Heimdal Security Blog

Threat Hunting Journal – March 2022 E.O.M Edition

The early spring edition of Heimdal™ Security’s threat hunting journal brings new contenders, old contenders, and more telemetry. No major improvements since last month, with the Trojan King still refusing to give up its belt – over 33,000 positive detections, spread across 17 different strains. Stay tuned for more numbers, stats, and “goodies”.

Top Malware(s) Detection: 1st of March – 28th of March

Throughout March, Heimdal™ Security’s SOC team detected 17 different trojan strains, totaling 33,301 positive detections, a 219% increase since February and an all-time record (i.e., 28,000 for December vs. 13,751 for January vs. 10,351 for February). Raking in close to 9,000 hits (i.e., positive detections) is the TR/AD.GoCloudnet.kabtg trojan, first detected in late December 2021. Next on the list we have TR/Rozena.jrrvz with 5,000+ positive detections, followed by VBS/Ramnit.abcd with 4k+ positive IDs, and the Rozena .rfuus variant with 3,800+ detections.

Though most of the malware on this list are “repeat offenders”, we do have a couple of newcomers. To name a few, we have TR/Dropper.tfflr with 3,770 positive detections, LNK/Runner.VPEJ with 2,886 positive IDs, and TR/CoinMiner.uwtyu with 2,049 detections. Below, you’ll find the complete list of March detections (the 17 TR/ entries alone account for the 33,301 trojan detections mentioned above) as well as a rundown of this month’s new malware. Enjoy!

Malware name              No. of Positive IDs
TR/AD.GoCloudnet.kabtg    8859
TR/Rozena.jrrvz           5189
VBS/Ramnit.abcd           4407
TR/Rozena.rfuus           3805
TR/Dropper.tfflr          3770
LNK/Runner.VPEJ           2886
ACAD/Bursted.AN           2738
TR/CoinMiner.uwtyu        2049
TR/Crypt.XPACK.Gen2       1929
TR/Downloader.Gen         1720
TR/Patched.Gen            1715
EXP/CVE-2010-2568.A       1310
TR/Dropper.Gen             924
TR/Dropper.MSIL.Gen2       596
TR/AD.DSpyware.ownot       593
DR/FakePic.Gen             534
TR/CoinMiner.jpmln         501
WORM/LNK.Verecno.Gen       484
W32/Floxif.hdc             479
TR/Crypt.XPACK.Gen3        474
PUA/DownloadAdmin.Gen      424
TR/Crypt.XPACK.Gen         374
WORM/LNK.Lodbak.Gen        366
EXP/PyShellCode.A          355
TR/ATRAPS.Gen              318
ADWARE/JsPopunder.G        262
W32/Renamer.A              259
TR/AD.Injector.nsnmc       254
XF/Agent.B2                251
TR/Crypt.ZPACK.Gen         231

Top 10+ Malware(s) Detailed

As usual, I’ve excluded strains already covered in previous editions, focusing on emergent malware.

1. TR/Dropper.tfflr

TR/Dropper.tfflr is a trojan dropper, whose sole purpose is to drop (i.e., unpack) malicious files on the victim’s machine. The trojan can release various payloads, depending on the type of attack or the targeted surface. For instance, TR/Dropper.tfflr can be ‘outfitted’ with ransomware-type code, backdoors, various exploits, or even spyware.

2. LNK/Runner.VPEJ

Although technically a trojan, Runner.VPEJ has additional tricks up its sleeve. Endemic to hacking-related websites, LNK/Runner.VPEJ typically infects machines via spam email. Once the user interacts with the email’s malicious attachment, VPEJ springs to life and starts infecting files and folders. In most cases, Runner tampers with the visibility attributes of files and folders, hiding them from the user.

3. TR/CoinMiner.uwtyu

A trojan with C2 capabilities. CoinMiner infects a machine – typically via spam emails – and uses an arbitrary port to contact a hacker-owned address or resource for instructions.

4. TR/Crypt.XPACK.Gen2

Crypt.XPACK.Gen2 is a trojan outfitted with various payloads. In some of the observed instances, XPACK.Gen2 was found to carry ransomware components.

5. TR/Dropper.MSIL.Gen2

A Dropper.tfflr variant. The infection mechanism is the same. See the above entry on TR/Dropper.tfflr for additional information.

6. TR/AD.DSpyware.ownot

AD.DSpyware is a trojan capable of dropping spyware or installing backdoors on the victim’s machine.

7. TR/CoinMiner.jpmln

CoinMiner.jpmln is a CoinMiner variant. Infection mechanism and payload selection remain unchanged. Please see the above section on TR/CoinMiner.uwtyu for more details.

8. WORM/LNK.Verecno.Gen

LNK/Verecno.Gen is a trojan with worm-like features. Verecno is usually transmitted through infected removable media or mapped (and shared) network drives. Once inside the victim’s machine, it changes Windows Registry values and seeks out other shared network resources to infect.

9. TR/Crypt.XPACK.Gen3

An XPACK.Gen2 variant. The infection mechanism is the same. See the above entry on Crypt.XPACK.Gen2 for additional information.

10. WORM/LNK.Lodbak.Gen

LNK/Lodbak.Gen is a worm with limited destructive capabilities. Lodbak.Gen is typically used in botnet activities.

11. TR/AD.Injector.nsnmc

AD.Injector is a trojan whose purpose is to inject potentially harmful adware-type software into the victim’s machine.

12. XF/Agent.B2

Agent.B2 is a trojan dropper. It typically installs backdoors on the infected machine.

Additional Cybersecurity Advice & Parting Thoughts

This about wraps up this month’s threat hunting edition. I hope you’ve enjoyed reading it as much as I enjoyed writing it. As usual, before I go, I’m going to share with you some of my favorite cybersecurity tips, tricks, hacks, and advice.
