Heimdal™ Security Threat-Hunting Journal: End of the Year Wrap-up in Malware

Marking the end of 2021, Heimdal™ has enacted the very first entry of the Threat-Hunting journal, a blog section dedicated to the latest cybersecurity threats. The article and its findings reflect the shifts in cybercriminal approaches, techniques, ‘repackaging’, and malware. Below, you will find a summary of the data gathered between the 1^st of November and the 1^st of January by our probes.

Top 20 Malware(s) Detection: November 1^st – January 1^st, 2022

During the above-mentioned interval, Heimdal™ has detected various types of malware (from JavaScript exploits to generic/heuristic APCs), but predominantly trojan activity. Six trojan strains have been identified, totaling 28,662 hits (i.e., positive detections). Broken down by the number of detections, the most prevalent detected ‘malware’ was JS/Redir.G1, a ‘trojanized’ JS redirect script, injected in websites and/or webpages with subpar security (i.e., weak authentication mechanisms). Additional details about malware strains, no. of hits, techniques, and impact can be found in the upcoming section.

Top 20  Malware(s) Detailed

1. JS/Redir.G13

JS/Redir.G13 is the 13^th generation of the JS/Redir strain, a trojan capable of delivering a crafted JS script to a (vulnerable) webpage or website for the purpose of redirecting the user to a malicious page and/or website. Although it appears to have affected Windows-running endpoints, there are no indications regarding JS/Redir.G13’s inability to affect non-Windows endpoints since the malicious script has in-browser functionality.

Being a trojan, JS/Redir.G13’s task is to infiltrate and deploy the script that redirects to a malicious URL or IP. Upon successful deployment, the script will wait for user interaction to commence malicious deflection of traffic requests. Heimdal™ has detected over 250,000 instances of JS/Redir.G13 in the indicated timeframe.

2. ACAD/Bursted.AN

ACAD/Bursted.AN is an AutoCAD-specific virus capable of self-replication and automatic execution. The major (observable) difference between Bursted and similar viruses is that ACAD/Bursted. can only affect AutoCAD files (.lsp) via AutoLISP scripting. MO-wise, Bursted generally self-installs in AutoCAD’s folder, taking the guise of a typical drawing file.

Once the user loads the drawing file in AutoCAD, effectively executing the malicious package, the virus will migrate to the application’s support file, changing its name to mimic the legitimate support .lsp file. By gaining auto-execution capability, Bursted can infect other AutoCAD drawing files.

3. TR/Patched.Ren.Gen4

TR/Patched.Ren.Gen4 is a trojan with high destructive hardware/software capabilities. Moreover, Patched.Ren.Gen4 can download additional payloads or malicious programs by altering system and OS-specific files.

Typical behavior includes Windows registry compromise, overwriting system files for auto-execution on system startup/reboot and obfuscation purposes, and downloading adware or malicious software. Regarding the trojan’s destructive capabilities, it was observed that the malware tends to accelerate resource consumptions’ rate (i.e. RAM, CPU, GPU, etc.), actions that can cause severe damage to the affected system.

4. W32/Chir.B

W32/Chir.B is a virus with worm-like capabilities. It can infect Windows files, render text files unreadable, and spread to other endpoints via network hopping or by sending itself to email addresses stored in Windows’ address book. Chir.B can spread to other systems by tapping into Windows’ email address repositories or by searching and reading files with the following extensions: .adc, r.db,.doc, .xls.

Concerning behavior, Chir.B has potent obfuscation and persistence mechanisms, allowing the malware to circumvent endpoint-based detection and user interaction. The viral worm’s viral component usually tampers with Window Registry, inputting a dword value for a runonce rule. In essence, the malware begins to spread into the system after a successful reboot. All Windows files bearing the above-mentioned extensions are made unreadable by Chir.B which will replace the first 1234 bytes of each found file with gibberish.

Because Chir.B overwrites Windows Registry entries, it will introduce a new rule to prevent users from terminating the malicious process. Basically, when such an attempt is made, the Chir.B-associated process gets rejuvenated (i.e. restarted).

5. TR/Dropper.Gen

TR/Dropper.Gen is a trojan capable of downloading and installing vulnerable security services or software and enforcing changes upon system files. Dropper.Gen’s primary function is to download and replace critical security components with older versions or versions that have been deprecated due to security or non-security flaws. Dropper.Gen may also enact changes that can potentially lead to abnormal machine behavior (i.e., unwarranted reboots, increased resources consumption, etc.).

6. HTML/Infected.WebPage.Gen2

Second generation HTML-based malware, capable of downloading other malware. Infected.WebPage. Gen2 is usually triggered when a user interacts with an infected HTML webpage. Signs include decreased system performance, unauthorized app installations, and sys file reconfiguration.

7. SPR/ANDR.WAMod.IBCY.Gen

Spyware masquerading as a legitimate WhatsApp modding tool. WAMOD, the tool in question, is an, allegedly, under-the-counter software used to personalize WhatsApp (i.e., change themes, modify fonts, create a new UI, etc.). Upon successful infiltration, ANDR.WAMod.IBCY.Gen will begin to harvest data from the infected device transmitting it to the threat actor across a secure communication channel.

8. HEUR/APC

Generic software or component exhibiting either (overtly) malicious behavior or unexpected outputs.

9. ADWARE/Adware.Gen7

Spyware with pre-loaded adware-type software. Once deployed, the user will receive numerous pop-ups, desktop and in-browser ads.

10. HTML/ExpKit.Gen2

Also known as the Brushaloader, ExpKit.Gen2 is a trojan with remote access capabilities. Brushaloader infects hosts through email phishing (i.e., .rar archives or altered Visual Basic Scripts). Upon successful infiltration, Brushaloader would employ a RAT (Remote Access Tool) to gather various types of data (e.g. accountholder name, passwords, generic account credentials, email addresses, etc.) which would later be exfiltrated to threat a actor-held server via a secure channel.

Brushaloader may also bypass regular security mechanisms to deploy additional malware or adware. Furthermore, a compromised host would have been under the threat actor’s complete control, who could perform various actions on target (e.g., access microphone and camera for recording, fingerprinting, etc.).

11. W32/Floxif.hdc

Floxif.hdc is a virus capable of infecting running or latent applications/processes, as well as DLLs. The virus is usually implanted in the host via forged emails or infected storage media (e.g. thumb drives, memory cards, CDs, DVDs, external HDDs, or SSDs). Infection can only occur when the user interacts with the malicious executable. In some instances, Floxif.hdc took the form of an update file. Typical behavior includes DLL injection or side-loading or additional malware installation (i.e., after bypassing security mechanisms).

12. TR/Blackhole.C

Blackhole.C is the trojan component of the Blackhole exploit kit, one of the first MaaS’ (Malware-as-a-Service). The trojan serves various functions – from payload delivery to downloading other malicious packages and, as a MaaS centerpiece, it can be customized according to the ‘client’s’ requirements

13. EXP/CVE-2010-2568.A

Windows Shell exposure leveraged by threat actors for RCE (Remote Code Execution) purposes. The vulnerability has been associated with WinCC Scada systems manufactured by Siemens and is known to affect said system running Win 7, Server 2008 (SP2 + R2), Win Vista (SP1 + SP2), Win XP SP 3, and Win Server 2003 SP2.

14. TR/AD.Macoute.edpwe

AD.Macoute.edpwe is a trojan with worm-like functionality. Typical behavior includes process spawning, Win Registry modification, subpar system performance, denial-of-service, keystroke sniffing, and system files modification.

15. W32/Run.Ramnit.C

Run.Ramnit.C is a trojan-carried virus that requires another malware drop to be executed. The process is two-folded: the trojan drops the infected DLL, while another malware (possibly a trojan) drops the executable that loads the infected DLL.

16. TR/Crypt.XPACK.Gen

Crypt.XPACK.Gen is a trojan with ransomware-type capabilities. The malware’s purpose is to infect the Master Boot Record (MBR) and to hinder the backup/moving process. If successful, XPACK will force-reboot the system and display a pre-boot ransom message.

17. ADWARE/Adware.Gen2

Second generation adware that, on occasion, exhibits virus-type traits. Adware.Gen2 installs popups, toolbars, displays in-browser or desktop apps, and can be bundled with other malware for additional actions on target.

18. VBS/Ramnit.abcd

Malicious Visual Basic script usually appended to a forged RTF or HTML file whose purpose is to drop another malware (possibly a worm or virus).

19. TR/Patched.Ren.Gen

Same infectious mechanism and MO as TR/Patched.Ren.Gen4 (see above).

20. JS/Dropper.G4

Dropper.G4 is a generic dropper with virus-like capabilities. The dropper can infect hosts via email or tainted storage media and alter core functions. In most cases, Dropper.G4 will kill all tasks and jobs associated with an antivirus engine.

How to Keep Your Endpoints Safe

While prevention’s the best cure available, it’s wise to plan ahead. So, in addition to highlighting the 20 most notorious end of the year malware, here’s a short and sweet list of my favorite cybersecurity advice.

1. Continuous patching. Apply security and non-security patches as soon as they become available. Patching is the only way to root out vulnerabilities and exposures that may be used for backdooring.
2. Update AV engine. Ensure that your antivirus solution is up to date. AV’s the best cure for file-based malware.
3. Access Governance. Privileged Access Management solutions can help you curb malware spreading, keep them out from sensitive system areas.
4. Email attachments. Don’t open email attachments received from people outside your network. The same goes for links.
5. Cybersecurity awareness. Conduct regular cybersecurity drills to coach your employees. Focus on emergent malware, infiltration techniques, and update them, if necessary, on change to company policies related to cybersecurity breaches, infections, etc.

Conclusion

To say that the “threatscape has changed” would be a contradiction in terms – it’s always on the move and it’s up to us to keep the pace. As always, stay safe, don’t click on odd-looking links, subscribe, comment, and hit me with your best questions.

HEIMDAL CYBER THREAT REPORT 2023

CyberSecurity & Threat Intelligence Report

A review of the 2022 cyber-threat landscape and our predictions for 2023.

Download Report

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.