Heimdal™ Security returns with yet another insightful story on the state of malware. As always, we’ll go through the numbers, call out the newcomers, and pay our respects to the usual suspects. No major updates since last month – trojans still trump the opposition, with a grand total of 20K+ detections. Still, June’s not without bombshells: we have 30 new malware strains, a significant increase compared to the last couple of months. So, without further ado, here’s the June edition of our Threat Hunting Journal. Enjoy, subscribe, and share!
Top Malware(s) Detections: 1st of June – 29th of June
Throughout June, Heimdal™ Security’s SOC team detected (and mitigated) 22 trojan strains, totaling a whopping 21,718 (positive) hits, a 30% increase since May and the second historical high after April, when our team detected 25,976 (positive) hits. Distribution-wise, TR/Swrort.fkiqj takes first place with 8,260 positive IDs, followed by EXP/CVE-2010-2568.A with 4,775 positive detections and VBS/Ramnit.abcd with 2,900 positive detections. As mentioned in the intro, June has the highest number of new malware strains: 30 newcomers. To name just a few of them, we have JS/FileCoder.poinj with 951 positive hits, PUA/UTorrentWeb.BE with 365 hits, TR/ATRAPS.Gen with 532 positive detections, and TR/Dldr.Delphi.Gen with 381 positive detections. Below, you’ll find the unabridged list of June malware detections.
| Name | No. of hits |
| --- | ---: |
| ACAD/Burste.K | 175 |
| ACAD/Bursted.AN | 2854 |
| ADWARE/JsPopunder.G | 259 |
| ADWARE/JsRevizer.G | 219 |
| Eicar-Test-Signature | 293 |
| EXP/CVE-2010-2568.A | 4775 |
| EXP/PyShellCode.G | 2862 |
| HEUR/AGEN.1213003 | 249 |
| HEUR/AGEN.1249827 | 160 |
| HEUR/APC | 1190 |
| HTML/ExpKit.Gen2 | 1072 |
| HTML/Infected.WebPage.Gen | 870 |
| HTML/Infected.WebPage.Gen2 | 195 |
| HTML/Phish.egr | 951 |
| HTML/Phish.MMI | 768 |
| JS/FileCoder.poinj | 168 |
| JS/Malscript.G13 | 674 |
| LNK/Runner.VPFJ | 573 |
| PUA/OpenInstall.Gen | 581 |
| PUA/UTorrentWeb.BA | 813 |
| PUA/UTorrentWeb.BE | 365 |
| TR/AD.GoCloudnet.kabtg | 691 |
| TR/AD.Swotter.lckuu | 557 |
| TR/ATRAPS.Gen | 532 |
| TR/CoinMiner.uwtyu | 2745 |
| TR/CoinMiner.wmstw | 927 |
| TR/Crypt.FKM.Gen | 155 |
| TR/Crypt.XPACK.Gen | 687 |
| TR/Crypt.XPACK.Gen3 | 278 |
| TR/Crypt.XPACK.Gen4 | 150 |
| TR/Dldr.Delphi.Gen | 381 |
| TR/Downloader.Gen | 214 |
| TR/Dropper.Gen | 298 |
| TR/Dropper.Gen2 | 1118 |
| TR/Dropper.Gen7 | 160 |
| TR/Patched.Gen | 1796 |
| TR/Patched.Ren.Gen | 303 |
| TR/Patched.Ren.Gen4 | 845 |
| TR/Patched.Ren.Gen7 | 379 |
| TR/PSInject.G1 | 938 |
| TR/RanumBot.xxlef | 151 |
| TR/Redcap.rzbdb | 153 |
| TR/Swrort.fkiqj | 8260 |
| TR/Trash.Gen | 2184 |
| VBS/Ramnit.abcd | 2900 |
| W32/Floxif.hdc | 270 |
| W32/Parite | 190 |
| W32/Ramnit.C | 936 |
| W32/Run.Ramnit.C | 278 |
| W32/Sality.AT | 288 |
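A SOC analyst usually wants the list above turned into per-category totals and a ranked top-N rather than reading it row by row. The script below is an added example, not Heimdal's own tooling: it embeds the June detection list from this post as a constructed sample, parses it from the whitespace-separated "name count" form that web extraction tends to leave behind, groups detections by the signature prefix (TR, PUA, HTML, and so on) and ranks the strains. The prefix-to-label mapping is an assumption based on common AV naming conventions, not something the post defines.

```python
from collections import Counter

# Constructed sample: the June detection list from the post, whitespace-separated
# name/count pairs (the layout that a flattened HTML table typically ends up in).
RAW_TABLE = """Name No. of hits
ACAD/Burste.K 175 ACAD/Bursted.AN 2854 ADWARE/JsPopunder.G 259 ADWARE/JsRevizer.G 219
Eicar-Test-Signature 293 EXP/CVE-2010-2568.A 4775 EXP/PyShellCode.G 2862 HEUR/AGEN.1213003 249
HEUR/AGEN.1249827 160 HEUR/APC 1190 HTML/ExpKit.Gen2 1072 HTML/Infected.WebPage.Gen 870
HTML/Infected.WebPage.Gen2 195 HTML/Phish.egr 951 HTML/Phish.MMI 768 JS/FileCoder.poinj 168
JS/Malscript.G13 674 LNK/Runner.VPFJ 573 PUA/OpenInstall.Gen 581 PUA/UTorrentWeb.BA 813
PUA/UTorrentWeb.BE 365 TR/AD.GoCloudnet.kabtg 691 TR/AD.Swotter.lckuu 557 TR/ATRAPS.Gen 532
TR/CoinMiner.uwtyu 2745 TR/CoinMiner.wmstw 927 TR/Crypt.FKM.Gen 155 TR/Crypt.XPACK.Gen 687
TR/Crypt.XPACK.Gen3 278 TR/Crypt.XPACK.Gen4 150 TR/Dldr.Delphi.Gen 381 TR/Downloader.Gen 214
TR/Dropper.Gen 298 TR/Dropper.Gen2 1118 TR/Dropper.Gen7 160 TR/Patched.Gen 1796
TR/Patched.Ren.Gen 303 TR/Patched.Ren.Gen4 845 TR/Patched.Ren.Gen7 379 TR/PSInject.G1 938
TR/RanumBot.xxlef 151 TR/Redcap.rzbdb 153 TR/Swrort.fkiqj 8260 TR/Trash.Gen 2184
VBS/Ramnit.abcd 2900 W32/Floxif.hdc 270 W32/Parite 190 W32/Ramnit.C 936
W32/Run.Ramnit.C 278 W32/Sality.AT 288
"""

# Assumption: human-readable labels for the signature prefixes (common AV naming,
# not defined by the post). Unknown prefixes fall back to the prefix itself.
CATEGORY_LABELS = {
    "TR": "Trojan", "PUA": "Potentially unwanted application", "ADWARE": "Adware",
    "HTML": "Malicious HTML / phishing page", "JS": "Malicious JavaScript",
    "VBS": "Malicious VBScript", "W32": "Win32 file infector / worm",
    "EXP": "Exploit", "HEUR": "Heuristic detection", "ACAD": "AutoCAD script malware",
    "LNK": "Malicious shortcut",
}


def parse_detections(text):
    """Return [(name, hits)] from name/count tokens, whatever the line layout.

    Signature names never consist solely of digits, counts always do, so a
    name token must be followed by a count token; anything else means the
    extracted layout is broken and we fail loudly instead of misattributing hits.
    """
    lines = [l for l in text.splitlines() if not l.lstrip().lower().startswith("name ")]
    tokens = " ".join(lines).split()
    if len(tokens) % 2:
        raise ValueError("odd number of tokens: a name or count is missing")
    rows = []
    for name, count in zip(tokens[0::2], tokens[1::2]):
        digits = count.replace(",", "")  # tolerate thousands separators such as 21,718
        if not digits.isdigit():
            raise ValueError(f"expected a hit count after {name!r}, got {count!r}")
        rows.append((name, int(digits)))
    return rows


def category(name):
    """Signature prefix before the slash; detections without one (e.g. the EICAR test) are 'Other'."""
    if "/" not in name:
        return "Other"
    return CATEGORY_LABELS.get(name.split("/", 1)[0], name.split("/", 1)[0])


def summarise(rows):
    """Total hits and number of distinct strains per category."""
    hits, strains = Counter(), Counter()
    for name, count in rows:
        hits[category(name)] += count
        strains[category(name)] += 1
    return hits, strains


def top_n(rows, n=5):
    """Strains ranked by hit count, highest first."""
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]


if __name__ == "__main__":
    rows = parse_detections(RAW_TABLE)
    total = sum(h for _, h in rows)
    print(f"{len(rows)} strains, {total} hits in total")
    hits, strains = summarise(rows)
    for cat, h in hits.most_common():
        print(f"{cat:<38} {strains[cat]:>3} strains {h:>7} hits ({100 * h / total:4.1f}%)")
    print("Top 5:", top_n(rows))
```

Run it as-is to get the category breakdown; pointing `parse_detections` at next month's list only requires pasting the new rows into `RAW_TABLE`. The strict pairing check matters in practice: a single dropped count in an extracted table would silently shift every following hit onto the wrong strain.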
Top 5 Malware Detailed
Let’s take a closer look at this month’s top 5 malware list.
TR/Crypt.FKM.Gen
TR/Crypt.FKM.Gen is a trojan designed to infiltrate the victim’s machine, bypass security, and deploy spyware.
PUA/UTorrentWeb.BA
PUA/UTorrentWeb.BA is a Potentially Unwanted Application that usually infects machines running P2P file-sharing applications like uTorrent or qBittorrent. This type of malware can degrade performance and deploy coin-mining tools or spyware on the victim’s machine.
HTML/Phish.MMI
HTML/Phish.MMI is a piece of malware that exhibits trojan-like behavior. Once it lands on the machine, it will attempt to establish a connection to a malicious C2 server.
ADWARE/JsRevizer.G
ADWARE/JsRevizer.G is designed to display potentially dangerous ads on the victim’s machine.
W32/Sality.AT
Sality.AT is the modern version of the Sality computer virus. This malware is usually distributed via email or infected removable drives. Once inside the machine, Sality.AT will attempt to infect shared drives, local drives, and any attached removable media. Compared to its predecessors, Sality.AT employs polymorphic techniques to avoid detection and maximize impact.
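Because Sality.AT rewrites executables on local, shared and removable drives and changes its own appearance to dodge signature matching, a defender can look for the one thing an infector cannot hide: the host files it touched. The script below is an added example (not Heimdal's tooling and not a Sality signature) of a simple integrity baseline for executables on a drive: it records a SHA-256 and size for every executable, then on later runs reports files that were modified (and in particular grew, since an appending infector makes the host larger), added or removed. The list of executable extensions is an assumption; `simulate_infection_demo` builds a throwaway directory to show the output without touching a real drive.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption (not from the post): file types a Windows file infector is likely to modify.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".sys", ".ocx"}


def sha256_of(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each executable under root (as a relative POSIX path) to its hash and size."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p),
                "size": p.stat().st_size,
            }
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Classify every executable as modified, added or removed since the baseline.

    'grown' is the subset of modified files whose size increased: the pattern an
    appending file infector leaves, and the first thing to pull for analysis.
    """
    common = old.keys() & new.keys()
    modified = sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"])
    return {
        "modified": modified,
        "grown": sorted(k for k in modified if new[k]["size"] > old[k]["size"]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def check_drive(root, baseline_path) -> dict:
    """Compare a mounted drive with its stored baseline; create the baseline on first run."""
    baseline_file = Path(baseline_path)
    current = build_baseline(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return {"first_run": True, "tracked": len(current)}
    previous = json.loads(baseline_file.read_text())
    return {"first_run": False, **diff_baselines(previous, current)}


def simulate_infection_demo() -> dict:
    """Constructed scenario: baseline a fake drive, then mimic what an infector leaves behind."""
    root = Path(tempfile.mkdtemp(prefix="drive-"))
    (root / "a.exe").write_bytes(b"MZ" + b"\x00" * 100)
    (root / "sub").mkdir()
    (root / "sub" / "b.dll").write_bytes(b"MZ" + b"\x01" * 50)
    (root / "readme.txt").write_text("not an executable, not tracked")
    baseline = build_baseline(root)
    # Host file enlarged with appended bytes, a new dropped binary, a deleted library.
    with (root / "a.exe").open("ab") as fh:
        fh.write(b"\x90" * 64)
    (root / "c.scr").write_bytes(b"MZ")
    (root / "sub" / "b.dll").unlink()
    return diff_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(json.dumps(check_drive(sys.argv[1], sys.argv[2]), indent=1))
    else:
        print(json.dumps(simulate_infection_demo(), indent=1))
```

Use `python integrity.py <mount point> <baseline.json>` once to record the baseline and again after the drive has been attached elsewhere; anything listed under `grown` deserves a look before the drive is trusted. The baseline file itself must live somewhere the drive's users cannot modify, otherwise an infector that also tampers with the baseline would go unnoticed.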
Additional Cybersecurity Tips and Parting Thoughts
This wraps up the June edition of our threat-hunting journal. Before I scoot, here are a couple of tips that could help you fight the good fight against malware.
- Define device-scanning policies. Ensure that you have defined and enforced strict device-scanning policies. You should also consider additional rules covering scanning frequency, scanning depth, on-demand scanning, and so on.
- Better AV protection. Some types of malware won’t show up on a regular AV scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution that combines top-tier detection rates, brute-force detection & protection features, and more.
- Beware of phishing. As you know, most malware is transmitted via email. So, if it looks suspicious, it’s probably dangerous and should, therefore, not be opened.
Do you enjoy our Threat Hunting Journal? Don’t forget to follow us on LinkedIn, Twitter, Facebook, YouTube, or Instagram to keep up to date with everything we post!