Top 10 Malware of April 2017
The top 10 malware listed below were responsible for approximately 56% of all new malware infections reported by the MS-ISAC in April. This was an increase of almost eight percentage points from March and continues an upward trend since it bottomed out in January to 43%.
Every month the MS-ISAC maps the Top 10 Malware to infection vectors. This is done by using open source observations and reports on each malware type. The MS-ISAC observed a continued increase in spam and malware droppers, while malvertising continued to decline.
Top 10 Malware Descriptions
- Kovter is a Trojan, which has been observed acting as click fraud malware or a ransomware downloader. Recently, it is disseminated via spam email attachments containing malicious office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Reports indicate that Kovter has received updated instructions from command and control infrastructure to serve as a remote access backdoor.
- ZeuS/Zbot is a banking Trojan which uses keystroke logging to compromise victim credentials when a user visits a banking website. Since the release of the ZeuS source code in 2011, many malware variants have adopted parts of its code, meaning that events classified as ZeuS may actually be other malware using parts of the ZeuS code. The widespread use of ZeuS has led to multiple vectors being used for distribution.
- Tinba, also known as Tiny Banker, is a banking Trojan, known for its small file size. Tinba uses web injection to collect victim information from login pages and web forms, and is primarily disseminated via exploit kits.
- Fleercivet is a click fraud Trojan that injects code into Internet Explorer, Firefox, and Opera in order to generate revenue from advertisements. Fleercivet is dropped by malware downloaders and drive-by downloads.
- Virut is a polymorphic virus that mostly infects executable files and has worm-like behavior. Virut spreads by copying itself to hard drives and opening up a back door on the compromised device. Virut is disseminated via malvertising.
- DNSChanger is malware that was very prolific in the late 2000s and early 2010s, before being dismantled by a Federal Bureau of Investigation (FBI) takedown. Researchers identified a new variant in December 2017, which reportedly acts as an exploit kit targeting routers. Once infected, the malware modifies the routers’ DNS records to point to a malicious server. DNSChanger is disseminated via malvertising and uses steganography to obfuscate its initial actions.
- Dridex is a malware banking variant that uses malicious macros with either malicious embedded links or attachments. Dridex is disseminated via spam campaigns.
- Ponmocup is a downloader associated with one of the largest and longest running botnets, active since 2006. Ponmocup is usually disseminated through an infected webpage as a malvertisement.
- Cerber is an evasive ransomware that is capable of encrypting files in offline mode and is known for fully renaming files and appending them with a random extension. There are five versions of Cerber currently being disseminated via spam campaigns. Trend Micro has reported Cerber evolving specifically to evade detection by machine learning algorithms. Currently v1 is the only version of Cerber that has a decryption tool.
- PCRat/Gh0st is downloader malware disseminated via phishing emails containing a malicious attachment with a macro and is known to obfuscate itself using PowerShell commands.