Top Malware Variants in 2022
Malware is malicious, intrusive software designed to damage or disable endpoints and computer systems. As an ever-broadening term, it represents a huge cyber threat across all environments. Because the subject is so vast, it is important for security professionals to constantly share information about the most dangerous malware. The more knowledge we share, the better we can protect our environments and avoid business disruption. These are the top malware variants currently in the spotlight and worth watching out for in the rest of 2022 and beyond.
Shlayer is a malvertisement: malware introduced through malicious advertisements. Malvertising is one of the top initial infection vectors, and Shlayer is one of the most prolific examples currently in use. Attackers keep producing new ways to get this malware onto computers, most of which hinge on social engineering. Shlayer has been particularly successful in permeating much of the education sector.
The malware is a downloader and dropper for macOS, primarily distributed through malicious websites, hijacked domains, and malvertising, posing as a fake Adobe Flash updater. In most cases, the fake Adobe Flash Player update prompted users to install the malware. First introduced in 2018, it has been the most common threat on the macOS platform, with many attacks against users in the U.S. (31%). There has also been evidence of links to malware downloads in the descriptions of YouTube videos and in the footnotes of Wikipedia articles.
Malicious links associated with Shlayer:
In August 2022, security firm hunters uncovered “several” active malware infections on the Black Hat conference network while helping to protect the infosec event’s Network Operations Center (NOC). One of the infections was Shlayer, which had fully compromised a victim’s macOS computer.
Zeus is a Trojan horse malware package, also known as ZBOT, that runs on versions of Microsoft Windows. It is often used to steal banking information through man-in-the-browser keystroke logging and form grabbing. The strain has been used to steal hundreds of millions of dollars from bank accounts by secretly installing itself on devices of all sizes throughout the United States and Europe. Once the desired credentials are obtained, Automated Clearing House (ACH) transfers are initiated, typically several of them, to “mules” recruited through work-at-home schemes. These mules are usually paid to receive the payments and move them along to the fraudsters while keeping a percentage of the transfer.
The source code has been publicly available since 2011, allowing several variants to be developed. ZeuS and its spinoffs can be spotted all over the web, and notable variants such as Citadel, Gameover, and Atmos remain in the current spotlight. Newly emerging variants can also infect mobile operating systems.
NanoCore is a Remote Access Trojan (RAT), first discovered in 2013. It is now spread through malspam campaigns that rely on social engineering: the email contains a fake bank payment receipt and request for quotation, with malicious attachments using either a .img or .iso extension. These extensions belong to disk image files, which store raw dumps of a magnetic disk or optical disc. Since its discovery in 2013, NanoCore has gone through multiple versions.
NanoCore gathers the following data and sends it to its servers:
- Browser’s usernames and passwords
- File Transfer Protocol (FTP) clients
- Email credentials of popular mail clients
NanoCore communicates with its C2 server over ports 6666 and 4782, moving the stolen data out over those connections. The stolen data is used to carry out various malicious activities, such as manipulating confidential files and hijacking the webcam and microphone. The victims are then asked to pay a fee to get the stolen data back.
Gh0stCringe, also called CirenegRAT, is a RAT that targets poorly protected, unmonitored Microsoft SQL and MySQL database servers for credential harvesting and data exfiltration. First spotted in December 2018, the threat evolved from the publicly released Gh0st RAT source code, then resurfaced in 2020 in China-linked cyber espionage attacks against governmental and corporate networks in the United States. The notorious Gh0st RAT was used by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
The majority of Gh0stCringe’s code is unique, setting it well apart from typical variants. The RAT connects to the C2 server and performs various malicious actions after accepting custom commands from the attacker. Keylogging, used to steal login credentials or other sensitive data, can be started by a command or activated based on the settings data. Gh0stCringe uses a specific keylogging technique, Windows polling (via the GetAsyncKeyState() API).
Besides keylogging, Gh0stCringe accepts various commands from the C2 server, including stealing data saved to the clipboard, updating the malware, checking whether a certain process is running, and connecting to a specific URL. Administrators should use difficult-to-guess passwords and change them periodically to protect the database server from brute-force attacks.
RedLine is an information stealer that targets popular browsers such as Chrome or Edge. It is available for purchase on cyber-crime forums and, most often, is delivered through email campaigns. The malware peaked during the COVID-19 pandemic, when most campaigns used a COVID-19 lure to deliver RedLine via a URL in email messages. Because RedLine is sold on various forums, its capabilities, targets, and campaigns vary with the version purchased.
RedLine typically targets the ‘Login Data’ file found in all Chromium-based web browsers, where information such as credentials, cookies, and banking details is saved. Even if the infected computer has an anti-malware solution installed, it may fail to detect and remove this malware. Once collected, the stolen information can be used to orchestrate new attacks or monetized by selling it on deep web markets.
The malware is written in C# and uses a SOAP API to communicate with a C2 server. The info stealer also has remote functionality, enabling it to download further malicious tools or deliver additional programs. It is important to remain cautious about messages with embedded links or file attachments that could lead to the deployment of additional malicious programs.
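The two NanoCore indicators given above, disk-image attachments (.img/.iso) in malspam and C2 traffic on ports 6666 and 4782, can both be checked mechanically. The following is an added example, not code from the original post or from any vendor: it verifies a disk-image attachment by its content signature (the ISO 9660 “CD001” volume descriptor, or the 0x55AA boot-sector marker common to raw disk images) rather than by extension alone, and flags connections to the named C2 ports in a connection log. The log-line format and all sample bytes are constructed for the example; the port list is only the one the text names.

```python
"""Added example: defensive checks for the NanoCore indicators described above.
(1) triage of e-mail attachments that claim to be disk images (.img / .iso),
    checked by content signature rather than by trusting the file extension;
(2) flagging connections to the C2 ports 6666 and 4782 in a connection log.
All sample bytes and log lines below are constructed for this example."""
from __future__ import annotations

import os
import re

DISK_IMAGE_EXTENSIONS = {".iso", ".img"}
ISO9660_MAGIC_OFFSET = 0x8001        # primary volume descriptor: type byte 0x01, then "CD001"
ISO9660_MAGIC = b"CD001"
MBR_SIGNATURE_OFFSET = 510           # raw disk images commonly end sector 0 with 0x55 0xAA
MBR_SIGNATURE = b"\x55\xaa"
NANOCORE_C2_PORTS = {6666, 4782}     # ports named in the text above


def disk_image_kind(data: bytes) -> str | None:
    """Return 'iso9660' or 'raw-disk' when the bytes carry a disk-image signature."""
    if data[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)] == ISO9660_MAGIC:
        return "iso9660"
    if data[MBR_SIGNATURE_OFFSET:MBR_SIGNATURE_OFFSET + len(MBR_SIGNATURE)] == MBR_SIGNATURE:
        return "raw-disk"
    return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the extension and the content signature into a verdict with a reason."""
    ext = os.path.splitext(filename.lower())[1]
    kind = disk_image_kind(data)
    if kind and ext in DISK_IMAGE_EXTENSIONS:
        reason = f"{kind} disk image attachment"
    elif kind:
        reason = f"{kind} content hidden behind '{ext}' extension"
    elif ext in DISK_IMAGE_EXTENSIONS:
        reason = "disk-image extension without a disk-image signature"
    else:
        reason = "no disk-image indicators"
    suspicious = kind is not None or ext in DISK_IMAGE_EXTENSIONS
    return {"filename": filename, "suspicious": suspicious, "reason": reason}


# Constructed connection-log shape: "<ts> src=A:port dst=B:port proto=tcp"
CONN_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def flag_c2_connections(log_lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for each connection to a NanoCore C2 port."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if m and int(m["dport"]) in NANOCORE_C2_PORTS:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


# --- constructed sample data -------------------------------------------------
_iso = bytearray(ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC))
_iso[ISO9660_MAGIC_OFFSET - 1] = 0x01
_iso[ISO9660_MAGIC_OFFSET:] = ISO9660_MAGIC
SAMPLE_ISO = bytes(_iso)                     # minimal ISO 9660 header
SAMPLE_IMG = bytes(510) + MBR_SIGNATURE      # minimal raw boot sector
SAMPLE_PDF = b"%PDF-1.4\n%constructed benign attachment\n"

SAMPLE_CONN_LOG = [
    "2022-08-10T12:00:01Z src=10.0.0.15:51234 dst=198.51.100.7:4782 proto=tcp",
    "2022-08-10T12:00:02Z src=10.0.0.15:51235 dst=198.51.100.7:443 proto=tcp",
    "2022-08-10T12:00:09Z src=10.0.0.22:60111 dst=203.0.113.50:6666 proto=tcp",
]

if __name__ == "__main__":
    for name, blob in [("payment_receipt.iso", SAMPLE_ISO), ("quotation.img", SAMPLE_IMG),
                       ("invoice.pdf", SAMPLE_PDF), ("invoice.pdf", SAMPLE_ISO)]:
        print(triage_attachment(name, blob))
    print(flag_c2_connections(SAMPLE_CONN_LOG))
```

The content check matters in both directions: a mail gateway that blocks only by extension misses a disk image renamed to `.pdf`, while a `.iso` with no volume descriptor is itself worth a look. Destination port alone is a weak indicator, since NanoCore operators can choose other ports and legitimate software may use these; treat a hit as a pivot for further investigation rather than a verdict.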
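Strong, rotated passwords are the first line of defense named above; the second is noticing the brute-force attempts themselves, since both MySQL and SQL Server log every failed login. The following is an added example, not code from the original post or from either database vendor: it parses authentication-failure lines in the shape of the MySQL error log and the SQL Server ERRORLOG, then applies a sliding window per source IP to flag hosts that exceed a failure threshold. The log lines are constructed sample data, and the threshold and window (5 failures in 60 seconds) are assumed values to tune for your environment.

```python
"""Added example: detect password brute-force attempts against MySQL / Microsoft SQL
Server from their authentication-failure log lines.  All log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# MySQL 8 error-log shape: "<ts>Z <thread> [Note] Access denied for user 'u'@'ip' ..."
MYSQL_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+\d+\s+\[\w+\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<ip>[^']+)'"
)
# SQL Server ERRORLOG shape: "<ts> Logon  Login failed for user 'u'. ... [CLIENT: ip]"
MSSQL_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(lines):
    """Return (timestamp, source_ip, user) for every recognised failure line."""
    events = []
    for line in lines:
        m = MYSQL_DENIED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, m["ip"], m["user"]))
            continue
        m = MSSQL_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside any window_seconds span.
    Sliding window per IP; returns {ip: peak failures seen in one window}."""
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()            # drop failures older than the window
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# --- constructed sample log (mixed MySQL and SQL Server lines) --------------------
SAMPLE_LOG = (
    # MySQL: six failures from 203.0.113.9 within 25 seconds -> brute force
    [f"2022-08-10T12:00:{s:02d}.000001Z {20 + i} [Note] Access denied for user "
     f"'root'@'203.0.113.9' (using password: YES)"
     for i, s in enumerate(range(1, 30, 5))]
    # MySQL: a single mistyped password from an internal host -> benign
    + ["2022-08-10T12:03:40.000001Z 31 [Note] Access denied for user 'app'@'198.51.100.4' "
       "(using password: YES)"]
    # SQL Server: five failures from 192.0.2.77 within 20 seconds -> brute force
    + [f"2022-08-10 12:10:{s:02d}.12 Logon       Login failed for user 'sa'. Reason: Password "
       f"did not match that for the login provided. [CLIENT: 192.0.2.77]"
       for s in range(0, 25, 5)]
    # unrelated line that must be ignored
    + ["2022-08-10T12:11:00.000001Z 40 [System] /usr/sbin/mysqld: ready for connections."]
)

if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    print(f"{len(events)} failed logins parsed")
    for ip, peak in detect_bruteforce(events).items():
        print(f"brute force suspected from {ip}: {peak} failures in one window")
```

Run against real logs, the same two regexes apply to MySQL's default error log and to SQL Server's ERRORLOG (failed-login auditing must be enabled on SQL Server for those lines to appear). The sliding window rather than a per-hour bucket avoids missing a burst that straddles a bucket boundary; pairing a hit with the "difficult-to-guess passwords" advice above is what actually stops a Gh0stCringe-style campaign, because an account with a weak password falls before any alert fires.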
Top Malware Variants Don’t Disappear
The top malware variants will constantly change and go in and out of use, so it is important for cyber security professionals to keep sharing their knowledge. Here at BreachQuest, we are at the cutting edge of cyber security. From our Technically Speaking posts (Windows Virtual Golden Image “Do’s and Don’ts”) and our detailed research papers (The Conti Leaks: Insight into a Ransomware Unicorn) to general information (Simple Steps for Securing an Executive’s Home Office Cyber Security), we will always be sharing our findings on our blog.