March 2018’s most wanted malware: Cryptomining malware that works outside the web browser on the rise, says Check Point
April 2018 by Check Point
Check Point has published its latest Global Threat Index for the month of March, revealing a surge of cryptomining malware attacks – specifically, an endpoint cryptomining malware known as the XMRig variant.
First seen in the wild in May 2017, XMRig entered Check Point’s top ten most wanted malware index (8th) for the first time during March 2018, after a 70% increase in global impact. By working on the end point device rather than the web browser itself, XMRig is able to mine the Monero cryptocurrency without needing an active web browser session on the victim’s computer.
“Cryptomining malware has been quite the success story for cybercriminals, and XMRig’s rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve,” said Maya Horowitz, Threat Intelligence Group Manager at Check Point. “Besides slowing down PCs and servers, cryptomining malware can spread laterally once inside the network, posing a major security threat to its victims. It is therefore critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”
In March, Coinhive retained its most wanted spot for the fourth consecutive month impacting 18% of organizations, followed by the Rig EK Exploit Kit in second (17%) while the Cryptoloot miner was third (impacting 15%). XMRig was the 8th most common malware variant, impacting 5% of organizations.
March’s 2018’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
1. ↔ Coinhive – Crypto-Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval
2. ↑ Rig EK - Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer.
3. ↑ Cryptoloot - Crypto-Miner that uses the victim’s CPU or GPU power and existing resources to add transactions to the blockchain and releasing new currency.
Lokibot, an Android banking Trojan which grants super user privileges to download malware, was the most popular malware used to attack organizations’ mobile estates followed by the Triada and Hiddad.
March’s Top 3 ‘Most Wanted’ mobile malware:
1. Lokibot - Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone.
2. Triada - Modular Backdoor for Android which grants superuser privileges to downloaded malware.
3. Hiddad- Android malware which repackages legitimate apps then releases them to a third-party store.
For the first time Check Point researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-10271 came first with a global impact of 26%, in second place was the SQL injection vulnerability impacting 19%, and in third place was CVE-2015-1635 with a global impact of 12% of organizations.
March’s Top 3 ‘Most Wanted’ vulnerabilities:
1. Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)- A remote code execution vulnerability exists within Oracle WebLogic WLS. This is due to the way Oracle WebLogic handles xml decodes. A successful attack could lead to a remote code execution.
2. SQL Injection- Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
3. Microsoft Windows HTTP.sys Remote Code Execution (MS15-034: CVE-2015-1635)- A remote code execution vulnerability has been reported in Windows OS. The vulnerability is due to an error in the way HTTP.sys handles a malicious HTTP header. Successful exploitation would result in a remote code execution.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud draws upon a wide variety of intelligence feeds coming from advanced in-house malware and threat research, AI algorithms and automated processes, partnerships and open sources in order to deliver threat data and attack trends. As the world’s largest threat intelligence network, ThreatCloud detects hundreds of millions of malicious events a day, collecting information from over a hundred thousand gateways and millions of endpoints worldwide.