
Malware downloader on the rise in Check Point’s latest Threat Index

16 Jan 2019

Check Point has published its latest Global Threat Index for December 2018.

The index reveals that SmokeLoader, a second-stage downloader known to researchers since 2011, rose 11 places in December to enter the Index’s top 10 at ninth place.

Following a surge of activity in Ukraine and Japan, its global impact rose by 20 places.

SmokeLoader is mainly used to load other malware, such as the Trickbot and Panda banking Trojans and the AZORult infostealer.

Cryptomining malware continues to lead the Index, with Coinhive retaining its number one position for the 13th month in a row and impacting 12% of organisations worldwide.

XMRig was the second most prevalent malware with a global reach of 8%, closely followed by the JSEcoin miner in third with a global impact of 7%. 

Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.

The report also showed banking Trojans rising up the index, with Ramnit, a banking Trojan that steals login credentials and other sensitive data, returning to the top 10 this month in eighth place.

Check Point threat intelligence and research group manager Maya Horowitz says, “December’s report saw SmokeLoader appearing in the top 10 for the first time.

Its sudden surge in prevalence reinforces the growing trend towards damaging, multipurpose malware in the Global Threat Index, with the top 10 divided equally between cryptominers and malware that uses multiple methods to distribute numerous threats. 

The diversity of the malware in the Index means that it is critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”

December 2018’s Top 3 ‘Most Wanted’ malware:

1.     Coinhive - Cryptominer designed to mine the Monero cryptocurrency in the browser, without the user's knowledge or approval, whenever a user visits a web page that embeds it. The implanted JavaScript consumes a great deal of the end user's computational resources to mine coins and may crash the system.

2.     XMRig - Open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.

3.     JSEcoin - JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.

Triada, the modular backdoor for Android, has retained first place in the top mobile malware list.

Guerilla has climbed to second place, replacing Hiddad.

Meanwhile, Lotoor has replaced Android banking Trojan and info-stealer Lokibot in third place.

December’s Top 3 ‘Most Wanted’ Mobile Malware:

1.     Triada - Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it embed itself in system processes. Triada has also been seen spoofing URLs loaded in the browser.

2.     Guerilla - Android ad-clicker which has the ability to communicate with a remote command and control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.

3.     Lotoor - Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.

Check Point researchers also analysed the most exploited cyber vulnerabilities.

Holding on to first place was CVE-2017-7269, whose global impact also rose slightly to 49%, compared to 47% in November.

In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global impact of 42% closely followed by PHPMyAdmin Misconfiguration Code Injection with an impact of 41%. 

December’s Top 3 ‘Most Exploited’ vulnerabilities:

1.     Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over the network to Microsoft Internet Information Services 6.0 on Microsoft Windows Server 2003 R2, a remote attacker could execute arbitrary code or cause a denial of service condition on the target server. The flaw is a buffer overflow in the WebDAV service caused by improper validation of an overlong header (one beginning with "If: <http://") in a PROPFIND request.

2.     OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets: the payload length declared inside the heartbeat message is not checked against the length of the record that carries it, so the responder copies and returns memory beyond the request. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

3.     Web servers PHPMyAdmin Misconfiguration Code Injection - A code injection vulnerability has been reported in PHPMyAdmin, caused by misconfiguration of the application. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.
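Two checks for items 1 and 2 above, as an added Python example that is not from Check Point's report and not code from Microsoft or OpenSSL. The first is a request-shape check for the CVE-2017-7269 trigger (a PROPFIND whose If header begins with "<http://" and is abnormally long; the 256-byte limit is an assumption, not a figure from the report). The second models the Heartbleed length mismatch: a heartbeat handler that trusts the declared payload length next to one that enforces the bound the OpenSSL fix added, plus the same bound used as a wire-level detection rule. All requests and the heap contents are constructed for the example.

```python
import struct

# --- Item 1: CVE-2017-7269 request-shape check ---------------------------------
# Assumption (not from the report): a legitimate WebDAV If header stays well
# under 256 bytes; the public exploit sends a far longer one. Tune for your site.
IF_HEADER_LIMIT = 256


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else b"")
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)   # split on the first colon only
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def looks_like_cve_2017_7269(raw: bytes, limit: int = IF_HEADER_LIMIT) -> bool:
    """True when the request has the trigger shape: PROPFIND with an If header
    that begins with '<http://' and is abnormally long."""
    method, _target, headers = parse_http_request(raw)
    if method != b"PROPFIND":
        return False
    if_header = headers.get(b"if", b"")
    return if_header.startswith(b"<http://") and len(if_header) > limit


# --- Item 2: Heartbleed (CVE-2014-0160) length mismatch -------------------------
HEARTBEAT_CONTENT_TYPE = 0x18
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16  # minimum padding RFC 6520 requires after the payload


def build_heartbeat_record(payload: bytes, declared_len=None) -> bytes:
    """TLS 1.2 record carrying a HeartbeatRequest. declared_len lets the sender
    lie about the payload length, which is what a Heartbleed probe does."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 3, len(body)) + body


def parse_record(record: bytes):
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    return ctype, (vmaj, vmin), length, record[5:5 + length]


def vulnerable_respond(record: bytes, heap_after_record: bytes) -> bytes:
    """Models the pre-fix handler: copies `declared` bytes from the payload start
    without checking that against the record length, so the copy runs off the
    record into whatever the process heap holds next."""
    _ctype, _ver, _length, body = parse_record(record)
    _hb_type, declared = struct.unpack("!BH", body[:3])
    heap = body + heap_after_record          # constructed view of process memory
    echoed = heap[3:3 + declared]
    return struct.pack("!BH", HB_RESPONSE, declared) + echoed + b"\x00" * PADDING_LEN


def patched_respond(record: bytes, heap_after_record: bytes):
    """The check the fix added: type, length, declared payload and padding must
    all fit inside the record, otherwise the message is silently discarded."""
    _ctype, _ver, length, body = parse_record(record)
    if length < 1 + 2 + PADDING_LEN:
        return None
    _hb_type, declared = struct.unpack("!BH", body[:3])
    if 1 + 2 + declared + PADDING_LEN > length:
        return None
    return struct.pack("!BH", HB_RESPONSE, declared) + body[3:3 + declared] + b"\x00" * PADDING_LEN


def is_malformed_heartbeat(record: bytes) -> bool:
    """The same bound, used as a detection rule on captured TLS records."""
    ctype, _ver, length, body = parse_record(record)
    if ctype != HEARTBEAT_CONTENT_TYPE or len(body) < 3:
        return False
    _hb_type, declared = struct.unpack("!BH", body[:3])
    return 1 + 2 + declared + PADDING_LEN > length


def leaked_bytes(record: bytes, heap_after_record: bytes) -> bytes:
    """What the vulnerable handler discloses beyond the bytes the client sent."""
    resp = vulnerable_respond(record, heap_after_record)
    _hb_type, declared = struct.unpack("!BH", resp[:3])
    _ctype, _ver, length, _body = parse_record(record)
    sent = length - 3                        # the client's own payload + padding
    return resp[3:3 + declared][sent:]


if __name__ == "__main__":
    heap = b"Cookie: session=d41d8cd98f00b204;" + b"\x00" * 64   # constructed heap
    probe = build_heartbeat_record(b"ping", declared_len=64)
    print(is_malformed_heartbeat(probe), leaked_bytes(probe, heap)[:33])
    print(patched_respond(probe, heap))
    webdav = (b"PROPFIND / HTTP/1.1\r\nHost: iis6\r\nIf: <http://localhost/"
              + b"A" * 600 + b">\r\n\r\n")
    print(looks_like_cve_2017_7269(webdav))
```

The heap model is deliberately simple: the record body is followed directly by the bytes you pass in, which is enough to show why a 4-byte payload with a declared length of 64 hands back 44 bytes of neighbouring memory. The patched handler and the detection rule apply the identical inequality, so a sensor that flags records failing it sees exactly the traffic the fixed server would drop.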

Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, a collaborative network fighting cybercrime which delivers threat data and attack trends from a global network of threat sensors.

The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.
