February 2019’s Most Wanted Malware: Coinhive Quits While Still at the Top

By Check Point’s Threat Intelligence team, published March 11th


In February 2019, Coinhive led the global threat index for the 15th successive month, having announced that it will cease operation on 8th March 2019 because it is no longer economically viable. Meanwhile, our researchers discovered several widespread campaigns distributing GandCrab in Japan, Germany, Canada and Australia, among several other targeted nations.


These operations emerged over the last two months, and one of the most recent campaigns has been associated with a new version of the GandCrab ransomware. The new version, GandCrab V5.2, includes most of the features of the last, but with a key change in encryption that renders the decryption tool for previous versions ineffective. As we saw in January, this demonstrates that threat actors continue to exploit distribution methods while creating new and more dangerous versions of existing malware forms.


GandCrab’s new version proves once again that although some malware families stay in the top malware list for several months and seem to be static, they actually keep trying to find new methods to evade detection by security products. To effectively combat this, our researchers continuously trace them based on their malware family DNA.


Meanwhile, cryptominers continue to dominate the threat index despite their global impact decreasing gradually as the value of cryptocurrencies declines. The rising cost of mining, along with the decline in the value of the Monero cryptocurrency, saw Coinhive’s value fall from 18% in October 2018 to 12% in January 2019, and to 10% this month. It is not yet clear whether the top position will be taken by another form of cryptomining malware, or another malware form entirely.


February 2019’s Top 10 ‘Most Wanted’:


*The arrows relate to the change in rank compared to the previous month.

  1. ↔ Coinhive – Crypto Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. The implanted JavaScript uses a great deal of the end user’s computational resources to mine coins and might crash the system.
  2. ↑ Cryptoloot – Crypto-Miner that uses the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking for a smaller percentage of revenue from websites.
  3. ↑ Emotet – Advanced, self-propagating and modular Trojan. Emotet was once used as a banking Trojan, and has recently been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  4. ↓ XMRig – Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in the wild in May 2017.
  5. ↓ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  6. ↑ Dorkbot – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  7. ↓ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  8. ↑ GandCrab – Ransomware distributed via the RIG and GrandSoft Exploit Kits, as well as email spam. The ransomware is operated as an affiliate program, with those joining the program paying 30%-40% of the ransom revenues to the GandCrab author. In return, affiliates get a full-featured web panel and technical support.
  9. ↑ Authedmine – A version of the infamous JavaScript miner CoinHive. Similarly to CoinHive, Authedmine is a web-based crypto miner used to perform online mining of Monero cryptocurrency when a user visits a web page, without the user’s knowledge or approval and without sharing the profits with the user. However, unlike CoinHive, Authedmine is designed to require the website user’s explicit consent before running the mining script.
  10. ↔ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.


This month Lotoor is the most prevalent mobile malware, replacing Hiddad in first place in the top mobile malware list. Triada remains in third place.


February’s Top 3 ‘Most Wanted’ Mobile Malware:

  1. Lotoor – Hack tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.
  2. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  3. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as it helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.


Check Point’s researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-7269 is still leading the top exploited vulnerabilities with 45%. OpenSSL TLS DTLS Heartbeat Information Disclosure is the second most prevalent vulnerability with a global impact of 40%, followed by the Web servers PHPMyAdmin Misconfiguration Code Injection exploit, impacting 34% of organizations worldwide.


February’s Top 3 ‘Most Exploited’ vulnerabilities:

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. This is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request.
  2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  3. ↑ Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.


The map below displays the risk index globally (green – low risk, red – high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.


Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html