Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Heimdal™ returns with another incisive, mind-bending edition of our celebrated threat hunting journal. What does the month of July have in stock for us? As one would expect, even more trojans, PUAs, and a couple of worms and viruses just to keep things interesting. Wonder no more because our trojan king reigns unchallenged – 15 trojan strains were detected throughout July, totaling a not so–whopping 8,404 positive detections (no change there). Enjoy, subscribe, and, of course, share if you care.
Top Malware(s) Detections: 1st of July – 29th of July
Heimdal™’s SOC team has positively IDed 15 trojan strains in July. The number of trojans (positive) hits is 8,404; as someone might say “not good, not terrible”. So, what’s so special about it? Because this number represents our newest historical low (i.e., February – 10,351 vs. July – 8,404). And because we just love numbers and percentages, trojan activity in July has decreased by 158% (i.e., compared with the previous month). Diversity-wise, we have our usual ACAD/Bursted.AN detections, Run.Ramnit.C, PUAs, and the Sality virus.
All of July’s malware detections can be found below.
| Name | No. of hits |
|---|---|
| EXP/PyShellCode.G | 2647 |
| ACAD/Bursted.AN | 2301 |
| TR/Trash.Gen | 1515 |
| EXP/CVE-2010-2568.A | 1004 |
| TR/Patched.Gen | 916 |
| TR/PSInject.G1 | 904 |
| TR/CoinMiner.wmstw | 878 |
| Eicar-Signature | 872 |
| TR/CoinMiner.uwtyu | 830 |
| TR/AD.GoCloudnet.kabtg | 699 |
| PUA/UTorrentWeb.BA | 693 |
| TR/Dldr.Delphi.Gen | 512 |
| TR/Dropper.Gen2 | 495 |
| W32/Run.Ramnit.C | 450 |
| W32/Infector.Gen | 439 |
| TR/Crypt.XPACK.Gen | 417 |
| W32/Sality.AW | 361 |
| ACAD/Burste.K | 338 |
| TR/Swrort.fkiqj | 327 |
| W32/Sality.AT | 275 |
| VBS/Ramnit.abcd | 272 |
| W97M/Class.EP.1 | 244 |
| ADWARE/Adware.Gen2 | 229 |
| WORM/Brontok.C | 226 |
| W32/Neshta.A | 224 |
| TR/Dropper.Gen | 211 |
| TR/AD.Swotter.lckuu | 201 |
| TR/Patched.Ren.Gen | 175 |
| LNK/Runner.VPGG | 163 |
| TR/Patched.Ren.Gen7 | 163 |
| TR/Worm.Gen | 161 |
Top 7 Malware Detailed
Now that we have this month’s threat hunting stats out of the way, let’s take a stab at the most important malware detections.
EXP/PyShellCode.G
PYyShellCode.G is a malware whose scope is to either identify and exploit code or software vulnerabilities.
TR/Trash.Gen
Trash. Gen is your run-of-the-mill trojan that can impact your machine in different ways. For instance, it can slow down your device, paving the way for other malware, installing backdoors, and more. This particular trojan is endemic to pornographic websites.
PUA/UTorrentWeb.BA
UTorrentWeb.BA is a PUA (i.e., Potentially Unwanted Application) that can be leveraged for stuff like recon. It can also install adware on the infected machine. As the name suggests, PUA most often infects machines running torrent downloaders.
W32/Infector.Gen
Infector.Gen is malware with trojan capabilities. Typical Infector.Gen behavior includes DLL injection, process manipulation, and creation of scheduled tasks for persistence purposes.
W97M/Class.EP.1
Class.EP.1 is a later iteration of the M97 Class macro virus that is used to infect MS Office 97 documents.
TR/Dropper.Gen
Dropper.Gen is a dropper-type malware. It’s usually employed to deliver other types of malware. From January to July, Heimdal™ has identified five distinct versions of the Dropper.Gen malware.
W32/Sality.AT
Sality.AT is the latest version of the infamous Sality virus, that made headlines back in 2003. Never out of fashion, Sality, with its AT variant, can perform a long range of actions on target such as C2 communication, backdoor installation, and transforming the infected machine into a bot.
Additional Cybersecurity Tips and Parting Thoughts
This wraps up the July edition oft our celebrated threat hunting journal. Before I go, here are some cybersecurity tips that may help you even the odds with hackers.
- Manual scanning vs. scheduled (automatic) scanning. It’s not always a good idea to leave the scanning bit to the users. Experience dictates that the average user would rather skip this part and focus on other meaningful things than go along with it. So, the best course of action would be to set an automatic (and scheduled) scanning flow.
- More firepower. Some types of malware won’t show up on a regular AV scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution that combines top-tier detection rates, brute-force detection & protection features, and more.
- Beware of phishing. As most malware’s gets pipped via email do yourself a favour and stay away from suspicious email. Remember the rule of the thumb: if it looks shady, then it’s probably dangerous.
Do you enjoy our Threat Hunting Journal? Don’t forget to follow us on LinkedIn, Twitter, Facebook, Youtube, or Instagram to keep up to date with everything we post!
