RoughTed Malvertising Peaks in June, According to Check Point’s Latest Global Threat Impact Index
July 2017 by Check Point
Check Point® Software Technologies Ltd. has revealed that 28% of organizations globally were affected by the RoughTed malvertising campaign during June, according to the company’s latest Global Threat Impact Index.
A large-scale malvertising campaign, RoughTed is used to deliver links to malicious websites and payloads such as scams, adware, exploit kits and ransomware. It began to spike in late May, before continuing to peak in June, impacting organizations in 150 countries. The organizations most affected by RoughTed were in communications, education, and retail & wholesale. Malvertising-related infection rates have spiked in recent months because attackers need only compromise one online ad provider to reach a wide range of victims with little effort: there is no need to maintain a heavy distribution infrastructure for the malware.
Second-placed Fireball, which impacted 20% of organizations in May, declined sharply and affected only 5% of businesses in June. The Slammer worm was the third most common variant, impacting 4% of organizations.
The most prevalent malware highlights the wide range of attack vectors and targets cyber-criminals are utilizing, impacting all stages of the infection chain. In contrast to RoughTed, Fireball takes over target browsers and turns them into zombies, which it can then use for a wide range of actions including dropping additional malware or stealing valuable credentials, while Slammer is a memory-resident worm that can cause denial of service attacks.
This wide variety of attack vectors was reflected throughout the top ten most common malware, which included the Cryptowall (4th) and Jaff (6th) ransomware, HackerDefender, a user-mode rootkit used to hide files, and Zeus (9th), a banking Trojan.
June 2017’s Top 3 ‘Most Wanted’ Malware:
*The arrows indicate the change in rank compared to the previous month.
1. ↑ RoughTed: Large-scale malvertising used to deliver links to various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
2. ↓ Fireball: Browser-hijacker that can be turned into a fully functioning malware downloader. It is capable of executing any code on the victim's machine, resulting in a wide range of actions from stealing credentials to dropping additional malware.
3. ↑ Slammer: Memory-resident worm that targets Microsoft SQL 2000. By propagating rapidly, the worm can cause a denial of service condition on affected targets.
In mobile malware, Hummingbad was the most common variant, closely followed by Hiddad and Lotoor:
Top 3 ‘Most Wanted’ mobile malware:
1. Hummingbad: Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a keylogger, stealing credentials and bypassing encrypted email containers used by enterprises.
2. Hiddad: Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
3. Lotoor: Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
“Throughout May and June organizations have been heavily focused on ensuring that they are protected against ransomware, in response to the high-profile WannaCry and Petya attacks,” commented Maya Horowitz, Threat Intelligence Group Manager at Check Point. “However, the wide variety of attack vectors being utilized in this month’s index serves as a reminder to organizations that they need to ensure their security infrastructures robustly protect them against all tactics and methods used by cyber-criminals. Organizations in every industry sector need a multi-layered approach to their cybersecurity. Our SandBlast™ Zero-Day Protection and Mobile Threat Prevention, for example, protect against the widest range of continually evolving attack types, and also protect against zero-day malware variants.”
Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.