Hancitor Makes First Appearance in Top Five ‘Most Wanted’ Malware in Check Point’s February Global Threat Impact Index

Hancitor has surged into the top five of our ‘most wanted’ malware families worldwide for the first time, according to the new February Global Threat Impact Index from our Threat Intelligence Research Team.

The downloader, which installs malicious payloads such as Banking Trojans and ransomware on infected machines, climbed 22 places after more than tripling its global impact in the past month. Also known as Chanitor, Hancitor is usually delivered as a macro-enabled Office document in phishing emails with “important” messages such as voicemails, faxes or invoices. The index ranked Kelihos, a botnet used in spam campaigns, as the most prevalent malware family overall, with 12% of organizations globally impacted by it.

Having been active since 2010, the resilient Kelihos has evolved from a ‘pump and dump’ spam campaign into a botnet-for-hire, sending spam for anyone willing to pay. Despite being taken down in 2011 and again a year later, it has continued to resurface, culminating in the botnet growing by more than three times in just two days last August. Today, Kelihos continues to grow as one of the most prominent distributors of spam in the world, with over 300,000 infected machines, each capable of sending more than 200,000 emails a day.

Overall the top 10 malware families revealed that hackers were using a wide range of attack vectors and tactics to target businesses. These threats impact all steps of the infection chain, including spam emails, which are spread by botnets, and contain downloaders that eventually place ransomware or a Trojan on the victim’s machine.

The top three most common malware in February were Kelihos in first, impacting 12% of organizations, followed by HackerDefender, impacting 5% and Cryptowall which affected 4.5% of businesses globally.

February 2017’s Top 10 ‘Most Wanted’ Malware:

  1. Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server.
  2. HackerDefender – User-mode rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  3. Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  4. Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  5. Hancitor – Downloader used to install malicious payloads (such as Banking Trojans and Ransomware) on infected machines. Also known as Chanitor, Hancitor is usually delivered as a macro-enabled Office document in phishing emails with “important” messages such as voicemails, faxes or invoices.
  6. Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  7. RookieUA – Infostealer designed to extract user account information such as logins and passwords and send them to a remote server.
  8. Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  9. Fareit – Trojan used to steal sensitive information such as user names and passwords stored in web browsers, as well as email and FTP credentials.
  10. Pykspa – Worm that spreads itself by sending instant messages to contacts on Skype. It extracts personal user information from the machine and communicates with remote servers by using a Domain Generation Algorithms (DGA).


In mobile malware, Hiddad moved up from third in January to become the most active, followed by Hummingbad and last month’s leader Triada in second and third place, respectively.

 Top 3 ‘Most Wanted’ mobile malware:

  1. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  2. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  3. Triada – Modular backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.


The speed in which some forms of malware grew during February highlights the challenges faced by IT departments worldwide. It is imperative organizations are sufficiently equipped to deal with the ever-increasing number of threats by adopting advanced security systems across their entire business network such as Check Point’s SandBlast™ Zero-Day Protection and Mobile Threat Prevention. Stay tuned for the March Global Threat Impact Index.