access microphone and camera for recording, fingerprinting, etc.).

11. W32/Floxif.hdc

Floxif.hdc is a virus capable of infecting running or latent applications/processes, as well as DLLs. The virus is usually implanted in the host via forged emails or infected storage media (e.g. thumb drives, memory cards, CDs, DVDs, external HDDs, or SSDs). Infection can only occur when the user interacts with the malicious executable. In some instances, Floxif.hdc took the form of an update file. Typical behavior includes DLL injection or side-loading or additional malware installation (i.e., after bypassing security mechanisms).

12. TR/Blackhole.C

Blackhole.C is the trojan component of the Blackhole exploit kit, one of the first MaaS’ (Malware-as-a-Service). The trojan serves various functions – from payload delivery to downloading other malicious packages and, as a MaaS centerpiece, it can be customized according to the ‘client’s’ requirements

13. EXP/CVE-2010-2568.A

Windows Shell exposure leveraged by threat actors for RCE (Remote Code Execution) purposes. The vulnerability has been associated with WinCC Scada systems manufactured by Siemens and is known to affect said system running Win 7, Server 2008 (SP2 + R2), Win Vista (SP1 + SP2), Win XP SP 3, and Win Server 2003 SP2.

14. TR/AD.Macoute.edpwe

AD.Macoute.edpwe is a trojan with worm-like functionality. Typical behavior includes process spawning, Win Registry modification, subpar system performance, denial-of-service, keystroke sniffing, and system files modification.

15. W32/Run.Ramnit.C

Run.Ramnit.C is a trojan-carried virus that requires another malware drop to be executed. The process is two-folded: the trojan drops the infected DLL, while another malware (possibly a trojan) drops the executable that loads the infected DLL.

16. TR/Crypt.XPACK.Gen

Crypt.XPACK.Gen is a trojan with ransomware-type capabilities. The malware’s purpose is to infect the Master Boot Record (MBR) and to hinder the backup/moving process. If successful, XPACK will force-reboot the system and display a pre-boot ransom message.

17. ADWARE/Adware.Gen2

Second generation adware that, on occasion, exhibits virus-type traits. Adware.Gen2 installs popups, toolbars, displays in-browser or desktop apps, and can be bundled with other malware for additional actions on target.

18. VBS/Ramnit.abcd

Malicious Visual Basic script usually appended to a forged RTF or HTML file whose purpose is to drop another malware (possibly a worm or virus).

19. TR/Patched.Ren.Gen

Same infectious mechanism and MO as TR/Patched.Ren.Gen4 (see above).

20. JS/Dropper.G4

Dropper.G4 is a generic dropper with virus-like capabilities. The dropper can infect hosts via email or tainted storage media and alter core functions. In most cases, Dropper.G4 will kill all tasks and jobs associated with an antivirus engine.

How to Keep Your Endpoints Safe

While prevention’s the best cure available, it’s wise to plan ahead. So, in addition to highlighting the 20 most notorious end of the year malware, here’s a short and sweet list of my favorite cybersecurity advice.

  1. Continuous patching. Apply security and non-security patches as soon as they become available. Patching is the only way to root out vulnerabilities and exposures that may be used for backdooring.
  2. Update AV engine. Ensure that your antivirus solution is up to date. AV’s the best cure for file-based malware.
  3. Access Governance. Privileged Access Management solutions can help you curb malware spreading, keep them out from sensitive system areas.
  4. Email attachments. Don’t open email attachments received from people outside your network. The same goes for links.
  5. Cybersecurity awareness. Conduct regular cybersecurity drills to coach your employees. Focus on emergent malware, infiltration techniques, and update them, if necessary, on change to company policies related to cybersecurity breaches, infections, etc.

Conclusion

To say that the “threatscape has changed” would be a contradiction in terms – it’s always on the move and it’s up to us to keep the pace. As always, stay safe, don’t click on odd-looking links, subscribe, comment, and hit me with your best questions.

Heimdal Official Logo
CyberSecurity & Threat Intelligence Report
A review of the cybersecurity landscape that will shed some light on what happened in 2021 and what 2022 might bring.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Heimdal CyberSecurity & Threat Intelligence Report 2021

Top 7 Cybersecurity Trends for 2022

Advanced Persistent Threat (APT): What It Is and How to Protect against It

APT Groups Are Targeting Fortinet FortiOS Servers, FBI and CISA Warn

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP