CIS Logo
tagline: Confidence in the Connected World
HomeResourcesBlog postTop 10 Malware November 2017

Top 10 Malware November 2017

In November 2017 notifications regarding the Top 10 Malware decreased by 41%, coinciding with an overall 45% decrease in all new malware infections, compared to October 2017. The Top 10 Malware made up 72% of all new malware infections reported by the MS-ISAC in November. This is five percentage points higher than the Top 10 Malware accounted for in October 2017, continuing a rising trend since July 2017. Every month the MS-ISAC maps the Top 10 Malware to common infection vectors. This is done by using open source observations and reports on each malware type. The Malspam vector increased slightly and the Multiple vector decreased significantly in November, due to Kovter’s vector returning from Multiple to Malspam. Kovter’s brief change to Multiple was due to a Kovter malvertising campaign observed in October 2017. The drop in Malvertising is due to a decrease in CoinMiner.

Top 10 Malware Nov 2017

Top 10 Malware Infection Vectors

The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).

Dropped – Malware dropped by other malware already on the system or by an exploit kit.

Malvertising – Malware introduced through a malicious advertisement.

Multiple – Refers to malware that currently favors at least two vectors.

Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

  1. Kovter is a Trojan, which has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious office macros. Kovter is a fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
  2. Emotet is a modular Trojan that downloads or drops banking Trojans. Initial infection occurs via malspam emails that contain malicious download links, a PDF with embedded links, or a macro-enabled Word attachment. Emotet incorporates spreader modules in order to propagate throughout a network. Emotet is known to download/drop the Pinkslipbot and Dridex banking Trojans. Currently, there are four known spreader modules: Outlook scraper, WebBrowserPassView, Mail PassView, and a credential enumerator.
    1. Outlook Scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out phishing emails from the compromised account;
    2. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module;
    3. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module;
    4. Credential Enumerator: a self-extracting RAR file containing a bypass and a service component. The bypass component is used for enumeration of network resources and either finda writable share drives or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk.
  3. CoinMiner is a cryptocurrency miner that was initially disseminated via malvertising. Once a machine is infected, CoinMiner uses Windows Management Instrument (WMI) and EternalBlue to exploit SMB and spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
  4. ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code.
  5. Ramnit is an evolving, persistent banking Trojan that emerged in 2010 as a worm and evolved into a banking Trojan by using the exposed Zeus source code. A partial takedown of the Ramnit infrastructure occurred in 2015. Ramnit targets online banking sessions, as well as gather credentials from infected users, and is currently being dropped by the RIG Exploit Kit.
  6. Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are currently 7 versions of Cerber being disseminated via malspam campaigns and it has been reported by Trend Micro as evolving specifically to evade detection by machine learning algorithms. Currently, v1 is the only version of Cerber for which a decryptor tool is available.
  7. MyDoom is a botnet Trojan that conducts DoS attacks. MyDoom’s initial infection vector is malspam sent as a malicious attachment. MyDoom was first observed in 2004. MyDoom targets and after initial infection, spreads via SMTP services.
  8. PCRat/Gh0st is a Remote Access Trojan (RAT) used to control infected endpoints. PCRat is dropped by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.
  9. Loki Bot is a banking Trojan that is sent as a malicious attachment via malspam. Recent Loki Bot campaigns have been using .iso attachments labeled as a “payment document” to distribute the malware. Loki Bot is a login credential stealer.
  10. Ursnif is a banking Trojan known for weaponizing documents delivered via malspam. Ursnif recently upgraded its web injection attacks. Ursnif collects victim information from login pages and web forms.