September 2018’s Most Wanted Malware: Cryptomining Attacks Against Apple Devices On The Rise

Check Point’s latest Global Threat Index reveals a near four-fold increase in cryptomining malware targeting iPhone users


Check Point’s researchers detected a near-400% increase in crypto-mining malware attacks against iPhones. The surge was seen in the last two weeks of September, when attacks against users of the Safari browser also rose significantly. These attacks used the Coinhive mining malware, which has been at the number one position in the Index since December 2017, having emerged one year ago in September 2017.


Crypto-mining continues to be the dominant threat facing organizations across the world. The attacks on Apple devices are not using any new functionalities. The reason behind the increase is not yet known, but serves to remind us that mobile devices are an often-overlooked element of an organization’s attack surface. It’s critical that mobile devices are protected with a comprehensive threat prevention solution, to stop them being the weak point in corporate security defenses.


Coinhive now impacts 19% of organizations worldwide, and once again crypto miners dominated the threat index. Meanwhile, Dorkbot, the trojan that steals sensitive information and launches denial-of-service attacks, remained in second place with a global impact of 7%.


September 2018’s Top 10 ‘Most Wanted’:

*The arrows relate to the change in rank compared to the previous month.


  1. ↔ Coinhive – Crypto-miner designed to perform online mining of Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript uses a great deal of the computational resources of end users’ machines to mine coins, and may crash the system.
  2. Dorkbot – Worm designed to allow remote code execution as well as downloading additional malware to the infected system.
  3. ↑ Cryptoloot – Crypto-miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking websites for a lower percentage of revenue.
  4. ↔ Andromeda – A modular bot used mainly as a backdoor to deliver additional malware on infected hosts; it can be modified to create different types of botnets.
  5. ↔ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↑ Roughted – Large-scale malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  7. ↓ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  8. ↓ XMRig – XMRig is open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
  9. ↔ Conficker – A worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  10. ↑ Emotet – Emotet is a Trojan that targets the Windows platform. This malware sends out system information to multiple control servers and can download configuration files and other components. It reportedly targets customers of certain banks and hooks various APIs to monitor and log network traffic. The malware creates a Run key registry entry so that it starts again after system reboots.
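Three of the families above (Coinhive, Cryptoloot and JSEcoin) reach victims as JavaScript embedded in web pages. As an added example, not Check Point’s code, the following Python scanner pulls external and inline scripts out of fetched HTML and flags known miner loaders; the indicator patterns and the sample page are constructed for illustration, not a vetted signature list.

```python
import re
from html.parser import HTMLParser

# Indicator patterns constructed for this example (not a vetted signature
# list): the script host or loader name each browser miner is embedded through.
MINER_PATTERNS = {
    "Coinhive": [r"coinhive\.com", r"CoinHive\.Anonymous"],
    "Cryptoloot": [r"crypto-loot\.com"],
    "JSEcoin": [r"jsecoin\.com"],
}
class _ScriptCollector(HTMLParser):
    """Collects <script src> URLs and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data in CDATA mode.
        if self._in_script and data.strip():
            self.inline.append(data)

def scan_html(html):
    """Return sorted (family, evidence) pairs for miner loaders found in html."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = set()
    for family, patterns in MINER_PATTERNS.items():
        for rx in (re.compile(p, re.IGNORECASE) for p in patterns):
            for src in collector.sources:
                if rx.search(src):
                    findings.add((family, "external script " + src))
            for body in collector.inline:
                match = rx.search(body)
                if match:
                    findings.add((family, "inline script contains " + match.group(0)))
    return sorted(findings)

# Constructed sample page: an ordinary script plus a Coinhive-style loader.
SAMPLE_PAGE = """<html><head><script src="https://cdn.example.net/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script></head>
<body><script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();
</script></body></html>"""
```

Running `scan_html` over pages captured by a proxy or crawler gives a quick inventory of which sites serve a miner loader; the hit on the inline constructor is what distinguishes an actual miner instantiation from a page that merely links the library.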


Once again, Lokibot, an Android banking Trojan and info-stealer, was the most popular malware used to attack organizations’ mobile estates, followed by Lotoor and Triada.


September’s Top 3 ‘Most Wanted’ mobile malware:

  1. Lokibot – Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are removed.
  2. Lotoor – Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.
  3. Triada – Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it embed itself into system processes. Triada has also been seen spoofing URLs loaded in the browser.


Check Point researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-7269 is the most popular exploited vulnerability for the 7th consecutive month, with a global impact of 48% of organizations. In second place was CVE-2016-6309 with a global impact of 43%, closely followed by Web servers PHPMyAdmin Misconfiguration Code Injection impacting 42% of organizations.


September’s Top 3 ‘Most Exploited’ vulnerabilities:

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. This is mainly due to a buffer overflow caused by improper validation of a long header in an HTTP request.
  2. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
  3. ↑ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.


The map below displays the risk index globally (green – low risk, red – high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.


Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.


Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html