CYBERSECURITY PADAWAN

What better way to remember Easter than drawing up a list of the malware Bunny’s most ‘interesting’ offerings? Can you guess who’s the winner of this year’s (malware) egg hunt? If your answer was “trojan” then you’re right – 20 trojan strains for the April 1st – 28th interval, totaling over 25,000 positive detections – a 24.24% decrease compared to March. Here’s the April edition of Heimdal™’s threat hunting journal.

Top Malware(s) Detections: 1st of April – 28th of April

Throughout April, Heimdal™ Security’s SOC team has detected 20 types of trojans, running up to 25,976 positive detections. As mentioned our threat hunting intro, the value registered for April represents a 24% decrease in trojan-type activity, and compared to the December – March detection interval, it can be considered an all-time historical low (i.e., 28,000 for December vs. 13,751 for January vs. 10,351 for February vs. 33,000 for March). Ranking-wise, TR/CoinMiner.uwtyu raked the most detections (5,555 hits), followed by TR/Spy.Gen8 (4,160 hits), and TR/Rozena.jrrvc (2,717 hits).

As far as distribution is concerned, in April we have more newcomers compared to March, February, and January. To name a few, we have EXP/MS04-028.JPEG.A with 3,112 positive detections, HTML/Infected.WebPage.Gen2 with 1,574 positive detections, HTML/Phish.egr with 1,010 positive detection, and PUA/VyprVPN.Y with 406 positive hits. Here’s the complete list of detections.

Name
Number of Detections
JS/Redir.G13
17171
TR/CoinMiner.uwtyu
5555
TR/Spy.Gen8
4160
HEUR/GEN3680
TR/AD.GoCloudnet.kabtg
3354
EXP/MS04-028.JPEG.A
3112
TR/Rozena.jrrvz
2717
ACAD/Bursted.AN2477
TR/Dropper.tfflr
2464
LNK/Runner.VPEJ
2121
TR/Rozena.rfuus
1999
TR/Patched.Gen
1894
EXP/CVE-2010-2568.A
1789
TR/Crypt.XPACK.Gen2
1687
HTML/Infected.WebPage.Gen2
1574
W32/Run.Ramnit.C
1475
HTML/Phish.egr
1010
TR/CoinMiner.wmstw
997
HTML/ExpKit.Gen2
989
HEUR/APC
972
W32/Floxif.hdc
874
HEUR/AGEN.1203323
703
TR/Downloader.Gen
640
TR/Crypt.XPACK.Gen
500
TR/Dropper.Gen
455
DR/FakePic.Gen
452
TR/Crypt.XPACK.Gen3
433
ADWARE/ANDR.Boomp.FJAM.Gen
427
PUA/VyprVPN.Y
406
HEUR/AGEN.1213003
390
W32/Chir.B
386
TR/Patched.Ren.Gen
382
TR/AD.CoinMiner.rkuzv
318
PUA/DownloadAdmin.Gen
311
HEUR/Macro.Downloader.MRAAG.Gen
305
HEUR/Macro.Downloader.MRBX.Gen
278
ADWARE/Adware.Gen2
272
EXP/PPT.A
253
SPR/Spy.Ardamax.J.9
245
TR/Crypt.ZPACK.Gen
242
HEUR/AGEN.1210871
227
HTML/Drop.VBS.A
227
HEUR/AGEN.1247049
199
TR/ATRAPS.Gen
196
TR/Dropper.VB.Gen
186
W32/Parite
183
TR/Patched.Ren.Gen7
179
WORM/LNK.Lodbak.Gen
176
TR/Kryptik.abboik
168
TR/Kazy.61783.12
167

Top 9 Malware(s) Detailed

Like always, I’ve included only the most relevant malicious strains, filtering out repeated offenders. Enjoy!

1. TR/Spy.Gen8

A generic-type trojan. It’s usually employed to deliver spyware to the victim’s machine. Depending on the attacker’s motivation, the TR/Spy.Gen8 can be outfitted with various payloads.

2. HTML/Infected.WebPage.Gen2

An attack aimed at infecting commonly used web pages. When the user queries the resource, he or she will often get redirected to an attacker-owned web page for various actions on target (e.g., phishing for credentials, spyware retrieval, etc.)

3. HTML/ExpKit.Gen2

HTML/ExpKit.Gen2 is another moniker for the Brushaloader trojan with RAT (Remote Access Tool) capabilities. It’s typically employed to deliver additional malware to the victim’s machine. HTML/ExpKit.Gen2 is delivered via infected emails, .rar archives, or Visual Basic scripts.

4. ADWARE/ANDR.Boomp.FJAM.Gen

A generic adware-type program that downloads and installs malicious ads on the victim’s Android device.

5. PUA/VyprVPN.Y

A Potentially Unwanted Application (PUA) masquerading as a legitimate VPN-type application. Can be used as an access point or to download additional malicious components.

6. TR/Dropper.VB.Gen

A dropper-type trojan that’s typically employed to drop other malware or components. TR/Dropper.VB/Gen infects its victims via VB scripts.

7. TR/Kryptik.abboik

A trojan that’s used to create a C2 connection via an exploitable backdoor. Kryptik can also be leveraged to download other malware, identify & exploit additional backdoors, typosquatting, and more.

8. TR/Kazy.61783.12

A generic trojan that’s used to deploy and assemble the components of other malware.

10. HEUR/AGEN.1203323

An unknown program that displays potentially malicious behavior.

Additional Cybersecurity Advice and Parting Thoughts

This wraps up the April, post-Easter edition of Heimdal™ Security’s threat hunting journal. Before I go, I’m gonna share with you a couple of advice on how to perk up your security.

  • On-demand, auto-scan or disabled. How often should a device be scanned? Should we leave the scanning schedule up to policy, do it ourselves, or give it up for Lent? My advice would be to work out a schedule with your IT admins to find the best time for this type of operation.
  • Need more firepower? Perhaps you need more than a virus scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution than combines top-tier detection rates, brute-force detection & protection features, and more.
  • Phishy emails. No, it’s not a typo. As you know, most malware’s transmitted via email. So, with the risk of sounding like a broken record – if it looks suspicious, it’s probably dangerous.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Threat Hunting Journal – March 2022 E.O.M Edition

Threat Hunting Journal February 2022 – End of the Month Roundup

Heimdal CyberSecurity & Threat Intelligence Report 2021

Heimdal™ Threat Hunting Journal: January E.O.M Edition

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP