April 2019’s Most Wanted Malware: Cybercriminals up to Old ‘TrickBots’ Again

Check Point’s latest Global Threat Index sees banking trojan Trickbot return to top ten list after 2 year absence


In April 2019, banking trojan Trickbot re-appeared in the top ten most wanted malware list for the first time in almost two years. The multi-purpose trojan became April’s 8th most prevalent malware variant, returning with new capabilities, features and distribution vectors. Trickbot offers a high level of flexibility and customization, which enables it to be distributed as part of multi-purpose campaigns.


Trickbot was used in one such campaign in April that coincided with Tax Day in the USA. The spam campaign sent emails with Excel files attached, which downloaded Trickbot to victims’ computers. Once downloaded, Trickbot could spread inside the network and steal banking details and confidential tax documents for fraudulent use.


Although, cryptominers still occupied the top three positions in the index, the remaining seven malware types in April’s top ten were multi-purpose trojans, which is especially concerning given the fact that they may be used not only to steal private data and credentials, but also to populate other ransomwares (in fact, we’ve seen Emotet and Trickbot populate the Ryuk ransomware). As these malware constantly morph, enterprises must have a robust line of defense against them with advanced threat prevention.


March 2019’s Top 10 ‘Most Wanted’:

*The arrows relate to the change in rank compared to the previous month.


  1. ↑ Cryptoloot – Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
  2. ↑ XMRig- Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  3. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  4. ↓ Emotet – Advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and Evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  5. ↓ Dorkbot- IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  6. ↑ Ramnit- Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  7. ↑ Agentesla- AgentTesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  8. ↑ Trickbot- Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  9. ↑ Sality- Sality is a file infectors, enable to an infected systems to communicate over a peer-to-peer (P2P) network for spamming purposes, proxying of communications, compromising web servers, exfiltrating sensitive data, and coordinating distributed computing tasks to process intensive tasks.
  10. ↓ Lokibot- Lokibot is an Info Stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.


This month Triada is the most prevalent Mobile malware, replacing Hiddad at first place in the top mobile malware list. Lootor remains in second place, and Hiddad falls to third.


April’s Top 3 ‘Most Wanted’ Mobile Malware:


  1. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2.  Lotoor- Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
  3.  Hiddad- Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.


Check Point’s researchers also analyzed the most exploited cyber vulnerabilities. OpenSSL TLS DTLS Heartbeat Information Disclosure exploits is the most popular exploited vulnerability with a global impact of 44% of organization worldwide. For the first time after 12 months CVE-2017-7269 dropped from first place to the second, impacting 40% of organizations, followed by CVE-2017-5638 with a global impact of 38% of organizations around the world.


April’s Top 3 ‘Most Exploited’ vulnerabilities:


  1. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An 1. information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  2. ↓ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a 2. crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
  3. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code 3. execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.


Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-preventionresources/index.html