Threat Hunting Journal – June 2022 Edition

Heimdal™ Security returns with yet another insightful story on the state of malware. As always, we’ll go through the numbers, call out the newcomers, and pay our respects to the usual suspects. No major updates since last month – trojans still trump the opposition, with a grand total of 20K+ detections. Still, June’s not without bombshells. We have 30 new malwares, a significant increase compared to the last couple of months. So, without further ado, here’s the June edition of our Threat Hunting Journal. Enjoy, subscribe, and share!

Top Malware(s) Detections: 1st of June – 29th of June

Throughout the month of June, Heimdal™ Security’s S.O.C team has detected (and mitigated) 22 trojan strains, totaling a whopping 21,718 (positive) hits, a 30% increase since May, and the second historical high after April when our team detected 25,976 (positive) hits. Distribution-wise, TR/Swrort.fkiqj takes the first place with 8,260 positive IDs, followed by EXP/CVE-2010-2568.A with 4,775 positive detections, and VBS/Ramnit.abcd with 2,900 positive detections. As I might have mentioned in the intro, June has the highest number of new malware –  30 newcomers. To name just a few of them, we have JS.FileCoder.poinj with 951 positive hits, PUA/UTorrentWeb.BE with 365 hits, TR/ATRAPS.Gen with 532 positive detections, and TR/Dldr.Delphi.Gen with 381 positive detections. Below, you’ll find the unabridged list of June malware detections.

Top 5 Malware Detailed

Let’s take a closer look at this month’s top 5 malware list.

TR/Crypt.FKM.Gen

TR/Crypt.FKM.Gen is a trojan designed to infiltrate the victim’s machine, bypass security, and deploy spyware.

PUA/UTorrentWeb.BA

PUA/UTorrentWeb.BA is a Potentially Unwanted Application that usually infects machines running P2P file-sharing applications like uTorrent or qBittorent. This type of malware can impact performance, and deploy coin-mining tools on the victim’s machine or spyware.

HTML/Phish.MMI

HTML/Phish.MMI is a malware that exhibits trojan-like behavior. Once it lands on the machine, the malware will attempt to secure a connection to a malicious C2 server.

ADWARE/JsRevizer.G

ADWARE/JsRevizer.G is designed to display potentially dangerous ads on the victim’s machine.

W32/Sality.AT

Sality.AT is the modern version of the Sality computer virus. This malware is usually distributed via email or infected removable drives. Once inside the machine, Sality.AT will attempt to infect shared drives, local drives, and any attached removable media. Compared to its predecessors, Sality.AT employs polymorphic techniques in order to avoid detection and maximize impact.

Additional Cybersecurity Tips and Parting Thoughts

This wraps up the June edition of our threat hunting journal. Before I scoot, here are a couple of tips that could help you fight the good fight against malware.

• Define device-scanning policies. Ensure that you have defined and enforced strict device-scanning policies. You should also consider miscellaneous rules to cover aspects such scanning frequency, scanning depth, on-demand etc.
• Better AV protection. Some types of malware won’t show up on a regular AV scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution than combines top-tier detection rates, brute-force detection & protection features, and more.
• Beware of phishing. As you know, most malware’s transmitted via email. So, if it looks suspicious, it’s probably dangerous and should, therefore, not be opened.

Do you enjoy our Threat Hunting Journal? Don’t forget to follow us on LinkedIn, Twitter, Facebook, Youtube, or Instagram to keep up to date with everything we post!