Heimdal

The early spring edition of Heimdal™ Security’s threat hunting journal brings new contenders, old contenders, and more telemetry. No major improvements since last month, with the Trojan King still refusing to give up its belt – over 33,000 positive detections, spread across 17 different strains. Stay tuned for more numbers, stats, and “goodies”.

Top Malware(s) Detection: 1st of March – 28th of March

Throughout March, Heimdal™ Security’s SOC team detected 17 different trojan strains, totaling 33,301 positive detections, a 219% increase since February and an all-time record (i.e., 28,000 for December vs. 13,751 for January vs. 10,351 for February). Raking in close to 9,000 hits (i.e., positive detections) is the TR/AD.GoCloudnet.kabtg trojan, first detected in late December 2021. Next on the list we have TR/Rozena.jrrvz with 5,000+ positive detections, followed by VBS/Ramnit.abcd with 4k+ positive IDs, and the Rozena .rfuus variant with 3,800+ detections.

Though most of the malware on this list are “repeat offenders”, we do have a couple of newcomers. To name a few, we have TR/Dropper.tfflr with 3,770 positive detections, LNK/Runner.VPEJ with 2,886 positive IDs, and TR/CoinMiner.uwtyu with 2,049 detections. Below, you’ll find the complete list of March detections as well as a rundown of this month’s new malware. Enjoy!

Malware name                No. of Positive IDs
TR/AD.GoCloudnet.kabtg      8859
TR/Rozena.jrrvz             5189
VBS/Ramnit.abcd             4407
TR/Rozena.rfuus             3805
TR/Dropper.tfflr            3770
LNK/Runner.VPEJ             2886
ACAD/Bursted.AN             2738
TR/CoinMiner.uwtyu          2049
TR/Crypt.XPACK.Gen2         1929
TR/Downloader.Gen           1720
TR/Patched.Gen              1715
EXP/CVE-2010-2568.A         1310
TR/Dropper.Gen              924
TR/Dropper.MSIL.Gen2        596
TR/AD.DSpyware.ownot        593
DR/FakePic.Gen              534
TR/CoinMiner.jpmln          501
WORM/LNK.Verecno.Gen        484
W32/Floxif.hdc              479
TR/Crypt.XPACK.Gen3         474
PUA/DownloadAdmin.Gen       424
TR/Crypt.XPACK.Gen          374
WORM/LNK.Lodbak.Gen         366
EXP/PyShellCode.A           355
TR/ATRAPS.Gen               318
ADWARE/JsPopunder.G         262
W32/Renamer.A               259
TR/AD.Injector.nsnmc        254
XF/Agent.B2                 251
TR/Crypt.ZPACK.Gen          231

Top 10+ Malware(s) Detailed

As usual, I’ve excluded previous instances, focusing on emergent malware.

1. TR/Dropper.tfflr

TR/Dropper.tfflr is a trojan dropper, whose sole purpose is to drop (i.e., unpack) malicious files on the victim’s machine. The trojan can release various payloads, depending on the type of attack or target surface. For instance, TR/Dropper.tfflr can be ‘outfitted’ with ransomware-type code, backdoors, various exploits, or even spyware.

2. LNK/Runner.VPEJ

Although technically a trojan, Runner.VPEJ has additional tricks up its sleeve. Endemic to hacking-related websites, LNK/Runner.VPEJ typically infects machines via spam email. Once the user interacts with the email’s malicious attachment, VPEJ springs to life and starts infecting files and folders. In most cases, Runner tampers with the visibility attributes of files and folders, hiding them from the user.

3. TR/CoinMiner.uwtyu

A trojan with command-and-control (C2) capabilities. CoinMiner infects a machine – typically via spam emails – and uses an arbitrary port to contact an attacker-controlled address or resource for instructions.

4. TR/Crypt.XPACK.Gen2

Crypt.XPACK.Gen2 is a trojan outfitted with various payloads. In some of the observed instances, XPACK.Gen2 was found to carry ransomware components.

5. TR/Dropper.MSIL.Gen2

A Dropper.tfflr variant. The infectious mechanism is the same. See the above entry on TR/Dropper.tfflr for additional information.

6. TR/AD.DSpyware.ownot

AD.DSpyware is a trojan capable of dropping spyware or installing backdoors on the victim’s machine.

7. TR/CoinMiner.jpmln

CoinMiner.jpmln is a CoinMiner variant. Infectious mechanism and payload selection remain unchanged. Please see the above section on TR/CoinMiner.uwtyu for more details.

8. WORM/LNK.Verecno.Gen

LNK/Verecno.Gen is a trojan with worm-like features. Verecno is usually transmitted through infected removable media or mapped (and shared) network drives. Once inside the victim’s machine, it will change Windows Registry values and seek other shared network resources to infect.

9. TR/Crypt.XPACK.Gen3

An XPACK.Gen2 variant. The infectious mechanism is the same. See the above entry on Crypt.XPACK.Gen2 for additional information.

10. WORM/LNK.Lodbak.Gen

LNK/Lodbak.Gen is a worm with limited destructive capabilities. Lodbak.Gen is typically used in botnet activities.

11. TR/AD.Injector.nsnmc

AD.Injector is a trojan whose mandate is to inject potentially harmful adware-type software into the victim’s machine.

12. XF/Agent.B2

Agent.B2 is a trojan dropper. It typically installs backdoors on the infected machine.
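Three of this month’s entries (LNK/Runner.VPEJ, WORM/LNK.Verecno.Gen and WORM/LNK.Lodbak.Gen) ride on Windows shortcut files, and Runner additionally hides files from the user. The following triage script is an added example, not Heimdal’s tooling: it reads the MS-SHLLINK header and StringData of a .lnk file and flags shortcuts whose target invokes a script host or whose target file carries the hidden attribute. The sample shortcuts it builds are constructed inline for the demonstration; the token list is an assumed starting point, not a complete signature.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location")]
FILE_ATTRIBUTE_HIDDEN = 0x02
# Assumed heuristic: script hosts and download-capable binaries a document shortcut on a USB stick rarely needs.
SUSPICIOUS_TOKENS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "http://", "https://")

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, target FileAttributes and the StringData fields of a .lnk blob."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    off = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:    # LinkTargetIDList: u16 size followed by that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: its first u32 is its own total size
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags, "target_attributes": attrs}
    for bit, name in STRING_FIELDS:  # StringData: u16 char count, then the chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            size = count * 2 if unicode else count
            fields[name] = data[off:off + size].decode("utf-16-le" if unicode else "cp1252")
            off += size
    return fields

def triage_lnk(data: bytes) -> list:
    """Reasons a shortcut deserves a closer look; an empty list means nothing stood out."""
    f = parse_lnk(data)
    target = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    reasons = []
    hits = [t for t in SUSPICIOUS_TOKENS if t in target]
    if hits:
        reasons.append("target invokes " + ", ".join(hits))
    if f["target_attributes"] & FILE_ATTRIBUTE_HIDDEN:
        reasons.append("target file is marked hidden")
    return reasons

def build_lnk(relative_path: str, arguments: str, target_attrs: int = 0x20) -> bytes:
    """Constructed sample shortcut (no IDList, no LinkInfo) used only to exercise the parser."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE,
                         target_attrs, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))

BENIGN = build_lnk(r"..\Documents\report.docx", "")  # constructed: ordinary document shortcut
SUSPECT = build_lnk(r"..\Windows\System32\cmd.exe", r"/c wscript.exe .\sys\update.vbs", 0x20 | FILE_ATTRIBUTE_HIDDEN)
```

Real shortcuts usually carry an IDList and LinkInfo block, which the parser skips by their declared sizes before reading the strings, so the same function applies to files collected from a suspect removable drive.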

Additional Cybersecurity Advice & Parting Thoughts

This about wraps up this month’s threat hunting edition. I hope you’ve enjoyed it as much as I did writing it. As usual, before I go, I’m going to share with you some of my favorite cybersecurity tips, tricks, hacks, and advice.

  • Learn the signs. Some of the (more) common signs associated with malware infection are unresponsiveness, suspicious pop-ups, frequent freezing, and/or crashing.
  • Keep that AV up to date. Keep in mind that your antivirus does more than keep malware at bay. For instance, when combined with ransomware encryption protection software, it can actively protect your machine against illicit file encryption. Heimdal™ Security’s Next-Gen Antivirus & MDM combined with Ransomware Encryption Protection is the perfect combo, being capable of removing ransomware, viruses, worms, adware, and anything in between.
  • Suspicious links and attachments. Since most of the above-mentioned malware moves around using emails, I would advise you to refrain from clicking on links or opening attachments from emails received from unknown or untrusted sources.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.
