CIS Logo
tagline: Confidence in the Connected World

Top 10 Malware July 2019

The identified malware variants remain mostly consistent with June 2019, with the exception of the return of Cerber and Brambul activity. Top 10 malware activity accounted for 66% of total malware activity, a 3% increase over June. The proportion of top 10 malware to total malware remains above 60% since April 2019. This indicates a few highly-prolific trojans are driving the trends in malware activity. Trickbot infections account for nearly half of all malware infections. This level of Trickbot activity is consistent with the June 2019.Malware-Notifications-July-2019



In July 2019, malware utilizing multiple initiation vectors accounted for the greatest number of alerts in the Top 10 Malware list. Trickbot infections accounted for the rise in activity within the multiple category over the last 3 months. The significant decrease in the dropped vector is due to the decline in WannaCry activity. After February 2019, the malvertisement vector returned to its previous levels of non-activity, as no malware using this vector made it into the Top 10. In May 2019, the MS-ISAC disabled some duplicate and low confidence signatures associated with WannaCry, resulting in a decrease in alerts. Activity levels returned to low beginning in June 2019.


Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently, Gh0st is being dropped.

Multiple – Malware that currently favors at least two vectors. ZeuS, CoinMiner, and Trickbot are currently utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement. CoinMiner utilizes the malspam and dropped vectors. Trickbot is dropped by Emotet and also delivered via malspam.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include NanoCore, Kovter, Dridex, and Cerber.

Network – Malware introduced through the abuse of legitimate network protocols or tools, such as SMB protocol or remote PowerShell. WannaCry and Brambul use this vector.

Malvertisement – Malware introduced through malicious advertisements. Shlayer, a MacOS trojan, is the first malware since June 2018 to rely on this vector within the Top 10 Malware list.


  1. Trickbot is a modular banking trojan that is known to be dropped by Emotet as well as spread via malspam campaigns. Trickbot is also known to download the IcedID banking trojan.Gh0st
  2. Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
  3. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of it’s codebase, which indicates events classified as ZeuS may be other malware using parts of ZeuS source code.
  4. Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter maintains backdoor capabilities and uses hooks within certain Application Programming Interfaces (API) for persistence.
  5. Brambul is a system information harvester that spreads via the SMB protocol by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates lists of random IP addresses for further external attacks.
  6. NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  7. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  8. WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread via SMB protocol. WannaCry has a “killswitch” domain, which stops the encryption process.
  9. Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are currently six versions of Cerber, which evolved specifically to evade detection by machine learning algorithms. Currently, version 1 is the only version of Cerber for which a decryptor tool is available.
  10. CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.