Check Point Top Malware April 2018

Crypto miners remain dominant in the latest instalment of Check Point's global malware tracker, having been consistently rated in the top 10 for several months. Whether the persistent inclusion of, and furore surrounding, crypto miners is warranted is questionable. Also evident in the monthly lists are the top three mobile malware threats and the top three exploited vulnerabilities.
The threats in these categories are not mutually exclusive: the top vulnerabilities, as rated by Check Point, are the ones being exploited to deliver crypto miners, in particular the Microsoft IIS 6.0 WebDAV flaw on Windows Server 2003 R2 (CVE-2017-7269) and the Oracle WebLogic flaw (CVE-2017-10271). As noted in the report, 46% of organisations around the world were targeted via the Microsoft vulnerability and 40% via the Oracle one.
The threat from these vulnerabilities is clear, yet despite patches having been available for more than six months (Microsoft's fix shipped in June 2017, Oracle's in its October 2017 Critical Patch Update), many companies are evidently still exposed. Windows Server 2003 itself left extended support in July 2015, so any instance still reachable from the internet is a larger problem than this one CVE.

Strategic assessment: The top 10 malware in April were:

• Coinhive – Crypto-miner designed to mine the Monero cryptocurrency in the browser when a user visits a web page, without the user's knowledge or approval.

• Cryptoloot – Crypto-Miner that uses the victim’s CPU or GPU power and existing resources to add transactions to the blockchain and release new currency.

• Roughted – Large-scale malvertising campaign used to redirect victims to malicious websites and deliver payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and uses ad-blocker bypassing and fingerprinting to ensure it delivers the most relevant attack.

• Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, the miner is run directly in the browser in exchange for ad-free browsing, in-game currency and other incentives.

• Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts and can be modified to create different types of botnets.

• Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to the dropping of additional malware.

• XMRig – Open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.

• Dorkbot – IRC-based worm designed to allow remote code execution by its operator and the download of additional malware to the infected system, primarily in order to steal sensitive information and launch denial-of-service attacks.

• Nivdort – Multipurpose bot, also known as Bayrob, used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, making each file unique.

• Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.

Interestingly, the more versatile and damaging malware is rated lower on the list than expected, which may simply reflect a lower infection rate than crypto miners. From a cybersecurity viewpoint, crypto mining is highly likely to pose less of a business threat than the more traditional malware listed, although a miner that arrived through an unpatched IIS or WebLogic server is still proof that an attacker can execute code on that host. Backdoors and loaders such as Andromeda should be more of a concern to businesses, given their ability to drop arbitrary follow-on malware and their role in cybercrime-as-a-service.

The top three mobile malware were:

• Lokibot – Android banking Trojan and info-stealer which can also turn into ransomware that locks the phone.

• Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware.

• Hiddad – Android malware which repackages legitimate apps and releases them to a third-party store.

The top three vulnerabilities were:

• Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over the network to Microsoft Internet Information Services 6.0 on Windows Server 2003 R2, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. The root cause is a buffer overflow in ScStoragePathFromUrl resulting from improper validation of an overly long header (the WebDAV If: header of a PROPFIND request).

• Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271) – A remote code execution vulnerability exists in the WLS Security component of Oracle WebLogic Server because the wls-wsat web service passes attacker-supplied XML to Java's XMLDecoder for deserialisation. A single unauthenticated POST request can therefore lead to remote code execution.

• SQL Injection – Inserting SQL syntax into input sent from the client to the application so that it becomes part of a database query, exploiting the application's failure to keep user data separate from query code.
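The three vulnerability classes above each leave a recognisable shape on the wire, which makes them straightforward to triage in captured traffic. The following is an added example, not code from the report or from Check Point, that runs a simple detector over raw HTTP requests as a reverse proxy or IDS would record them. Access logs are not enough here: two of the checks need the WebDAV If: header and the POST body, which Common Log Format does not keep. The IF_HEADER_MAX threshold, the SQL injection regex and all sample requests are assumptions constructed for the example; the PROPFIND sample is just a long header, not a working exploit.

```python
"""Triage detector for the April 2018 top three vulnerabilities.

Added example (not from the original report). It flags request shapes
associated with CVE-2017-7269, CVE-2017-10271 and SQL injection in raw
HTTP requests; it is a detection aid, not a replacement for patching.
"""
import re
from urllib.parse import unquote_plus

# Assumed threshold: legitimate If: headers carry a few lock tokens and stay
# far below this; the ScStoragePathFromUrl overflow needs a much longer value.
IF_HEADER_MAX = 256

# Heuristic SQL injection tokens (assumption, tune per application; expect
# some false positives on free-text fields).
SQLI_RE = re.compile(
    r"'\s*(?:or|and)\s+\S+\s*=\s*\S+"      # ' OR 1=1
    r"|\bunion\s+(?:all\s+)?select\b"       # UNION SELECT
    r"|(?:--|/\*|#)\s*$"                    # trailing comment truncating the query
    r"|;\s*(?:drop|insert|update|delete|exec)\b",
    re.IGNORECASE,
)


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into method, target, headers (lowercased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_request(raw: str):
    """Return the list of rule names the request matches (empty if clean)."""
    method, target, headers, body = parse_request(raw)
    path, _, query = target.partition("?")
    findings = []

    # CVE-2017-7269: PROPFIND with an oversized WebDAV If: header (IIS 6.0 / Server 2003 R2).
    if method.upper() == "PROPFIND" and len(headers.get("if", "")) > IF_HEADER_MAX:
        findings.append("CVE-2017-7269")

    # CVE-2017-10271: POST to the wls-wsat service carrying an XMLDecoder document.
    if (method.upper() == "POST" and path.startswith("/wls-wsat/")
            and ("java.beans.XMLDecoder" in body or "<java" in body)):
        findings.append("CVE-2017-10271")

    # SQL injection heuristic over the URL-decoded query string and body.
    for field in (unquote_plus(query), unquote_plus(body)):
        if SQLI_RE.search(field):
            findings.append("SQLi")
            break
    return findings


def scan(requests):
    """Run check_request over a {name: raw_request} mapping."""
    return {name: check_request(raw) for name, raw in requests.items()}


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = {
    "benign_get": "GET /index.html HTTP/1.1\r\nHost: app.test\r\n\r\n",
    "benign_propfind": (
        "PROPFIND /docs/ HTTP/1.1\r\nHost: files.test\r\nDepth: 1\r\n"
        "If: <http://files.test/docs/> (<opaquelocktoken:1>)\r\n\r\n"
    ),
    "webdav_long_if": (
        "PROPFIND / HTTP/1.1\r\nHost: target.test\r\nContent-Length: 0\r\n"
        "If: <http://target.test/" + "a" * 600 + "> (Not <locktoken:write1>)\r\n\r\n"
    ),
    "wls_xmldecoder": (
        "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: wls.test\r\n"
        "Content-Type: text/xml\r\n\r\n"
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">'
        '<java version="1.4.0" class="java.beans.XMLDecoder"></java>'
        "</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>"
    ),
    "sqli_query": (
        "GET /login?user=admin%27%20OR%201%3D1--&pass=x HTTP/1.1\r\nHost: app.test\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{name:16s} {hits or 'clean'}")
```

The first two rules are precise because the vulnerable endpoints and the attacker-controlled field are fixed; the SQL injection rule is only a heuristic, and the real fix on the application side is parameterised queries rather than input filtering. Any hit on the first two rules against a host that is actually running IIS 6.0 or an unpatched WebLogic should be treated as a likely compromise, not just an attempt, given the exploitation rates the report describes.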

Necurs

The world's largest botnet, Necurs, seen using new evasion techniques

Target: Worldwide

Attack Vector: A two-stage download from a remote server

Summary: The latest spam distribution campaign by Necurs, the world's largest botnet, sees a number of different evasion techniques implemented by its authors, the main one being an evolved, two-step download method for the final malware payload.

Risk assessment summary: This threat is assessed at 3d MODERATE. With these new evasion techniques the risk of infection is raised, as anti-virus software is less likely to detect new and unknown variants of Necurs or of any other malware it downloads.

The risk is also heightened because the malware the botnet drops is constantly changing, depending on what the authors want to use the victims' devices for.