What better way to remember Easter than drawing up a list of the malware Bunny’s most ‘interesting’ offerings? Can you guess who’s the winner of this year’s (malware) egg hunt? If your answer was “trojan” then you’re right – 20 trojan strains for the April 1st – 28th interval, totaling over 25,000 positive detections – a 24.24% decrease compared to March. Here’s the April edition of Heimdal™’s threat hunting journal.
Top Malware(s) Detections: 1st of April – 28th of April
Throughout April, Heimdal™ Security’s SOC team has detected 20 types of trojans, running up to 25,976 positive detections. As mentioned in our threat hunting intro, the value registered for April represents a 24% decrease in trojan-type activity, and compared to the December – March detection interval, it can be considered an all-time historical low (i.e., 28,000 for December vs. 13,751 for January vs. 10,351 for February vs. 33,000 for March). Ranking-wise, TR/CoinMiner.uwtyu raked in the most detections (5,555 hits), followed by TR/Spy.Gen8 (4,160 hits), and TR/Rozena.jrrvc (2,717 hits).
As far as distribution is concerned, in April we have more newcomers compared to March, February, and January. To name a few, we have EXP/MS04-028.JPEG.A with 3,112 positive detections, HTML/Infected.WebPage.Gen2 with 1,574 positive detections, HTML/Phish.egr with 1,010 positive detections, and PUA/VyprVPN.Y with 406 positive hits. Here’s the complete list of detections.
Name | Number of Detections |
---|---|
JS/Redir.G13 | 17171 |
TR/CoinMiner.uwtyu | 5555 |
TR/Spy.Gen8 | 4160 |
HEUR/GEN | 3680 |
TR/AD.GoCloudnet.kabtg | 3354 |
EXP/MS04-028.JPEG.A | 3112 |
TR/Rozena.jrrvz | 2717 |
ACAD/Bursted.AN | 2477 |
TR/Dropper.tfflr | 2464 |
LNK/Runner.VPEJ | 2121 |
TR/Rozena.rfuus | 1999 |
TR/Patched.Gen | 1894 |
EXP/CVE-2010-2568.A | 1789 |
TR/Crypt.XPACK.Gen2 | 1687 |
HTML/Infected.WebPage.Gen2 | 1574 |
W32/Run.Ramnit.C | 1475 |
HTML/Phish.egr | 1010 |
TR/CoinMiner.wmstw | 997 |
HTML/ExpKit.Gen2 | 989 |
HEUR/APC | 972 |
W32/Floxif.hdc | 874 |
HEUR/AGEN.1203323 | 703 |
TR/Downloader.Gen | 640 |
TR/Crypt.XPACK.Gen | 500 |
TR/Dropper.Gen | 455 |
DR/FakePic.Gen | 452 |
TR/Crypt.XPACK.Gen3 | 433 |
ADWARE/ANDR.Boomp.FJAM.Gen | 427 |
PUA/VyprVPN.Y | 406 |
HEUR/AGEN.1213003 | 390 |
W32/Chir.B | 386 |
TR/Patched.Ren.Gen | 382 |
TR/AD.CoinMiner.rkuzv | 318 |
PUA/DownloadAdmin.Gen | 311 |
HEUR/Macro.Downloader.MRAAG.Gen | 305 |
HEUR/Macro.Downloader.MRBX.Gen | 278 |
ADWARE/Adware.Gen2 | 272 |
EXP/PPT.A | 253 |
SPR/Spy.Ardamax.J.9 | 245 |
TR/Crypt.ZPACK.Gen | 242 |
HEUR/AGEN.1210871 | 227 |
HTML/Drop.VBS.A | 227 |
HEUR/AGEN.1247049 | 199 |
TR/ATRAPS.Gen | 196 |
TR/Dropper.VB.Gen | 186 |
W32/Parite | 183 |
TR/Patched.Ren.Gen7 | 179 |
WORM/LNK.Lodbak.Gen | 176 |
TR/Kryptik.abboik | 168 |
TR/Kazy.61783.12 | 167 |
Top 9 Malware(s) Detailed
Like always, I’ve included only the most relevant malicious strains, filtering out repeated offenders. Enjoy!
1. TR/Spy.Gen8
A generic-type trojan. It’s usually employed to deliver spyware to the victim’s machine. Depending on the attacker’s motivation, the TR/Spy.Gen8 can be outfitted with various payloads.
2. HTML/Infected.WebPage.Gen2
An attack aimed at infecting commonly used web pages. When the user queries the resource, he or she will often get redirected to an attacker-owned web page for various actions on target (e.g., phishing for credentials, spyware retrieval, etc.).
3. HTML/ExpKit.Gen2
HTML/ExpKit.Gen2 is another moniker for the Brushaloader trojan with RAT (Remote Access Tool) capabilities. It’s typically employed to deliver additional malware to the victim’s machine. HTML/ExpKit.Gen2 is delivered via infected emails, .rar archives, or Visual Basic scripts.
4. ADWARE/ANDR.Boomp.FJAM.Gen
A generic adware-type program that downloads and installs malicious ads on the victim’s Android device.
5. PUA/VyprVPN.Y
A Potentially Unwanted Application (PUA) masquerading as a legitimate VPN-type application. It can be used as an access point or to download additional malicious components.
6. TR/Dropper.VB.Gen
A dropper-type trojan that’s typically employed to drop other malware or components. TR/Dropper.VB.Gen infects its victims via VB scripts.
7. TR/Kryptik.abboik
A trojan that’s used to create a C2 connection via an exploitable backdoor. Kryptik can also be leveraged to download other malware, identify and exploit additional backdoors, carry out typosquatting, and more.
8. TR/Kazy.61783.12
A generic trojan that’s used to deploy and assemble the components of other malware.
9. HEUR/AGEN.1203323
An unknown program that displays potentially malicious behavior.
Additional Cybersecurity Advice and Parting Thoughts
This wraps up the April, post-Easter edition of Heimdal™ Security’s threat hunting journal. Before I go, I’m gonna share with you a couple of pieces of advice on how to perk up your security.
- On-demand, auto-scan or disabled. How often should a device be scanned? Should we leave the scanning schedule up to policy, do it ourselves, or give it up for Lent? My advice would be to work out a schedule with your IT admins to find the best time for this type of operation.
- Need more firepower? Perhaps you need more than a virus scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution that combines top-tier detection rates, brute-force detection & protection features, and more.
- Phishy emails. No, it’s not a typo. As you know, most malware’s transmitted via email. So, with the risk of sounding like a broken record – if it looks suspicious, it’s probably dangerous.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.