Top 10 Malware July 2018
Malware activity decreased in July 2018 by 20%, which was driven by the 36% drop in the Top 10 Malware due to its return to normal levels. The June 2018 Top 10 Malware spike was because of multiple outbreaks of WannaCry and Emotet in particular agencies. Although Emotet rose from second to first in the Top 10 Malware in July 2018, overall Emotet activity dropped by 30%. The MS-ISAC previously categorized using four initial infection vectors: malspam, malvertisement, dropped, multiple. In July 2018, the MS-ISAC added the “network” category as more malware continues to abuse network protocols and tools for propagation. Because WannaCry is disseminated over networks using the EternalBlue exploit, we moved it from the malspam category to network.
In July 2018, malspam, multiple, and dropped all experienced slight increases in activity. Malspam continued to dominate as the primary infection vector with half of the Top 10 Malware being delivered by this method. Malware in the Top 10 Malware continues not to use malvertisement. The multiple category increased due to Trickbot being delivered by Emotet as well as in its own malspam campaigns. This caused Trickbot to move from the dropped vector to multiple. The dropped vector remains steady with Gh0st and Xtrat remaining in the Top 10 Malware. The network vector dropped significantly due to a WannaCry outbreak occurring in June 2018 and no outbreak occurring in July 2018.
The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor.
Malvertisement – Malware introduced through a malicious advertisement.
Multiple – Refers to malware that currently favors at least two vectors.
Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.
Network – Malware introduced through the abuse of legitimate network protocols or tools, such as SMB or remote PowerShell.
- Emotet is a modular trojan that downloads or drops banking trojans. Initial infection occurs via malspam emails that contain malicious download links, a PDF with embedded links, or a macro-enabled Word attachment. Emotet incorporates five spreader modules in order to propagate throughout a network.
- Kovter is a click fraud trojan. It is disseminated via malspam email attachments containing malicious office macros. Kovter is a fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
- ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code. ZeuS is disseminated in multiple ways, including being dropped by other malware, introduced via malvertisements, and sent via malspam.
- NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
- Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are currently six versions of Cerber and it has evolved specifically to evade detection by machine learning algorithms. Currently, v1 is the only version of Cerber for which a decryptor tool is available. Cerber is spread via malspam.
- Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.
- CoinMiner is a cryptocurrency miner that was initially disseminated via malvertising and is now primarily spread via malspam. Once a machine is infected, CoinMiner uses Windows Management Instrument (WMI) and EternalBlue to exploit SMB and spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
- Trickbot is a modular banking trojan that is known to be dropped by Emotet as well as spread via malspam campaigns. Trickbot is known to download the IcedID banking trojan. Trickbot is currently being dropped by Emotet as well as being disseminated in its own malspam campaigns.
- WannaCry is a ransomware worm that uses the EternalBlue exploit to spread. Version 1.0 has a “killswitch” domain, which stops the encryption process. Later versions are not known to have a “killswitch” domain. WannaCry is disseminated over networks using the EternalBlue exploit.
- Xtrat is a RAT that is delivered via malspam and has the capability to receive commands such as file management (download, upload, and execute files), registry management (add, delete, query, and modify registry), perform shell command, computer control (shutdown, log on/off), and screen capture.