Top 10 Malware November 2020
In November 2020, malvertisement accounted for the greatest number of alerts. Malvertisement continues to be the top initial infection vector due to Shlayer. Shlayer returned to the Top 10 Malware after new evidence resulted in its reclassification as a Trojan Downloader, compared to an Adware Dropper. Activity levels for dropped increased, while activity for malspam and malvertisement fell. Although Shlayer activity continues to decrease, it is highly likely that malvertisement will remain the primary infection vector as the Shlayer campaign persists.
Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Gh0st, Mirai, Ngioweb, and Qakbot are the only malware being dropped.
Multiple – Malware that currently favors at least two vectors. Currently, ZeuS is the only malware utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement.
Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, Dridex, Kovter, and Snugy.
Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10 Malware using this technique.
Top 10 Malware and IOCs
Below are the Top 10 Malware ranked in order of prevalence. The respective Indicators of Compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants.
All Shlayer domains follow the same pattern <api.random_name.com>. Below area several examples of domains Shlayer uses.
Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
4. Agent Tesla
Agent Tesla is a RAT that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected computer.
Snugy is a PowerShell-based backdoor that allows an attacker to obtain the system's hostname and to run commands. This backdoor communicates through a DNS tunneling channel on the compromised server.
Ngioweb is a proxy botnet that creates proxies on Linux hosts.
Has either of the below followed by 21 random numbers/letters and ending with =
Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
Qakbot is financial malware designed to target governments and businesses for financial fraud and known for its wormability on a network. Qakbot installs a keylogger to steal user credentials. It monitors network traffic, specifically traffic to online banking websites, and can piggyback on a user’s active banking session by intercepting authentication tokens. It is currently being dropped by Emotet.