December 2018’s Most Wanted Malware: Where there’s SmokeLoader, there’s Fire

Check Point’s researchers saw SmokeLoader rise to the top 10 ‘Most Wanted’ Malware list in December after a sudden boost in activity. Mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker, the second-stage downloader had been known to researchers since 2011, but entered the top 10 for the first time in December after a surge of activity from two campaigns – the first in the Ukraine and the second in Japan. It was previously announced that the malware, which includes mining, info stealing, email/ form grabbing and keylogging plugins, is sold exclusively to Russian speakers.


Despite an overall drop in value across all cryptocurrencies in 2018, cryptomining malware makes up half of all places in the top 10 list and fills the top 4 positions. Coinhive remains the most prevalent malware for the 13th consecutive month, impacting 12% of organizations worldwide.


The remaining positions have been filled by damaging, multi-purpose malware forms that use multiple methods to distribute a variety of threats. Emotet, an advanced Trojan used as a malware distributor jumped to 5th place, and Ramnit – a banking Trojan that steals login credentials and other sensitive data returned to the top 10 this month at 8th place.


December 2018’s Top 10 ‘Most Wanted’:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ Coinhive – Cryptominer designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval, and without sharing the profits with the user. The implanted JavaScript uses great computational resources of the end users to mine coins and might crash the system.
  2. ↑ XMRig – Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  3. Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  4. Cryptoloot – Cryptominer, using the victim’s CPU or GPU power and existing resources for cryptomining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
  5. ↑ Emotet – Advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributor to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  6. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  7. ↓ Dorkbot – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  8. ↑ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  9. ↑ Smokeloader – Second-stage downloader for windows which is used to download other malwares or other plugins. Smokeloader uses various anti-analysis tricks that is used for deception and self-protection. Smokeloader is commonly used to load a lot of known families, including the Trickbot trojan, Azorult infostealer and Panda banker.
  10. ↑ Authedmine – A version of the infamous JavaScript miner CoinHive. Similarly to CoinHive, Authedmine is a web-based crypto miner used to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. However unlike CoinHive Authedmine is designe to require the website user’s explicit consent before running the mining script.


Triada, the modular backdoor for Android has retained first place in the top mobile malware list. Geurilla has climbed to second place, replacing Hiddad. Meanwhile Lotoor has replaced Android banking Trojan and info-stealer Lokibot in third place.


December’s Top 3 ‘Most Wanted’ mobile malware:

  1. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Guerilla– Android ad-clicker which has the ability to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.
  3. Lotoor– Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.


Check Point researchers also analyzed the most exploited cyber vulnerabilities. Holding on to first place was CVE-2017-7269, whose global impact also rose slightly to 49%, compared to 47% in November. In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global impact of 42% closely followed by PHPMyAdmin Misconfiguration Code Injection with an impact of 41%.


December’s Top 3 ‘Most Exploited’ vulnerabilities:

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
  2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  3. Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.


The map below displays the risk index globally (green – low risk, red- high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

Check Point’s Threat Prevention Resources are available at: