Heimdal™ Security Threat-Hunting Journal: End of the Year Wrap-up in Malware
Top 20 Malware(s) Detection: November 1st – January 1st, 2022
Marking the end of 2021, Heimdal™ has enacted the very first entry of the Threat-Hunting journal, a blog section dedicated to the latest cybersecurity threats. The article and its findings reflect the shifts in cybercriminal approaches, techniques, ‘repackaging’, and malware. Below, you will find a summary of the data gathered between the 1st of November and the 1st of January by our probes.
Top 20 Malware(s) Detection: November 1st – January 1st, 2022
|Malware designation||Number of hits (detections)|
Top 20 Malware(s) Detailed
JS/Redir.G13 is the 13th generation of the JS/Redir strain, a trojan capable of delivering a crafted JS script to a (vulnerable) webpage or website for the purpose of redirecting the user to a malicious page and/or website. Although it appears to have affected Windows-running endpoints, there are no indications regarding JS/Redir.G13’s inability to affect non-Windows endpoints since the malicious script has in-browser functionality.
Being a trojan, JS/Redir.G13’s task is to infiltrate and deploy the script that redirects to a malicious URL or IP. Upon successful deployment, the script will wait for user interaction to commence malicious deflection of traffic requests. Heimdal™ has detected over 250,000 instances of JS/Redir.G13 in the indicated timeframe.
ACAD/Bursted.AN is an AutoCAD-specific virus capable of self-replication and automatic execution. The major (observable) difference between Bursted and similar viruses is that ACAD/Bursted. can only affect AutoCAD files (.lsp) via AutoLISP scripting. MO-wise, Bursted generally self-installs in AutoCAD’s folder, taking the guise of a typical drawing file.
Once the user loads the drawing file in AutoCAD, effectively executing the malicious package, the virus will migrate to the application’s support file, changing its name to mimic the legitimate support .lsp file. By gaining auto-execution capability, Bursted can infect other AutoCAD drawing files.
TR/Patched.Ren.Gen4 is a trojan with high destructive hardware/software capabilities. Moreover, Patched.Ren.Gen4 can download additional payloads or malicious programs by altering system and OS-specific files.
Typical behavior includes Windows registry compromise, overwriting system files for auto-execution on system startup/reboot and obfuscation purposes, and downloading adware or malicious software. Regarding the trojan’s destructive capabilities, it was observed that the malware tends to accelerate resource consumptions’ rate (i.e. RAM, CPU, GPU, etc.), actions that can cause severe damage to the affected system.
W32/Chir.B is a virus with worm-like capabilities. It can infect Windows files, render text files unreadable, and spread to other endpoints via network hopping or by sending itself to email addresses stored in Windows’ address book. Chir.B can spread to other systems by tapping into Windows’ email address repositories or by searching and reading files with the following extensions: .adc, r.db,.doc, .xls.
Concerning behavior, Chir.B has potent obfuscation and persistence mechanisms, allowing the malware to circumvent endpoint-based detection and user interaction. The viral worm’s viral component usually tampers with Window Registry, inputting a dword value for a runonce rule. In essence, the malware begins to spread into the system after a successful reboot. All Windows files bearing the above-mentioned extensions are made unreadable by Chir.B which will replace the first 1234 bytes of each found file with gibberish.
Because Chir.B overwrites Windows Registry entries, it will introduce a new rule to prevent users from terminating the malicious process. Basically, when such an attempt is made, the Chir.B-associated process gets rejuvenated (i.e. restarted).
TR/Dropper.Gen is a trojan capable of downloading and installing vulnerable security services or software and enforcing changes upon system files. Dropper.Gen’s primary function is to download and replace critical security components with older versions or versions that have been deprecated due to security or non-security flaws. Dropper.Gen may also enact changes that can potentially lead to abnormal machine behavior (i.e., unwarranted reboots, increased resources consumption, etc.).
Second generation HTML-based malware, capable of downloading other malware. Infected.WebPage. Gen2 is usually triggered when a user interacts with an infected HTML webpage. Signs include decreased system performance, unauthorized app installations, and sys file reconfiguration.
Spyware masquerading as a legitimate WhatsApp modding tool. WAMOD, the tool in question, is an, allegedly, under-the-counter software used to personalize WhatsApp (i.e., change themes, modify fonts, create a new UI, etc.). Upon successful infiltration, ANDR.WAMod.IBCY.Gen will begin to harvest data from the infected device transmitting it to the threat actor across a secure communication channel.
Generic software or component exhibiting either (overtly) malicious behavior or unexpected outputs.
Spyware with pre-loaded adware-type software. Once deployed, the user will receive numerous pop-ups, desktop and in-browser ads.
Also known as the Brushaloader, ExpKit.Gen2 is a trojan with remote access capabilities. Brushaloader infects hosts through email phishing (i.e., .rar archives or altered Visual Basic Scripts). Upon successful infiltration, Brushaloader would employ a RAT (Remote Access Tool) to gather various types of data (e.g. accountholder name, passwords, generic account credentials, email addresses, etc.) which would later be exfiltrated to threat a actor-held server via a secure channel.
Brushaloader may also bypass regular security mechanisms to deploy additional malware or adware. Furthermore, a compromised host would have been under the threat actor’s complete control, who could perform various actions on target (e.g., access microphone and camera for recording, fingerprinting, etc.).
Floxif.hdc is a virus capable of infecting running or latent applications/processes, as well as DLLs. The virus is usually implanted in the host via forged emails or infected storage media (e.g. thumb drives, memory cards, CDs, DVDs, external HDDs, or SSDs). Infection can only occur when the user interacts with the malicious executable. In some instances, Floxif.hdc took the form of an update file. Typical behavior includes DLL injection or side-loading or additional malware installation (i.e., after bypassing security mechanisms).
Blackhole.C is the trojan component of the Blackhole exploit kit, one of the first MaaS’ (Malware-as-a-Service). The trojan serves various functions – from payload delivery to downloading other malicious packages and, as a MaaS centerpiece, it can be customized according to the ‘client’s’ requirements
Windows Shell exposure leveraged by threat actors for RCE (Remote Code Execution) purposes. The vulnerability has been associated with WinCC Scada systems manufactured by Siemens and is known to affect said system running Win 7, Server 2008 (SP2 + R2), Win Vista (SP1 + SP2), Win XP SP 3, and Win Server 2003 SP2.
AD.Macoute.edpwe is a trojan with worm-like functionality. Typical behavior includes process spawning, Win Registry modification, subpar system performance, denial-of-service, keystroke sniffing, and system files modification.
Run.Ramnit.C is a trojan-carried virus that requires another malware drop to be executed. The process is two-folded: the trojan drops the infected DLL, while another malware (possibly a trojan) drops the executable that loads the infected DLL.
Crypt.XPACK.Gen is a trojan with ransomware-type capabilities. The malware’s purpose is to infect the Master Boot Record (MBR) and to hinder the backup/moving process. If successful, XPACK will force-reboot the system and display a pre-boot ransom message.
Second generation adware that, on occasion, exhibits virus-type traits. Adware.Gen2 installs popups, toolbars, displays in-browser or desktop apps, and can be bundled with other malware for additional actions on target.
Malicious Visual Basic script usually appended to a forged RTF or HTML file whose purpose is to drop another malware (possibly a worm or virus).
Same infectious mechanism and MO as TR/Patched.Ren.Gen4 (see above).
Dropper.G4 is a generic dropper with virus-like capabilities. The dropper can infect hosts via email or tainted storage media and alter core functions. In most cases, Dropper.G4 will kill all tasks and jobs associated with an antivirus engine.
How to Keep Your Endpoints Safe
While prevention’s the best cure available, it’s wise to plan ahead. So, in addition to highlighting the 20 most notorious end of the year malware, here’s a short and sweet list of my favorite cybersecurity advice.
- Continuous patching. Apply security and non-security patches as soon as they become available. Patching is the only way to root out vulnerabilities and exposures that may be used for backdooring.
- Update AV engine. Ensure that your antivirus solution is up to date. AV’s the best cure for file-based malware.
- Access Governance. Privileged Access Management solutions can help you curb malware spreading, keep them out from sensitive system areas.
- Email attachments. Don’t open email attachments received from people outside your network. The same goes for links.
- Cybersecurity awareness. Conduct regular cybersecurity drills to coach your employees. Focus on emergent malware, infiltration techniques, and update them, if necessary, on change to company policies related to cybersecurity breaches, infections, etc.
To say that the “threatscape has changed” would be a contradiction in terms – it’s always on the move and it’s up to us to keep the pace. As always, stay safe, don’t click on odd-looking links, subscribe, comment, and hit me with your best questions.