March’s ‘Most Wanted’ Malware List: Exploit Kits Rise Again in Popularity

Old malware rarely dies:  it just lies dormant for a while.  This was one of the key findings of the Check Point Research Team’s latest Global Threat Impact Index, which saw a surge in the usage of Exploit Kits during March, following a steady decline in usage since a high point in May 2016.

Exploit Kits are designed to discover and exploit vulnerabilities on machines in order to download and execute further malicious code.  The leading variants were Angler and Nuclear, and their demise saw Exploit Kits fall out of the leading malware used to launch attacks on organizations worldwide.

However, in March, the Rig Exploit Kit shot up the rankings, being the second most prevalent global malware throughout the month. The Terror Exploit Kit also increased dramatically in usage in March, and was just one place from making it into the monthly top 10 list.  Both variants have been used to deliver a wide variety of threats, from ransomware and banking Trojans to spambots and BitCoin miners.

This dramatic resurgence underlines how important it is to remain vigilant to a broad spread of threats and attack vectors, even those that appear to have fallen out of general usage.

Overall, the most common malware in March were HackerDefender and Rig EK in first and second place, each impacting 5% of organizations worldwide, followed by Conficker and Cryptowall, each impacting 4% of organizations worldwide.

March 2017’s Top 10 ‘Most Wanted’ Malware were:

*The arrows relate to the change in rank compared to the previous month.

  1. ↑ HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  2. ↑ Rig EK – Exploit Kit first introduced in 2014. Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
  3. ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  4. ↓ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  5. ↑ Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  6. ↑ Pykspa – Worm that spreads itself by sending instant messages to contacts on Skype. It extracts personal user information from the machine and communicates with remote servers by using a Domain Generation Algorithms (DGA).
  7. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  8. ↓ Hancitor – Downloader used to install malicious payloads (such as Banking Trojans and Ransomware) on infected machines. Also known as Chanitor, Hancitor is usually delivered as a macro enables Office document in Phishing emails with “important” messages such as voicemails, faxes or invoices.
  9. ↑ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
  10. ↑ Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.


In mobile malware, the top two families remained the same as in February, while Ztorg climbed back to the top three.


The Top 3 ‘Most Wanted’ mobile malware in March were:

  1. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  2. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  3. Ztorg – Trojan that uses root privileges to download and install applications on the mobile phone without the user’s knowledge.


The wide range of threats seen during the past month utilize all available tactics in the infection chain to try and gain a foothold on enterprise networks.  To counter this range of exploits, organizations need advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, such as Check Point’s SandBlast™ Zero-Day Protection and Mobile Threat Prevention solutions, to ensure that they are secured.  Stay tuned for the April Global Threat Impact Index!


The map below displays the risk index globally (green – low risk, red- high risk, white – insufficient data), demonstrating the main risk areas around the world.