
Heimdal™ returns with the May edition of our threat hunting journal. As you might have expected, king trojan reigns unhindered with over 16,000 positive detections. There are a couple of newcomers, some of which may give our uncrowned monarch a run for his money. Stick around for more information and goodies. Enjoy!

Top Malware(s) Detections: 1st of May – 27th of May

Throughout May, Heimdal™’s SOC team detected 16 trojan variants, with a grand total of 16,738 positive detections – a 55.19% drop compared to April, when the historical high of 25,976 positive detections was recorded. Concerning distribution, we have 11 newcomers and 20 backsliders. TR/Rozena.jrrvz raked in the highest number of positive IDs (i.e., 2675), followed closely by TR/CoinMiner.uwtyu with 2316 positive IDs, and EXP/MS04-028.JPEG.A with 2280 hits. Here’s the full list of May detections.

| Malware Name | Positive Detections |
|---|---|
| TR/Rozena.jrrvz | 2675 |
| TR/CoinMiner.uwtyu | 2316 |
| EXP/MS04-028.JPEG.A | 2280 |
| TR/Rozena.rfuus | 1635 |
| TR/Trash.Gen | 1600 |
| TR/Patched.Gen | 1439 |
| TR/AD.GoCloudnet.kabtg | 1398 |
| EXP/CVE-2010-2568.A | 969 |
| TR/Downloader.Gen | 958 |
| TR/CoinMiner.wmstw | 919 |
| TR/PSInject.G1 | 916 |
| VBS/Dldr.Agent.VPET | 801 |
| W32/Run.Ramnit.C | 778 |
| TR/Dropper.Gen | 754 |
| ACAD/Bursted.AN | 698 |
| TR/Crypt.XPACK.Gen | 667 |
| TR/AD.Swotter.lckuu | 512 |
| W32/Floxif.hdc | 437 |
| ADWARE/ANDR.Boomp.FJAM.Gen | 383 |
| ACAD/Burste.K | 308 |
| TR/Crypt.XPACK.Gen2 | 295 |
| TR/Dropper.Gen5 | 269 |
| W32/Chir.B | 265 |
| WORM/Brontok.C | 224 |
| W32/Sality.Y | 214 |
| ADWARE/JsPopunder.G | 199 |
| W32/Parite | 199 |
| TR/AD.Swotter.fgqir | 195 |
| TR/Dropper.tfflr | 190 |
| EXP/PyShellCode.G | 182 |

Top 10 Malware Detailed

Let’s get around to covering those new detections.

TR/Trash.Gen

TR/Trash.Gen is trojan-type malware that’s usually contracted by visiting unsecured pornographic websites. Trash.Gen can install backdoors, ramp up CPU usage, and install adware.

TR/PSInject.G1

PSInject.G1 is a PowerShell script-carrying trojan that calls multiple cmdlets such as new-object, out-null, test-path, where-object, write-output, and write-verbose.

VBS/Dldr.Agent.VPET

Dldr.Agent.VPET is a trojan downloader. It’s used to inject and execute malicious VBS scripts on the victim’s machine.

TR/AD.Swotter.lckuu

An adware-carrying trojan used to collect host and network data from the infected machine.

ACAD/Burste.K

A ‘trojanized’ virus that infects AutoCAD .lsp (AutoLISP) files. Upon infection, the virus waits for user input in order to load the files.

TR/Dropper.Gen5

A trojan dropper used to install backdoors, deliver additional malware components or to eavesdrop on the victim.

WORM/Brontok.C

The .C variant of the Brontok worm. This malware’s distributed via email. Once inside the machine, it will create a new Windows Registry entry, disable regedit.exe, and modify several Windows Explorer settings.

W32/Sality.Y

The .Y variant of the Sality virus is used to install backdoors or connect the victim’s computer to a botnet.

ADWARE/JsPopunder.G

Adware-type malware that can display malicious popups or ads on the affected machine.

Additional Cybersecurity Tips and Parting Thoughts

This concludes the May edition of Heimdal™ Security’s threat hunting journal. Before I go, I’m going to share a couple of tips on how you can shore up your security.

  • Scanning frequency. Don’t have any type of device-scanning policy in place? Well, now would be a good time to enforce one.
  • Better AV protection. Some types of malware won’t show up on a regular AV scan. If so, I would encourage you to try out Heimdal™ Next-Gen AV & MDM, a solution that combines top-tier detection rates, brute-force detection & protection features, and more.
  • Phishing. As you know, most malware’s transmitted via email. So, if it looks suspicious, it’s probably dangerous and should, therefore, not be opened.
