Top 10 Malware June 2020

Top 10 Malware composition was fairly consistent through May 2020, with the exception of Quasar, SocGholish, and Ursnif. Overall, the Top 10 Malware variants composed 36% of Total Malware activity in June, down from 43% in May. It is highly likely that ZeuS and Dridex will continue to make up a significant portion of the Top 10 Malware due to widespread use of ZeuS source code and the complexity of the Dridex signature sets, as well as the effectiveness of malspam in the SLTT landscape.



In June 2020, malspam accounted for the greatest number of alerts. Activity levels for all vectors, except dropped and Malvertisement, decreased. MS-ISAC observed two new malware variants, SocGholish and Quasar, both of which are Remote Access Trojans (RATs). Malvertisement, which remained dormant since February 2019, reemerged due to SocGholish activity. ZeuS alerts accounted for activity within the multiple infection vector. Cerber, Dridex, Kovter, NanoCore, Quasar, and Ursnif represent the malspam related infections for June 2020. Gh0st and Mirai are currently the only malware in the Top 10 whose primary initiation vector is dropped. There is no Top 10 Malware activity this month utilizing network as a primary initiation vector. There is a high likelihood that malspam will remain the primary initiation vector for the Top 10 Malware due to the continued effectiveness of this method.


Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently Gh0st and Mirai are being dropped.

Multiple – Malware that currently favors at least two vectors. ZeuS is currently utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique Cerber Dridex, Kovter, NanoCore, Quasar, and Ursnif.

Malvertisement – Malware introduced through malicious advertisements. Currently, SocGholish is the only malware to use this technique.

  1. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  2. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of it’s codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
  3. SocGholish is a RAT and a banking trojan that uses fake Flash Updates to drop a NetSupport RAT payload. Recently, SocGholish has been used to drop WastedLocker ransomware, a new ransomware variant.
  4. Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
  5. Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence
  6. Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are currently six versions of Cerber, which evolved specifically to evade detection by machine learning algorithms. Currently, version 1 is the only version of Cerber for which a decryptor tool is available.
  7. Quasar is an open-source remote administration tool on the Windows Platform. It is used as a RAT to create backdoors.
  8. Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.
  9. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  10. NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.