What better way to remember Easter than drawing up a list of the malware Bunny’s most ‘interesting’ offerings? Can you guess who’s the winner of this year’s (malware) egg hunt? If your answer was “trojan” then you’re right – 20 trojan strains for the April 1st – 28th interval, totaling over 25,000 positive detections – a 24.24% decrease compared to March. Here’s the April edition of Heimdal™’s threat hunting journal.
Top Malware(s) Detections: 1st of April – 28th of April
Throughout April, Heimdal™ Security’s SOC team has detected 20 types of trojans, running up to 25,976 positive detections. As mentioned in our threat hunting intro, the value registered for April represents a 24% decrease in trojan-type activity, and compared to the December – March detection interval, it can be considered an all-time historical low (i.e., 28,000 for December vs. 13,751 for January vs. 10,351 for February vs. 33,000 for March). Ranking-wise, TR/CoinMiner.uwtyu raked in the most detections (5,555 hits), followed by TR/Spy.Gen8 (4,160 hits), and TR/Rozena.jrrvc (2,717 hits).
As far as distribution is concerned, in April we have more newcomers compared to March, February, and January. To name a few, we have EXP/MS04-028.JPEG.A with 3,112 positive detections, HTML/Infected.WebPage.Gen2 with 1,574 positive detections, HTML/Phish.egr with 1,010 positive detections, and PUA/VyprVPN.Y with 406 positive hits. Here’s the complete list of detections.
| Name | Number of Detections |
|---|---|
| JS/Redir.G13 | 17171 |
| TR/CoinMiner.uwtyu | 5555 |
| TR/Spy.Gen8 | 4160 |
| HEUR/GEN | 3680 |
| TR/AD.GoCloudnet.kabtg | 3354 |
| EXP/MS04-028.JPEG.A | 3112 |
| TR/Rozena.jrrvz | 2717 |
| ACAD/Bursted.AN | 2477 |
| TR/Dropper.tfflr | 2464 |
| LNK/Runner.VPEJ | 2121 |
| TR/Rozena.rfuus | 1999 |
| TR/Patched.Gen | 1894 |
| EXP/CVE-2010-2568.A | 1789 |
| TR/Crypt.XPACK.Gen2 | 1687 |
| HTML/Infected.WebPage.Gen2 | 1574 |
| W32/Run.Ramnit.C | 1475 |
| HTML/Phish.egr | 1010 |
| TR/CoinMiner.wmstw | 997 |
| HTML/ExpKit.Gen2 | 989 |
| HEUR/APC | 972 |
| W32/Floxif.hdc | 874 |
| HEUR/AGEN.1203323 | 703 |
| TR/Downloader.Gen | 640 |
| TR/Crypt.XPACK.Gen | 500 |
| TR/Dropper.Gen | 455 |
| DR/FakePic.Gen | 452 |
| TR/Crypt.XPACK.Gen3 | 433 |
| ADWARE/ANDR.Boomp.FJAM.Gen | 427 |
| PUA/VyprVPN.Y | 406 |
| HEUR/AGEN.1213003 | 390 |
| W32/Chir.B | 386 |
| TR/Patched.Ren.Gen | 382 |
| TR/AD.CoinMiner.rkuzv | 318 |
| PUA/DownloadAdmin.Gen | 311 |
| HEUR/Macro.Downloader.MRAAG.Gen | 305 |
| HEUR/Macro.Downloader.MRBX.Gen | 278 |
| ADWARE/Adware.Gen2 | 272 |
| EXP/PPT.A | 253 |
| SPR/Spy.Ardamax.J.9 | 245 |
| TR/Crypt.ZPACK.Gen | 242 |
| HEUR/AGEN.1210871 | 227 |
| HTML/Drop.VBS.A | 227 |
| HEUR/AGEN.1247049 | 199 |
| TR/ATRAPS.Gen | 196 |
| TR/Dropper.VB.Gen | 186 |
| W32/Parite | 183 |
| TR/Patched.Ren.Gen7 | 179 |
| WORM/LNK.Lodbak.Gen | 176 |
| TR/Kryptik.abboik | 168 |
| TR/Kazy.61783.12 | 167 |
Top 9 Malware(s) Detailed
Like always, I’ve included only the most relevant malicious strains, filtering out repeated offenders. Enjoy!
1. TR/Spy.Gen8
A generic-type trojan. It’s usually employed to deliver spyware to the victim’s machine. Depending on the attacker’s motivation, TR/Spy.Gen8 can be outfitted with various payloads.
2. HTML/Infected.WebPage.Gen2
An attack aimed at infecting commonly used web pages. When the user queries the resource, he or she will often get redirected to an attacker-owned web page for various actions on target (e.g., phishing for credentials, spyware retrieval, etc.).
3. HTML/ExpKit.Gen2
HTML/ExpKit.Gen2 is another moniker for the Brushaloader trojan with RAT (Remote Access Tool) capabilities. It’s typically employed to deliver additional malware to the victim’s machine. HTML/ExpKit.Gen2 is delivered via infected emails, .rar archives, or Visual Basic scripts.
4. ADWARE/ANDR.Boomp.FJAM.Gen
A generic adware-type program that downloads and installs malicious ads on the victim’s Android device.
5. PUA/VyprVPN.Y
A Potentially Unwanted Application (PUA) masquerading as a legitimate VPN-type application. It can be used as an access point or to download additional malicious components.
6. TR/Dropper.VB.Gen
A dropper-type trojan that’s typically employed to drop other malware or components. TR/Dropper.VB.Gen infects its victims via VB scripts.
7. TR/Kryptik.abboik
A trojan that’s used to create a C2 connection via an exploitable backdoor. Kryptik can also be leveraged to download other malware, identify and exploit additional backdoors, perform typosquatting, and more.
8. TR/Kazy.61783.12
A generic trojan that’s used to deploy and assemble the components of other malware.
9. HEUR/AGEN.1203323
An unknown program that displays potentially malicious behavior.
Additional Cybersecurity Advice and Parting Thoughts
This wraps up the April, post-Easter edition of Heimdal™ Security’s threat hunting journal. Before I go, I’m gonna share with you a couple of pieces of advice on how to perk up your security.
- On-demand, auto-scan or disabled. How often should a device be scanned? Should we leave the scanning schedule up to policy, do it ourselves, or give it up for Lent? My advice would be to work out a schedule with your IT admins to find the best time for this type of operation.
- Need more firepower? Perhaps you need more than a virus scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution that combines top-tier detection rates, brute-force detection & protection features, and more.
- Phishy emails. No, it’s not a typo. As you know, most malware is transmitted via email. So, at the risk of sounding like a broken record – if it looks suspicious, it’s probably dangerous.