Heimdal Security Blog

Threat Hunting Journal May 2022 Edition

Heimdal™ returns with the May edition of our threat hunting journal. As you might have expected, king trojan reigns unhindered with over 16,000 positive detections. There are a couple of newcomers, some of which may give our uncrowned monarch a run for his money. Stick around for more information and goodies. Enjoy!

Top Malware(s) Detections: 1st of May – 27th of May

Throughout May, Heimdal™’s SOC team detected 16 trojan variants, with a grand total of 16,738 positive detections – a 55.19% drop compared to April, when the historical high of 25,976 positive detections was recorded. Concerning distribution, we have 11 newcomers and 20 backsliders. TR/Rozena.jrrvz raked in the highest number of positive IDs (i.e., 2675), followed closely by TR/CoinMiner.uwtyu with 2316 positive IDs, and EXP/MS04-028.JPEG.A with 2280 hits. Here’s the full list of May detections.

Malware Name | Positive Detections
TR/Rozena.jrrvz | 2675
TR/CoinMiner.uwtyu | 2316
EXP/MS04-028.JPEG.A | 2280
TR/Rozena.rfuus | 1635
TR/Trash.Gen | 1600
TR/Patched.Gen | 1439
TR/AD.GoCloudnet.kabtg | 1398
EXP/CVE-2010-2568.A | 969
TR/Downloader.Gen | 958
TR/CoinMiner.wmstw | 919
TR/PSInject.G1 | 916
VBS/Dldr.Agent.VPET | 801
W32/Run.Ramnit.C | 778
TR/Dropper.Gen | 754
ACAD/Bursted.AN | 698
TR/Crypt.XPACK.Gen | 667
TR/AD.Swotter.lckuu | 512
W32/Floxif.hdc | 437
ADWARE/ANDR.Boomp.FJAM.Gen | 383
ACAD/Burste.K | 308
TR/Crypt.XPACK.Gen2 | 295
TR/Dropper.Gen5 | 269
W32/Chir.B | 265
WORM/Brontok.C | 224
W32/Sality.Y | 214
ADWARE/JsPopunder.G | 199
W32/Parite | 199
TR/AD.Swotter.fgqir | 195
TR/Dropper.tfflr | 190
EXP/PyShellCode.G | 182
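The figures above (16 trojan variants, 16,738 trojan detections, the 55.19% relationship to April's 25,976) can be checked directly from the table, which is a habit worth keeping when reading any vendor's detection statistics. The script below is an added example and not Heimdal's own code: it parses the rows as printed in this post, groups them by the class prefix in front of the slash in each detection name, and reproduces the trojan count and total. The meaning assigned to each prefix (TR = trojan, EXP = exploit, W32 = Win32 file infector, and so on) is an assumption based on common antivirus naming conventions, not something the post states.

```python
# Added example (not Heimdal's code): parse the May detection table from the
# post above and aggregate positive detections by detection-name class prefix.
import re
from collections import Counter

# Rows copied verbatim from the table in this post.
DETECTION_TABLE = """
TR/Rozena.jrrvz 2675
TR/CoinMiner.uwtyu 2316
EXP/MS04-028.JPEG.A 2280
TR/Rozena.rfuus 1635
TR/Trash.Gen 1600
TR/Patched.Gen 1439
TR/AD.GoCloudnet.kabtg 1398
EXP/CVE-2010-2568.A 969
TR/Downloader.Gen 958
TR/CoinMiner.wmstw 919
TR/PSInject.G1 916
VBS/Dldr.Agent.VPET 801
W32/Run.Ramnit.C 778
TR/Dropper.Gen 754
ACAD/Bursted.AN 698
TR/Crypt.XPACK.Gen 667
TR/AD.Swotter.lckuu 512
W32/Floxif.hdc 437
ADWARE/ANDR.Boomp.FJAM.Gen 383
ACAD/Burste.K 308
TR/Crypt.XPACK.Gen2 295
TR/Dropper.Gen5 269
W32/Chir.B 265
WORM/Brontok.C 224
W32/Sality.Y 214
ADWARE/JsPopunder.G 199
W32/Parite 199
TR/AD.Swotter.fgqir 195
TR/Dropper.tfflr 190
EXP/PyShellCode.G 182
"""

# Assumed prefix meanings (common AV naming convention; not stated in the post).
CLASS_LABELS = {
    "TR": "trojan",
    "EXP": "exploit",
    "W32": "Win32 file infector",
    "WORM": "worm",
    "VBS": "VBScript downloader",
    "ACAD": "AutoCAD/AutoLISP infector",
    "ADWARE": "adware",
}

# One detection name (no whitespace) followed by an integer hit count.
ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<hits>\d+)$")


def parse_table(text):
    """Return a list of (detection_name, hits) tuples; reject malformed rows."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append((m["name"], int(m["hits"])))
    return rows


def class_of(name):
    """Class prefix is everything before the first '/' (e.g. 'TR/Rozena.jrrvz' -> 'TR')."""
    return name.split("/", 1)[0]


def aggregate_by_class(rows):
    """Return (hits per class, distinct variants per class)."""
    totals, variants = Counter(), Counter()
    for name, hits in rows:
        cls = class_of(name)
        totals[cls] += hits
        variants[cls] += 1
    return totals, variants


def percent_above(a, b):
    """How many percent a exceeds b, i.e. (a - b) / b * 100."""
    return (a - b) / b * 100


if __name__ == "__main__":
    rows = parse_table(DETECTION_TABLE)
    totals, variants = aggregate_by_class(rows)
    for cls, hits in totals.most_common():
        label = CLASS_LABELS.get(cls, cls)
        print(f"{label:28s} {variants[cls]:2d} variants {hits:6d} hits")
    print(f"all classes: {sum(totals.values())} hits across {len(rows)} rows")
    print(f"April's 25,976 is {percent_above(25976, totals['TR']):.2f}% above May's trojan total")
```

Summing only the TR/ rows gives exactly 16 variants and 16,738 hits, which is what the post's "16 trojan variants" figure refers to; the whole table, all classes included, comes to 24,675. The 55.19% figure reproduces as April's 25,976 relative to May's 16,738 trojan total. Grouping by prefix like this is also a quick way to see that two classes, trojans and exploits, account for the bulk of the month's volume.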

Top 10 Malware Detailed

Let’s get around to covering those new detections.

TR/Trash.Gen

TR/Trash.Gen is trojan-type malware that’s usually contracted by visiting unsecured pornographic websites. Trash.Gen can install backdoors, ramp up CPU usage, and install adware.

TR/PSInject.G1

PSInject.G1 is a PowerShell script-carrying trojan that invokes multiple cmdlets such as New-Object, Out-Null, Test-Path, Where-Object, Write-Output, and Write-Verbose.

VBS/Dldr.Agent.VPET

Dldr.Agent.VPET is a trojan downloader. It’s used to inject and execute malicious VBS scripts on the victim’s machine.

TR/AD.Swotter.lckuu

An adware-carrying trojan used to collect host and network data from the infected machine.

ACAD/Burste.K

A ‘trojanized’ virus that affects AutoCAD .lsp (AutoLISP) files. Upon infection, the virus waits for user input in order to load the files.

TR/Dropper.Gen5

A trojan dropper used to install backdoors, deliver additional malware components or to eavesdrop on the victim.

WORM/Brontok.C

The .C variant of the Brontok worm. This malware is distributed via email. Once inside the machine, it will create a new Windows Registry entry, disable regedit.exe, and modify several Windows Explorer settings.

W32/Sality.Y

The .Y variant of the Sality virus is used to install backdoors or connect the victim’s computer to a botnet.

ADWARE/JsPopunder.G

An adware-type malware. Can display malicious popups or ads on the affected machine.

Additional Cybersecurity Tips and Parting Thoughts

This concludes the May edition of Heimdal™ Security’s threat hunting journal. Before I go, I’m going to share a couple of tips on how you can shore up your security.
