Top 10 Malware of September 2017

In September 2017, notifications regarding the Top 10 Malware decreased by 13% compared to August 2017, coinciding with a 19% decrease in all new malware infections. The Top 10 Malware made up approximately 53% of new malware infections reported by the MS-ISAC. Every month, the MS-ISAC maps the Top 10 Malware to common infection vectors, using open source observations and reports on each malware type. The MS-ISAC observed a decrease in malspam in September due to a decrease in Emotet activity. There were also slight increases in dropped and malvertisement activity.

September Malware Amount

September Malware Vector

The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).

Dropped – Malware dropped by other malware already on the system or by an exploit kit.

Malvertising – Malware introduced through a malicious advertisement.

Multiple – Refers to malware that currently favors at least two vectors.

Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

1. Kovter is a Trojan that has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious Office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.

2. Emotet is a banking malware variant that uses malicious macros with either malicious embedded links or attachments. Emotet levels dropped for most of September, with a rise occurring at the end of September due to the start of a new campaign. This rise has continued into October. Emotet is disseminated via malspam campaigns. A recent evolution in functionality adds spreader modules to Emotet. This builds on a recent trend of adding propagation tools and techniques to ransomware, a trend that crimeware is now adopting.

3. ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code.

4. Ursnif, and its variant Dreambot, are banking Trojans known for weaponizing Word documents. Ursnif uses web injection to collect victim information from login pages and web forms. Ursnif is currently being delivered via malspam.

5. EITest is an exploit kit that injects a script that causes either a fake anti-virus alert or the fake HoeflerText popup to occur. The HoeflerText popup, if clicked, causes the user to download a NetSupport Manager RAT. EITest is delivered via malvertising.

6. DNSChanger is malware that was very prolific in the late 2000s and early 2010s, before being dismantled by an FBI takedown. A new variant was identified in December 2017, which reportedly acts as an exploit kit targeting routers. Once infected, the routers’ DNS records are modified to point to a malicious server. DNSChanger is disseminated via malvertising and uses steganography to obfuscate its initial actions.

7. PCRat/Gh0st is a Remote Access Trojan (RAT) used to control infected endpoints. PCRat is dropped by other malware to create a backdoor into a device to allow an attacker to fully control the infected device.

8. VirLock is ransomware with virus capabilities that not only encrypts files but also creates virus-loaded “.exe” copies of infected files in the same directory. The most recent version can also spread through cloud sync, cloud storage, and collaboration applications.

9. Ponmocup is a downloader associated with one of the largest and longest-running botnets, active since 2006. Ponmocup is usually disseminated through an infected web page as a malvertisement.

10. Floxif is an information gathering backdoor Trojan that was primarily spread in September by an infected version of CCleaner. The MS-ISAC Cyber Alert regarding this supply chain compromise is available online here.