CIS Logo
tagline: Confidence in the Connected World

Top 10 Malware November 2018

Overall malware activity remained steady from October to November 2018. Top 10 Malware activity made up 63% of malware notifications sent, an increase of one percent from October 2018 and continuing the 2018 trend of making up over 60% of overall malware activity. This is a reversal from 2017, where most of the year the Top 10 Malware made up under 60% of observed malware activity.


Although notifications related to 7 of the 10 malware types in the Top 10 Malware list decreased, this decline was offset by an increase in WannaCry notifications. WannaCry more than doubled with a 119% increase in activity. Spikes in WannaCry occur due to its virulent nature on networks susceptible to the EternalBlue exploit, which takes advantage of the Server Message Block (SMB) protocol.


In November 2018, the dropped, multiple, and malspam vectors experienced a decrease in activity. Malspam continues to dominate as the primary infection vector with 47% of the Top 10 Malware notifications being delivered by this method, even though the malspam category continued a three month decline. Activity associated with the network vector more than doubled due to increased WannaCry infections. The multiple category remained steady as ZeuS activity remains consistent. The dropped vector declined slightly though we continue to see steady Gh0st and Mirai activity.


  1. WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread via SMB. Version 1.0 has a “killswitch” domain, which stops the encryption process.
  2. Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network. In October 2018, Emotet updated its Outlook scraper module to exfiltrate email content.
  3. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
  4. Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
  5. CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
  6. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale distributed denial of service (DDoS) attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  7. NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  8. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  9. Smoke Loader is distributed via malicious spam campaigns and is used to download additional pieces of malware post initial infection. After deployment Smoke Loader deletes the original executable in order to avoid detection. Additionally, the malware evades detection through the changing of its executable timestamp to avoid surfacing within recently modified files.
  10. Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.