
Top 10 Malware October 2018

October 2018 experienced a 20% decrease in new notifications and a 24% decrease in new malware activity. The decrease in new notifications is attributed to a reduction in ColdFusion and Apache Struts exploitation attempts. The decrease in new malware activity is attributed to decreases in Emotet, Kovter, and WannaCry activity.

In October 2018, the dropped, multiple, malspam, and network vectors experienced a decrease in activity. Malspam continues to dominate as the primary infection vector, with 60% of the Top 10 Malware being delivered by this method. The malspam category decreased due to reduced Emotet, WannaCry, and Kovter activity. None of the Top 10 Malware uses malvertisement as a delivery mechanism, continuing the existing trend. The multiple category decreased slightly due to a reduction in ZeuS activity. The dropped vector slightly decreased due to lowered Gh0st and Mirai activity. Activity associated with the network vector greatly decreased due to a reduced number of WannaCry infections.






The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor.

Malvertisement – Malware introduced through a malicious advertisement.

Multiple – Refers to malware that currently favors at least two vectors.

Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

Network – Malware introduced through the abuse of legitimate network protocols or tools, such as SMB or remote PowerShell.

  1. Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network. In October 2018, Emotet was observed using a new module which exfiltrates email content.
  2. Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
  3. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
  4. WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread via SMB. Version 1.0 has a “killswitch” domain, which stops the encryption process.
  5. NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  6. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  7. CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
  8. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale distributed denial of service (DDoS) attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  9. Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.
  10. Smoke Loader is distributed via malicious spam campaigns and is used to download additional pieces of malware after the initial infection. After deployment, Smoke Loader deletes the original executable in order to avoid detection. Additionally, the malware evades detection by changing the timestamp of its executable so that it does not surface among recently modified files.
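
An added example (not part of the MS-ISAC report) showing how a responder can still surface a backdated executable such as the one described in item 10. It assumes NTFS timestamps already exported by an MFT parser, with hypothetical field names `si_created`, `si_modified` and `fn_created`; the records and paths are constructed. Comparing $STANDARD_INFORMATION with $FILE_NAME times is a common forensic heuristic, not a behaviour the report attributes to Smoke Loader.

```python
from datetime import datetime

# Constructed sample rows. si_* come from $STANDARD_INFORMATION (settable from
# user mode); fn_created comes from $FILE_NAME (not settable through the same APIs).
RECORDS = [
    {"path": r"C:\Users\a\AppData\Roaming\sample\updater.exe",   # backdated
     "si_created": "2016-03-01T10:00:00.000000",
     "si_modified": "2016-03-01T10:00:00.000000",
     "fn_created": "2018-10-17T08:42:13.518204"},
    {"path": r"C:\Program Files\Vendor\tool.exe",                # old build copied in
     "si_created": "2018-10-16T14:05:09.112233",
     "si_modified": "2017-06-20T09:30:11.450120",
     "fn_created": "2018-10-16T14:05:09.112233"},
    {"path": r"C:\Windows\System32\old.dll",                     # untouched old file
     "si_created": "2015-07-10T03:21:44.901277",
     "si_modified": "2015-07-10T03:21:44.901277",
     "fn_created": "2015-07-10T03:21:44.901277"},
]
WINDOW_START = datetime(2018, 10, 15)   # constructed investigation window
WINDOW_END = datetime(2018, 10, 20)

def triage(records, start, end):
    """Return (path, reasons) for files that arrived on the volume inside the
    window, most suspicious first. Selection uses fn_created, so a backdated
    modified time does not hide the file."""
    findings = []
    for rec in records:
        si_c, si_m, fn_c = (datetime.fromisoformat(rec[k])
                            for k in ("si_created", "si_modified", "fn_created"))
        if not (start <= fn_c <= end):
            continue
        reasons = []
        if si_m < start:
            reasons.append("modified time predates window")
        if si_c < fn_c:
            reasons.append("SI created earlier than FN created")
        if si_c.microsecond == 0 and si_m.microsecond == 0:
            reasons.append("SI times have no sub-second part")
        if reasons:
            findings.append((rec["path"], reasons))
    # A single reason is common for legitimately copied files; several together
    # deserve a closer look.
    return sorted(findings, key=lambda f: -len(f[1]))

if __name__ == "__main__":
    for path, reasons in triage(RECORDS, WINDOW_START, WINDOW_END):
        print(len(reasons), path, "; ".join(reasons))
```
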