
Top 10 Malware of October 2017

In October 2017, notifications regarding the Top 10 Malware increased by 125%, coinciding with a 75% increase in all new malware infections, compared to September 2017. The Top 10 Malware made up approximately 67% of new malware infections reported by the MS-ISAC. Every month the MS-ISAC maps the Top 10 Malware to common infection vectors. This is done by using open source observations and reports on each malware type. All Top 10 Malware infection vectors increased in October. Increases in malspam and malvertising were due to increases in Emotet and CoinMiner activity. Corebot led to an increase in dropped malware, and Kovter led to a rise in the multiple category.

October 2017 Malware Amount

October 2017 Vector

The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).

Dropped – Malware dropped by other malware already on the system or by an exploit kit.

Malvertising – Malware introduced through a malicious advertisement.

Multiple – Refers to malware that currently favors at least two vectors.

Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

  1. Emotet is a modular Trojan that downloads or drops banking Trojans. Initial infection occurs via malspam emails that contain either malicious download links, or PDF or macro-enabled Word attachments. Emotet incorporates spreader modules in order to propagate throughout a network. Currently, there are four known spreader modules: Outlook scraper, WebBrowserPassView, Mail PassView, and a credential enumerator. Emotet is known to download/drop the Pinkslipbot, Corebot, and Dridex banking Trojans.
    1. Outlook scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts;
    2. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module;
    3. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module;
    4. Credential enumerator: a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk.
  2. Kovter is a Trojan, which has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious Office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
  3. CoinMiner is a cryptocurrency miner that is initially disseminated via malvertising. Once a machine is infected, CoinMiner uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
  4. Corebot (aka Trickbot) is a banking Trojan responsible for man-in-the-browser attacks and uses webinject configurations to target financial institutions. It is historically disseminated as malspam via the Necurs botnet. Trickbot has recently added support for the EternalBlue exploit. Furthermore, like Emotet, Trickbot has added a spreader module that leverages Outlook to send itself to contacts.
  5. ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code.
  6. Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are currently 7 versions of Cerber being disseminated via spam campaigns, and Trend Micro has reported that it is evolving specifically to evade detection by machine learning algorithms. Currently, v1 is the only version of Cerber for which a decryptor tool is available.
  7. DNSChanger is malware that was very prolific in the late 2000s and early 2010s, before being dismantled by an FBI takedown. A new variant was identified in December 2016, which reportedly acts as an exploit kit targeting routers. Once infected, the routers’ DNS records are modified to point to a malicious server. DNSChanger is disseminated via malvertising and uses steganography to obfuscate its initial actions.
  8. VirLock (aka VirRansom) is a ransomware with virus capabilities that not only encrypts files but creates an .exe “copy” of the file in the same directory that is loaded with the virus. The most recent version can also spread through cloud sync, cloud storage, and collaboration applications.
  9. PCRat/Gh0st is a Remote Access Trojan (RAT) used to control infected endpoints. PCRat is dropped by other malware to create a backdoor into a device to allow an attacker to fully control the infected device.
  10. Tinba (aka Tiny Banker) is a banking Trojan, known for its small file size. Tinba uses web injection to collect victim information from login pages and web forms and is primarily disseminated via exploit kits.
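
The credential enumerator behaviour described for Emotet above (brute-forcing user accounts, then writing a service component to the reachable system) leaves a recognisable sequence in Windows logs. The following is an added example, not part of the original CIS post: a Python correlation over constructed sample events, assuming the standard Windows event IDs 4625 (failed logon), 4624 (successful logon) and 7045 (service installed). The tuple layout, thresholds and function name are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
# Layout (an assumption of this example): (time, host, event_id, source_ip, detail)
# detail is the account name for logon events and the service name for 7045.
ACCOUNTS = ["administrator", "admin", "backup", "svc_sql", "helpdesk", "administrator"]
EVENTS = [("2017-10-12T09:00:%02d" % i, "FS01", 4625, "10.0.0.23", a)
          for i, a in enumerate(ACCOUNTS)]
EVENTS += [
    ("2017-10-12T09:00:10", "FS01", 4624, "10.0.0.23", "administrator"),
    ("2017-10-12T09:00:40", "FS01", 7045, "-", "constructed-service"),
    # Benign look-alike: one mistyped password, then a driver install.
    ("2017-10-12T09:05:00", "WS07", 4625, "10.0.0.50", "jdoe"),
    ("2017-10-12T09:05:20", "WS07", 4624, "10.0.0.50", "jdoe"),
    ("2017-10-12T09:06:00", "WS07", 7045, "-", "constructed-driver-service"),
]

def find_spreader_pattern(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag hosts where one source fails many logons, then succeeds, and a
    new service is installed on the same host shortly afterwards."""
    failures = defaultdict(list)  # (host, source) -> times of failed logons
    footholds = {}                # host -> (source, account, time, failure count)
    alerts = []
    for ts, host, event_id, source, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[(host, source)].append(when)
        elif event_id == 4624:
            recent = [f for f in failures[(host, source)] if when - f <= window]
            if len(recent) >= min_failures:
                footholds[host] = (source, detail, when, len(recent))
        elif event_id == 7045 and host in footholds:
            source, account, since, count = footholds[host]
            if when - since <= window:
                alerts.append({"host": host, "source": source, "account": account,
                               "failed_logons": count, "service": detail})
    return alerts

if __name__ == "__main__":
    for alert in find_spreader_pattern(EVENTS):
        print(alert)
```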