December 2018’s Most Wanted Malware: Malware Downloader Climbs into Top 10 for First Time
January 2019 by Check Point
Check Point has published its latest Global Threat Index for December 2018. The index reveals that SmokeLoader, a second-stage downloader known to researchers since 2011, rose 11 places in December to enter the Index’s top 10 at ninth place. After a surge of activity in the Ukraine and Japan, its global impact grew by 20. SmokeLoader is mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker.
Cryptomining malware continues to lead the Index, with Coinhive retaining its number one position for the 13th month in a row and impacting 12% of organizations worldwide. XMRig was the second most prevalent malware with a global reach of 8%, closely followed by the JSEcoin miner in third with a global impact of 7%. Organizations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
The report also showed banking Trojans rising up the index, with Ramnit, a banking Trojan that steals login credentials and other sensitive data, returned to the top 10 this month in 8th place.
Maya Horowitz, Threat Intelligence and Research Group Manager at Check Point commented: “December’s report saw SmokeLoader appearing in the top 10 for the first time. Its sudden surge in prevalence reinforces the growing trend towards damaging, multi-purpose malware in the Global Threat Index, with the top 10 divided equally between cryptominers and malware that uses multiple methods to distribute numerous threats. The diversity of the malware in the Index means that it is critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”
December 2018’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
2. ↑ XMRig- Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
Triada, the modular backdoor for Android, has retained first place in the top mobile malware list. Guerilla has climbed to second place, replacing Hiddad. Meanwhile, Lotoor has replaced Android banking Trojan and info-stealer Lokibot in third place.
December’s Top 3 ‘Most Wanted’ Mobile Malware:
1. Triada - Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2. Guerilla- Android ad-clicker which has the ability to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.
3. Lotoor- Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
Check Point researchers also analyzed the most exploited cyber vulnerabilities. Holding on to first place was CVE-2017-7269, whose global impact also rose slightly to 49%, compared to 47% in November. In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global impact of 42% closely followed by PHPMyAdmin Misconfiguration Code Injection with an impact of 41%.
December’s Top 3 ‘Most Exploited’ vulnerabilities:
1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
2. ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↑ Web servers PHPMyAdmin Misconfiguration Code Injection - A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.