October’s Most Wanted Malware: Cryptocurrency Mining Presents New Threat

Check Point’s latest Global Threat Index has revealed that crypto miners were an increasingly prevalent form of malware during October, as organizations were targeted with the CoinHive variant

Crypto mining is emerging as a silent, yet significant, actor in the threat landscape, allowing threat actors to extract substantial profits while victims’ endpoints and networks suffer from latency and decreased performance. The emergence of Seamless and CoinHive once again highlights the breadth and depth of the challenges organizations face in securing their networks against cyber-criminals.

Following up on recent Check Point research that found that cryptocurrency miners can use up to 65% of an end user’s total CPU, the CoinHive variant entered the Index in 6th place last month. Without the user knowing or approving, the malware mines the Monero cryptocurrency for as long as the user is on a web page that carries it. CoinHive is implanted as JavaScript in the page, which then drives the end user’s CPU to high utilization and severely impacts the machine’s performance.

Continuing the trend from September, RoughTed and Locky remained the two most prevalent threats. However, there was a new entry to the top three: the Seamless Traffic Distribution System (TDS). Seamless silently redirects the victim to a malicious web page, leading to infection by an exploit kit. Upon successful infection, the attacker downloads additional malware onto the target.

There is no doubt that this new form of malware is here to stay, which highlights the need for advanced threat prevention technologies. This should involve a multi-layered cybersecurity strategy that protects against both established malware families and brand new, zero-day threats.

Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ RoughTed – a purveyor of ad-blocker-aware malvertising responsible for a range of scams, exploits, and malware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  2. ↔ Locky – Ransomware, in distribution since February 2016, that spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment; the downloader then fetches and installs the malware that encrypts the user’s files.
  3. ↑ Seamless – Traffic Distribution System (TDS), which operates by silently redirecting the victim to a malicious web page, leading to infection by an exploit kit. Successful infection allows the attacker to download additional malware onto the target.
  4. ↔ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  5. ↑ Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  6. ↑ CoinHive – Crypto Miner designed to mine the Monero cryptocurrency in the browser when a user visits a web page, without the user’s approval. The implanted JavaScript consumes a large share of the end user’s CPU to mine coins, thus impacting the performance of the system.
  7. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  8. ↓ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  9. ↓ Pushdo – Trojan used to infect a system and then download the Cutwail spam module and can also be used to install additional third party malware.
  10. ↑ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts, but can be modified to create different types of botnets.
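The in-browser mining described in the CoinHive paragraph above and in entry 6 of the list leaves its traces in the page content that reaches the endpoint, so a proxy or crawler can score page bodies for it. The following Python scanner is an added example written for this page; it is not Check Point code and not a ThreatCloud signature. It scores a page against a small indicator list and, beyond the CoinHive-branded script, also flags a renamed self-hosted copy by its generic traits (a WebSocket to a mining proxy, CryptoNight references, WebAssembly plus Web Workers), which a name-based blocklist alone would miss. The indicator weights, the threshold, the hostnames and the three sample pages are constructed assumptions; the `coinhive.min.js` path and the `CoinHive.Anonymous` constructor follow the shape of the publicly documented CoinHive API of the time, but are used here only as illustrative strings.

```python
"""Heuristic scanner for in-browser cryptojacking indicators.

Added example for this article, not Check Point code. Indicator list,
weights, threshold and the sample pages below are constructed for
illustration; a real deployment would feed captured page bodies
(proxy logs, crawler output) into scan_page() and tune the list.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Score at or above this value flags the page (assumed threshold).
THRESHOLD = 5

# (name, pattern, weight). The first two follow the public CoinHive API
# shape of 2017; the rest are generic traits of browser miners: the
# CryptoNight algorithm Monero used, a WebSocket to a mining proxy/pool,
# sizing threads by core count, Web Workers and WebAssembly for the hash loop.
INDICATORS = [
    ("coinhive_script", re.compile(r"coinhive(?:\.min)?\.js", re.I), 5),
    ("coinhive_api", re.compile(r"\bCoinHive\.(?:Anonymous|User)\s*\(", re.I), 5),
    ("cryptonight", re.compile(r"cryptonight", re.I), 3),
    ("mining_websocket", re.compile(r"wss?://[^\s\"']*(?:stratum|proxy|pool)", re.I), 3),
    ("hardware_concurrency", re.compile(r"navigator\.hardwareConcurrency", re.I), 2),
    ("web_worker", re.compile(r"\bnew\s+Worker\s*\(", re.I), 1),
    ("webassembly", re.compile(r"WebAssembly\.(?:instantiate|compile)", re.I), 1),
    ("miner_start", re.compile(r"\.start\s*\(\s*\)", re.I), 1),
]

# Pulls the site key out of a CoinHive constructor call for attribution.
SITE_KEY_RE = re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(\s*['\"]([\w-]+)['\"]", re.I)


@dataclass
class ScanResult:
    url: str
    score: int = 0
    hits: list = field(default_factory=list)
    site_key: Optional[str] = None

    @property
    def is_miner(self) -> bool:
        return self.score >= THRESHOLD


def scan_page(url: str, body: str) -> ScanResult:
    """Score one page body; each indicator counts once regardless of repeats."""
    result = ScanResult(url=url)
    for name, pattern, weight in INDICATORS:
        if pattern.search(body):
            result.hits.append(name)
            result.score += weight
    match = SITE_KEY_RE.search(body)
    if match:
        result.site_key = match.group(1)
    return result


def scan_all(pages: dict) -> list:
    """Scan a {url: body} mapping in order and return all results."""
    return [scan_page(url, body) for url, body in pages.items()]


# Constructed sample pages (not captured traffic).
SAMPLE_PAGES = {
    "https://benign.example/gallery": """<html><body>
<script>
  // benign: a Web Worker resizes images client-side
  const w = new Worker('/static/resize-worker.js');
  w.postMessage({op: 'resize', width: 800});
</script></body></html>""",
    "https://injected.example/news": """<html><body>
<p>article text</p>
<script src="https://cdn.example/lib/coinhive.min.js"></script>
<script>
  // injected snippet mirroring the public CoinHive API shape
  var miner = new CoinHive.Anonymous('EXAMPLE-SITEKEY-constructed', {
    threads: navigator.hardwareConcurrency
  });
  miner.start();
</script></body></html>""",
    "https://renamed.example/player": """<html><body>
<script>
  // self-hosted miner with the vendor name stripped out
  var sock = new WebSocket('wss://ws.example/proxy');
  WebAssembly.instantiate(bytes).then(function (m) {
    cryptonight = m.instance.exports.cn;
    new Worker('/assets/w.js');
  });
</script></body></html>""",
}


if __name__ == "__main__":
    for r in scan_all(SAMPLE_PAGES):
        verdict = "MINER" if r.is_miner else "clean"
        print(f"{verdict:5} score={r.score:2} key={r.site_key} {r.url} hits={r.hits}")
```

The benign gallery page scores 1 (a Web Worker alone is normal), the injected page scores 13 and yields the site key for blocklisting, and the renamed copy still reaches 8 from generic traits only. Presence-based scoring keeps a single repeated `.start()` from inflating the result; the low-weight indicators are there to lift the high-weight ones past the threshold, not to flag on their own.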

The most popular malware used to attack organizations’ mobile estates saw one change from September, with Android ransomware LeakerLocker appearing in 2nd place.

Top 3 ‘Most Wanted’ mobile malware:

  1. Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware and helps it embed itself in system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. LeakerLocker – Android ransomware that reads personal user data, then presents it to the user and threatens to leak it online if the ransom is not paid.
  3. Hiddad – Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing the attacker to obtain sensitive user data.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html