Top 10 Malware May 2020

Top 10 Malware composition was fairly consistent with April 2020 with the exception of Modi, Mirai, and NSPPS. Overall, the Top 10 Malware variants composed 43% of Total Malware activity in May, down from 53% in April. It is highly likely that Dridex and ZeuS will continue to make up a significant portion of the Top 10 Malware.



In May 2020, malspam accounted for the greatest number of alerts. Activity levels for all vectors, except dropped, decreased. MS-ISAC observed two new malware variants, Modi and NSPSS, both of which are RATs. Additionally, we continue to see the worm Brambul, which is dropped by the RAT Joanap. CISA in 2018 assessed that both Brambul and Joanap  are associated with the CTA group Hidden Cobra. The ZeuS alerts account for activity within the multiple infection vector. Bolek, Cerber, Dridex, Modi, and NanoCore represent the malspam related infections for May 2020. Brambul, Gh0st, and Mirai are currently the only malware in the Top 10 whose primary initiation vector is dropped. NSPPS is currently the only Top 10 malware that uses the network initiation vector. There was no Top 10 malware activity this month that utilized malvertisement as a primary initiation vector. There is a high likelihood that malspam will remain the primary initiation vector for the Top 10 Malware due to the effectiveness of this method.

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently Brambul, Gh0st, and Mirai are being dropped.

Multiple – Malware that currently favors at least two vectors. ZeuS is currently utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique Bolek, Cerber, Dridex, Modi, and NanoCore.

Network – Malware introduced through the abuse of legitimate network protocols or tools, such as SMB protocol or remote PowerShell. NSPPS uses this vector

  1. Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
  2. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of it’s codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
  3. NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  4. Brambul is a worm that spreads via the SMB protocol by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates lists of random IP addresses for further external attacks. Brambul is dropped by the RAT Joanap. CISA in 2018 assessed that both Brambul and Joanap are associated with the CTA group Hidden Cobra.
  5. Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are currently six versions of Cerber, which evolved specifically to evade detection by machine learning algorithms. Currently, version 1 is the only version of Cerber for which a decryptor tool is available.
  6. Modi is a remote administration trojan.
  7. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  8. NSPPS is a remote access trojan that is deployed to Citrix netscalers exploiting vulnerability CVE-2019-19781. This RAT disguises its self on the system by using a file name similar to the Netscaler Packet Processing Engine (NSPPE) process. The backdoor is used to load a coinminer.
  9. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  10. Bolek, aka Kbot, is a banking trojan known for its ability to quickly propagate throughout a network, such as via USB and network shares. Bolek has multiple modules that are used to steal banking and personal information, credentials, and exfiltrate files from systems.