Top 10 Malware January 2019

Overall, malware activity increased 61% from December 2018 to January 2019. Top 10 Malware activity made up 52% of malware notifications sent, a decrease of 10% from December 2018. This is the first time since December 2017 that Top 10 Malware activity has accounted for less than 60% of total malware activity. The shift in makeup is due to a multi-month decrease in activity by the most prolific malware: Emotet, WannaCry, and Kovter.




In January 2019, the dropped, multiple, and malspam categories experienced an increase in activity, while the network category experienced a decrease. Malspam was the primary infection vector in January, absorbing Emotet, Kovter, Dridex, and NanoCore activity. Activity associated with the network vector decreased as Brambul, an infostealer, did not make the Top 10 list. This leaves WannaCry as the only malware utilizing the network vector, which it does by abusing the Server Message Block (SMB) protocol. The multiple category increased slightly due to a rise in ZeuS activity. IcedID, Pushdo, Gh0st, and Mirai notifications sustained the dropped category’s elevated activity from the previous month.



The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor.

Multiple – Refers to malware that currently favors at least two vectors.

Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

Network – Malware introduced through the abuse of legitimate network protocols or tools, such as SMB or remote PowerShell.

  1. Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network. In December 2018, Emotet was observed using a new module that exfiltrates email content.
  2. WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread via the SMB protocol. Version 1.0 has a “killswitch” domain, which stops the encryption process.
  3. Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
  4. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
  5. Dridex is a banking malware variant that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
  6. IcedID is a modular banking Trojan targeting banks, payment card providers, and payroll websites. IcedID utilizes the same distribution infrastructure as Emotet. The malware can monitor a victim’s online activity by setting up local proxies for traffic tunneling, employing web injection and redirection attacks. It propagates across a network by infecting terminal servers.
  7. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  8. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  9. NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  10. Pushdo is a botnet that has been active since 2007 and operates as a service for malware and spam distribution. Pushdo is known to distribute the Cutwail spambot. The malware uses encrypted communication channels and domain generation algorithms to send instructions to its zombie hosts.