Threat Hunting Journal February 2022 – End of the Month Roundup

We once again return with yet another narrative about malware strains, detection, and (clever) ways to protect your company’s assets against said threats. Last month’s threat journal mostly pivoted on trojans. So, it comes as no surprise that February’s threat hunting top is forefronted by the trojan king– over 10,000 positive detections, meaning a 64.2% decrease since December. That’s the good news; the bad news is that king trojan also brought along some reinforcement. Stick around to find out all about February’s most detected malware.

Top Malware(s) Detection: 1^st of February – 28^th of February

Throughout February, Heimdal™ has identified 7 trojan strains, totaling several 10,351 positive detections. As stated in the intro, despite the trojan’s prevalence, the number of positive IDs has significantly dropped compared to the last two scanning intervals (28,000 for December vs. 13,751 for January vs. 10,351 for February). What we’re witnessing is a steady percentile drop in trojan activity (51% for the December-January interval and 25% for the January-February interval).

Distribution-wise, we seem to have one of Kevlin Henney’s songs on our hands – “Old is the New New”. Our team has signaled 21 malware(s), 12 of them being recurrent (e.g., ACAD/Bursted.AN EXP/CVE-2010-2568.A, TR/Downloader.Gen, TR/Patched.Gen, TR/AD.GoCloudnet.kabtg, ADWARE/JsPopunder.G, TR/Crypt.XPACK.Gen, SPR/KeyFind.A, SPR/KeyFind.A, W32/Floxif.hdc, TR/Patched.Ren.Gen, TR/Patched.Ren.Gen7) and only 9 newcomers.

The new entries are TR/Rozena.jrrvz with 3263 positive detections, TR/Rozena.rfuus with 2,418 positive detections, TR/ATRAPS.Gen with 1,432 positive detection, DR/FakePic.Gen with 1,175 positive detections, ACAD/Burste.K with 651 positive detections, TR/AD.GoCloudnet.kabtg with 512 positive detections, W32/Neshta.A with 186 positive detections, ACAD/Bursted with 170 positive detections, ADWARE/Adware.Gen2 with 240 positive detections, and PUA/DownloadAdmin.Ge with 243 positive detections.

Below, you’ll find the complete list of positive IDs for the January-February interval.

Top Malware(s) Detailed

Here’s a rundown of the new malware strains detected this month. For brevity reasons, I have excluded the recurrent strains. For more information on those, I wholeheartedly encourage you to read the previous threat hunting journal editions. Enjoy!

1. TR/Rozena.jrrvz

A Rozena trojan variant; jrrvz is typically dropped by another type of malware. Following infiltration, TR/Rozena.jrrvz will spawn multiple processes (e.g. svchost.exe – netsvcs, svchost.exe -k WerSvcGroup, svchost.exe -k LocalServiceAndNoImpersonation, -k NetworkService, and others), create new folders in the AppData\Local\Microsoft folder, delete temporary files, and modify registry entries associated with applications such as Adobe Acrobat Reader DC, Windows Media Center, Paint, Microsoft Office Picture Manager, Windows Photo Viewer, Default Host Application, Microsoft Office Word, Windows Media Player, and WordPad.

2. TR/Rozena.rfuus

A Rozena trojan variant that attempts to connect to a malicious URL after drop.

3. TR/ATRAPS.Gen

ATRAPS.Gen is the perfect combination between a rootkit and a trojan. Buy most accounts, ATRAPS is used to install spyware and backdoors on the machine and for illegal data exfiltration. ATRAPS’ usually associated with unsecured gaming websites.

4. DR/FakePic.Gen

A trojan that is usually dropped by another type of malware (i.e., dropper). It has no offensive capabilities on its own because it requires other (dropped) components in order to affect a machine.

5. ACAD/Bursted.K

A variant of the ACAD/Bursted virus. Bursted.K specifically targets AutoCad’s LSP files. The virus edits global variables for infection and self-replication purposes.

6. TR/AD.GoCloudnet.kabtg

GoCloudnet.kabtg is a ransomware with trojan-like abilities. This particular strain can encrypt hard-drive records, DoS the target, create RWX memory, and extract packages for malicious RCE (Remote Code Execution) purposes.

7. W32/Neshta.A

Nestha.A is a virus from the Appeding class used to infect network shares and logical drives. After infiltration, Nestha.A modifies several Win registres, shell-runs an altered svchostcommand, and creates a specific function in otder to infect other files. Other uses include malicious data exfiltration via POST over SMTP servers.

8. ADWARE/Adware.Gen2

Second-generation adware that installs PUAs (Potentially Unwanted Applications), toolbars, and pop-ups.

9. PUA/DownloadAdmin.Ge

A PUP-type malware that’s usually dropped or carried by another type of malware. After infiltration, DownloadAdmin.Ge will drop additional files in the User\Temp folder.

Additional Cybersecurity Advice and Parting Thoughts

That’s about it for the February edition of Heimdal’s threat hunting journal. As always, before I head out, I’ll leave you in the company of my favorite cybersecurity tips, tricks, and hacks.

• Unsecured websites. Do your best to stay away from unsecured websites. Look for the padlock icon next to the URL.
• Updated Antivirus. Don’t forget that the AV is your first and last line of defense. Be sure to keep that AV database up to date. Now, if you want to up your antivirus game, you may want to give Heimdal™ Security’s Next-Gen Antivirus a try. Increased resilience, backed up by MDM, brute-force protection, and USB lock.
• Suspicious links. Please refrain from clicking on links from unsecured websites or emails received from untrusted sources.

As always, stay safe, be cautious around unsecured websites, and stay tuned for more threat-hunting content.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.