Heimdal™'s Threat Hunting Journal is back with its May edition. As you might have expected, King Trojan reigns unchallenged with over 16,000 positive detections. There are a few newcomers this month, some of which might even give our uncrowned king a run for his money. Stay tuned for more information and goodies. Enjoy!
Top Malware Detections: 1st May – 27th May
Throughout the month of May, Heimdal™'s SOC team identified 16 Trojan variants, with a total of 16,738 positive detections – a 55.19% decrease compared to April, when a historic high of 25,976 positive detections was recorded. In terms of distribution, we have 11 newcomers and 20 returning detections. TR/Rozena.jrrvz racked up the highest number of positive detections (2675), followed by TR/CoinMiner.uwtyu with 2316 and EXP/MS04-028.JPEG.A with 2280. Here is the complete list of May detections.
| Malware name | Positive detections |
|---|---|
| TR/Rozena.jrrvz | 2675 |
| TR/CoinMiner.uwtyu | 2316 |
| EXP/MS04-028.JPEG.A | 2280 |
| TR/Rozena.rfuus | 1635 |
| TR/Trash.Gen | 1600 |
| TR/Patched.Gen | 1439 |
| TR/AD.GoCloudnet.kabtg | 1398 |
| EXP/CVE-2010-2568.A | 969 |
| TR/Downloader.Gen | 958 |
| TR/CoinMiner.wmstw | 919 |
| TR/PSInject.G1 | 916 |
| VBS/Dldr.Agent.VPET | 801 |
| W32/Run.Ramnit.C | 778 |
| TR/Dropper.Jenner | 754 |
| ACAD/Bursted.AN | 698 |
| TR/Crypt.XPACK.Gen | 667 |
| TR/AD.Swotter.lckuu | 512 |
| W32/Floxif.hdc | 437 |
| ADWARE/ANDR.Bomp.FJAM.Gen | 383 |
| ACAD/Burste.K | 308 |
| TR/Crypt.XPACK.Gen2 | 295 |
| TR/Dropper.Gen5 | 269 |
| W32/Chir.B | 265 |
| WORM/Brontok.C | 224 |
| W32/Sality.Y | 214 |
| Adware/jspounder.g | 199 |
| W32/can | 199 |
| TR/AD.Swotter.fgqir | 195 |
| TR/Dropper.tfflr | 190 |
| EXP/PyShellCode.G | 182 |
Top 10 Malware Details
Let's turn to the newcomers.
TR/Trash.Gen
TR/Trash.Gen is a Trojan-type malware that is usually picked up by visiting unsafe adult websites. Once installed, Trash.Gen can open backdoors, drive up CPU usage, and install adware.
TR/PSInject.G1
PSInject.G1 is a Trojan that carries a PowerShell script and invokes cmdlets such as New-Object, Out-Null, Test-Path, Where-Object, Write-Output, and Write-Verbose.
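The cmdlets listed above are ordinary administration cmdlets, so their presence alone says little; what matters in practice is how the script is launched. The following is an added example (not Heimdal's detection logic and not code from the original post) that triages a PowerShell command line: it decodes a -EncodedCommand payload, counts how many of the cmdlets named in the PSInject.G1 description appear, and weighs that against a hidden window or a bypassed execution policy. The cmdlet set comes from the description; the encoding abbreviations, stealth flags, weights, threshold and both sample command lines are this example's own assumptions.

```python
"""Triage a PowerShell command line for PSInject-style launches.

Added example, not Heimdal's code.  The cmdlet names come from the write-up;
the -EncodedCommand handling, the stealth-flag list, the scoring weights and
the constructed sample command lines are assumptions of this example.
"""
import base64
import re

# Cmdlets named in the TR/PSInject.G1 description, lower-cased for matching.
PSINJECT_CMDLETS = {
    "new-object", "out-null", "test-path", "where-object",
    "write-output", "write-verbose",
}

# -EncodedCommand and the abbreviations powershell.exe accepts for it
# (-e, -ec, -enc, ...) followed by the base64 blob.  Assumption of this example.
_ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Launch flags that hide the console or bypass the execution policy (assumption).
_STEALTH_RE = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b|\s-e(?:p|xecutionpolicy)\s+bypass\b",
                         re.IGNORECASE)
# Anything shaped like Verb-Noun in the (lower-cased) script text.
_CMDLET_RE = re.compile(r"\b([a-z]+-[a-z]+)\b")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def triage(cmdline):
    """Score one command line; returns the decoded script, the PSInject-style
    cmdlets it uses, the launch flags seen and a verdict."""
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    found = sorted(set(_CMDLET_RE.findall(script.lower())) & PSINJECT_CMDLETS)
    encoded = decoded is not None
    stealth = _STEALTH_RE.search(cmdline) is not None
    # Weights are an assumption: cmdlet overlap alone is weak evidence (any
    # admin script uses Where-Object); encoding plus a hidden window is what
    # usually tips a script-carrying Trojan's launch over the line.
    score = len(found) + (3 if encoded else 0) + (2 if stealth else 0)
    return {
        "script": script,
        "cmdlets": found,
        "encoded": encoded,
        "stealth_flags": stealth,
        "score": score,
        "verdict": "suspicious" if score >= 6 else "benign",
    }


def encode_command(script):
    """Produce the base64(UTF-16LE) form powershell.exe expects after -enc."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed samples (not real telemetry).  The first mimics a dropper that
# fetches a second stage only if it is not already on disk.
_CONSTRUCTED_SCRIPT = (
    "$w = New-Object System.Net.WebClient;"
    "if (-not (Test-Path $env:TEMP\\stage.ps1)) { $w.DownloadFile($u, $p) | Out-Null };"
    "Get-Process | Where-Object { $_.Name -eq 'explorer' } | Write-Output"
)
SAMPLE_ENCODED = "powershell.exe -nop -w hidden -enc " + encode_command(_CONSTRUCTED_SCRIPT)
SAMPLE_PLAIN = ("powershell.exe Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"
                " | Write-Output")

if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_PLAIN):
        r = triage(sample)
        print(r["verdict"], r["score"], r["cmdlets"])
```

Run over a Sysmon event 1 or Security 4688 command line, the decoded script is what you would hand to an analyst; the verdict is only a triage hint, and the threshold should be tuned against your own fleet's baseline of encoded-but-legitimate launches.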
VBS/Dldr.Agent.VPET
Dldr.Agent.VPET is a Trojan downloader. It is used to drop and execute malicious VBS scripts on compromised hosts.
TR/AD.Swotter.lckuu
An adware-carrying Trojan used to collect host and network data from infected machines.
ACAD/Burste.K
A Trojanized virus that infects AutoCAD .lsp files. After infection, the virus lies dormant until user action causes the infected files to be loaded.
TR/Dropper.Gen5
A Trojan dropper used to install backdoors, deliver additional malware, or eavesdrop on victims.
WORM/Brontok.C
The .C variant of the Brontok worm. This malware is distributed via email. Once on the machine, it creates new Windows registry entries, disables regedit.exe and changes several Windows Explorer settings.
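The registry changes described above are a good place to look for a Brontok-style infection after the fact, because they outlive the worm's process. The following is an added example (not Heimdal's detection logic and not code from the original post) that parses a registry export in .reg text format and reports the policy and Explorer values that match. The value names are the standard Windows ones (DisableRegistryTools under Policies\System is what blocks regedit.exe; Hidden, HideFileExt and ShowSuperHidden under Explorer\Advanced control file visibility); which of them a particular Brontok sample touches, the "Run entry from a user-writable path" heuristic, and the sample export itself are assumptions of this example.

```python
"""Check a registry export (.reg text) for Brontok-style tampering.

Added example, not Heimdal's code.  Value names are the standard Windows
policy / Explorer values; the indicator list, the autostart heuristic and the
constructed sample export are assumptions of this example.
"""
import re

_SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# (key suffix, value name, value that indicates tampering, explanation)
INDICATORS = [
    (r"Policies\System", "DisableRegistryTools", 1, "Registry Editor disabled (regedit.exe blocked)"),
    (r"Policies\Explorer", "NoFolderOptions", 1, "Folder Options menu hidden"),
    (r"Explorer\Advanced", "Hidden", 2, "hidden files not shown"),
    (r"Explorer\Advanced", "HideFileExt", 1, "known file extensions hidden"),
    (r"Explorer\Advanced", "ShowSuperHidden", 0, "protected OS files hidden"),
]


def _parse_data(data):
    """Turn the right-hand side of a .reg line into int or str."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        # .reg escapes backslashes and quotes; undo that.
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data  # hex:, hex(2): etc. are left raw


def parse_reg(text):
    """Return {(key path, value name): data} for a .reg export."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            key = m.group(2)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else ""  # "@" is the default value
            values[(key, name)] = _parse_data(m.group(3))
    return values


def _lookup(values, key_suffix, name):
    for (key, vname), data in values.items():
        if key.lower().endswith(key_suffix.lower()) and vname.lower() == name.lower():
            return data
    return None


def check_brontok_indicators(values):
    """List human-readable findings for the tampering indicators above."""
    findings = []
    for key_suffix, name, bad_value, why in INDICATORS:
        if _lookup(values, key_suffix, name) == bad_value:
            findings.append(f"{name}={bad_value}: {why}")
    # Heuristic (assumption): autostart entries launched from a user-writable
    # location deserve a look, since the worm's own copy lives there.
    for (key, vname), data in values.items():
        if key.lower().endswith(r"currentversion\run") and isinstance(data, str):
            if re.search(r"\\(appdata|temp|local settings)\\", data, re.IGNORECASE):
                findings.append(f"Run entry '{vname}' starts from user-writable path: {data}")
    return findings


# Constructed sample export (not from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\svchost.exe"
"""

if __name__ == "__main__":
    for finding in check_brontok_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

To use it on a live host, export the user's hive first (`reg export HKCU hkcu.reg /y` from an elevated prompt) and feed the file in; the export is UTF-16 with a BOM, so open it with `encoding="utf-16"`. Individual findings such as HideFileExt=1 are also the Windows default, so treat the set as corroborating evidence for the regedit lockout rather than as proof on their own.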
W32/Sality.Y
The .Y variant of the Sality virus. It is used to install backdoors or to enlist the victim's computer in a botnet.
Adware/jspounder.g
An adware-type malware that may display malicious pop-ups or ads on affected machines.
Additional cybersecurity tips and parting thoughts
This marks the end of the May issue of the Heimdal™ Threat Hunting Journal. Before I go, I'll share a few tips on how you can improve your security.
- Scanning frequency. No device-scanning policy? Now would be a good time to create one.
- Improved AV protection. Some types of malware are not caught by regular AV scans. If that is a concern, I'd encourage you to try Heimdal™'s Next-Gen Antivirus and MDM solution, which combines top-level detection rates, brute-force attack detection, further security features, and more.
- Phishing. Most malware still arrives by email. If an attachment or link seems suspicious, treat it as dangerous and don't open it.