Top 10 Malware of December 2017
In December 2017 notifications regarding the Top 10 Malware decreased by 23%, inversely corresponding to an overall 14% increase in all new malware infections, compared to November 2017. The Top 10 Malware made up 49% of all new malware infections reported by the MS-ISAC in December. This is 23 percentage points lower than the Top 10 Malware accounted for in November 2017, and reverses the upward trend that was occurring in the latter half of 2017. Every month the MS-ISAC maps the Top 10 Malware to common infection vectors. This is done by using open source observations and reports on each malware type. The malspam vector decreased by 27% and the malvertising vector dropped by 21%. The dropped vector decreased by 21% and the multiple vector increased by 22% in December 2017. Throughout 2017, the MS-ISAC has observed slight decreases in dropped and malvertising vectors while simultaneously seeing the malspam vector more than double.
The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).
Dropped – Malware dropped by other malware already on the system or by an exploit kit.
Malvertising – Malware introduced through a malicious advertisement.
Multiple – Refers to malware that currently favors at least two vectors.
Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.
- Kovter is a Trojan, which has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
- CoinMiner is a cryptocurrency miner that was initially disseminated via malvertising. Once a machine is infected, CoinMiner uses Windows Management Instrument (WMI) and EternalBlue to exploit SMB and spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
- Emotet is a modular Trojan that downloads or drops banking Trojans. Initial infection occurs via malspam emails that contain malicious download links, a PDF with embedded links, or a macro-enabled Word attachment. Emotet incorporates spreader modules in order to propagate throughout a network. Emotet is known to download/drop the Pinkslipbot and Dridex banking Trojans. Currently, there are four known spreader modules: Outlook scraper, WebBrowserPassView, Mail PassView, and a credential enumerator.
- Outlook Scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out phishing emails from the compromised account;
- WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module;
- Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module;
- Credential Enumerator: a self-extracting RAR file containing a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk.
- ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code.
- NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, as well as add Registry keys for persistence.
- Sharik is a trojan downloader spread via malspam as a malicious Word document. Recent campaigns have mimicked password protected resumes with the passwords in the body of the email. In recent campaigns, Sharik has been downloading variants of Zeus as well as Neutrino Exploit Kit.
- Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms
- Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.
- LatentBot is a modular trojan that also acts as a botnet agent. It is able to download additional modules once a system is infected, including keyloggers and form grabbers. Recently it has been dropped by the RIG Exploit Kit.
- Pushdo is a trojan downloader that is known to download the Cutwail spam module. Pushdo is also able to download any other type of malware and it is currently being dropped by RIG Exploit Kit.