CIS Logo
tagline: Confidence in the Connected World

Top 10 Malware June 2018

June 2018 reversed the downward trend in notifications that started in March 2018. In the Top 10 Malware a significant increase in WannaCry and Emotet activity led to a 95% increase in Top 10 activity. This increase drove a 60% rise in total malware. In June 2018, malspam was the only vector to experience an increase in activity with the highest rates of infections over the last three months. From May to June, malspam experienced a 147% increase in activity, largely attributed to the sharp rise in WannaCry and Emotet infections.

The vector activity trends remained consistent in June with malspam showing the predominant activity. No Top 10 Malware used malvertising for the entire second quarter of the year. Zeus activity further declined in June, leading to a decrease in the multiple vector. Dropped vector activity sustained low activity levels throughout the quarter and experienced a decline in activity in June.

June 2018 Malware

 

June 2018 Infection Vector

 

The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).

 

Dropped – Malware dropped by other malware already on the system or by an exploit kit.

Malvertisement – Malware introduced through a malicious advertisement.

Malspam – Unsolicited emails, which either direct users to download malware from malicious web sites or trick the user into opening malware through an attachment.

Multiple – Refers to malware that currently favors at least two vectors.

  1. WannaCry is a ransomware worm that uses the EternalBlue exploit to spread. Version 1.0 has a “killswitch” domain, which stops the encryption process. Later versions are not known to have a “killswitch” domain. WannaCry is disseminated via malspam.
  2. Emotet is a modular trojan that downloads or drops banking trojans. Initial infection occurs via malspam emails that contain malicious download links, a PDF with embedded links, or a macro-enabled Word attachment. Emotet incorporates five spreader modules in order to propagate throughout a network.
  3. Kovter is a click fraud trojan. It is disseminated via malspam email attachments containing malicious office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
  4. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code. ZeuS is disseminated in multiple ways, including being dropped by other malware, introduced via malvertisements, and sent via malspam.
  5. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale distributed denial of service (DDoS) attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  6. NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  7. Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are currently six versions of Cerber and it has evolved specifically to evade detection by machine learning algorithms. Currently, v1 is the only version of Cerber for which a decryptor tool is available. Cerber is spread via malspam.
  8. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.
  9. CoinMiner is a cryptocurrency miner that was initially disseminated via malvertising and is now primarily spread via malspam. Once a machine is infected, CoinMiner uses Windows Management Instrument (WMI) and EternalBlue to exploit SMB and spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
  10. Xtrat is a RAT that is delivered via malspam and has the capability to receive commands such as File Management (Download, Upload, and Execute Files), Registry Management (Add, Delete, Query, and Modify Registry), Perform Shell Command, Computer Control (Shutdown, Log on/off), and Screen capture.