SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Malware downloader on the rise in Check Point’s latest Threat Index
Wed, 16th Jan 2019

Check Point has published its latest Global Threat Index for December 2018.

The index reveals that SmokeLoader, a second-stage downloader known to researchers since 2011, rose 11 places in December to enter the Index's top 10 at ninth place.

After a surge of activity in Ukraine and Japan, its global impact grew by 20 places.

SmokeLoader is mainly used to load other malware, such as Trickbot Banker, AZORult Infostealer and Panda Banker.

Cryptomining malware continues to lead the Index, with Coinhive retaining its number one position for the 13th month in a row and impacting 12% of organisations worldwide.

XMRig was the second most prevalent malware with a global reach of 8%, closely followed by the JSEcoin miner in third with a global impact of 7%.

Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.

The report also showed banking Trojans rising up the index, with Ramnit, a banking Trojan that steals login credentials and other sensitive data, returning to the top 10 this month in eighth place.

Check Point threat intelligence and research group manager Maya Horowitz says, “December's report saw SmokeLoader appearing in the top 10 for the first time.

Its sudden surge in prevalence reinforces the growing trend towards damaging, multipurpose malware in the Global Threat Index, with the top 10 divided equally between cryptominers and malware that uses multiple methods to distribute numerous threats.

The diversity of the malware in the Index means that it is critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”

December 2018's Top 3 ‘Most Wanted’ malware:

1. Coinhive - Cryptominer designed to perform online mining of Monero cryptocurrency when a user visits a web page, without the user's knowledge or approval. The implanted JavaScript uses a great deal of the computational resources of end users' machines to mine coins and may crash the system.

2. XMRig - Open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.

3. JSEcoin - JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.

Triada, the modular backdoor for Android, has retained first place in the top mobile malware list.

Guerilla has climbed to second place, replacing Hiddad.

Meanwhile, Lotoor has replaced Android banking Trojan and info-stealer Lokibot in third place.

December's Top 3 ‘Most Wanted’ Mobile Malware:

1. Triada - Modular backdoor for Android which grants superuser privileges to downloaded malware and helps it become embedded in system processes. Triada has also been seen spoofing URLs loaded in the browser.

2. Guerilla - Android ad-clicker which has the ability to communicate with a remote command-and-control (C&C) server, download additional malicious plugins and perform aggressive ad-clicking without the consent or knowledge of the user.

3. Lotoor - Hack tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.

Check Point researchers also analysed the most exploited cyber vulnerabilities.

Holding on to first place was CVE-2017-7269, whose global impact also rose slightly to 49%, compared to 47% in November.

In second place was OpenSSL TLS DTLS Heartbeat Information Disclosure, with a global impact of 42%, closely followed by PHPMyAdmin Misconfiguration Code Injection with an impact of 41%.

December's Top 3 ‘Most Exploited’ vulnerabilities:

1. Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. This is mainly due to a buffer overflow caused by improper validation of a long header in an HTTP request.

2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

3. Web servers PHPMyAdmin Misconfiguration Code Injection - A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to a PHPMyAdmin misconfiguration. A remote attacker can exploit it by sending a specially crafted HTTP request to the target.
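The Heartbeat entry above describes the flaw only as "an error when handling TLS/DTLS heartbeat packets". The added example below (not from Check Point or the article; sample records are constructed inline) shows the concrete defect as a defender's check: a heartbeat message declares its own payload length, and the vulnerable handler trusted that value instead of comparing it with the size of the record actually received. The function mirrors the bounds check that closed CVE-2014-0160 and can be run over captured TLS records to flag requests whose declared length cannot fit in the record.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one TLS record: 'ok', 'not-heartbeat', or 'malformed:<reason>'.

    The essential check: the payload_length declared inside the heartbeat
    message must fit in the enclosing record together with the 1-byte type,
    the 2-byte length field and the minimum padding.
    """
    if len(record) < 5:
        return "malformed:short-record-header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return "malformed:record-length-mismatch"
    if rec_len < 1 + 2 + MIN_PADDING:
        return "malformed:body-too-short"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The unpatched code copied payload_len bytes back to the peer without this
    # comparison, so a declared length larger than the body leaked process memory.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return f"malformed:payload-length-{payload_len}-exceeds-record-{rec_len}"
    return "ok"


def build_record(payload: bytes, declared_len: int) -> bytes:
    """Construct a TLS 1.1 heartbeat request record (helper for constructed samples)."""
    body = struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(body)) + body


# Constructed samples: a well-formed request and one whose declared length
# (65535) is far larger than the 4 bytes of payload actually present.
SAMPLES = {
    "benign": build_record(b"ping", declared_len=4),
    "oversized": build_record(b"ping", declared_len=0xFFFF),
    "handshake": b"\x16\x03\x01\x00\x05hello",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name}: {check_heartbeat_record(rec)}")
```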

Check Point's Global Threat Impact Index and its ThreatCloud Map are powered by Check Point's ThreatCloud intelligence, a collaborative network fighting cybercrime that delivers threat data and attack trends from a global network of threat sensors.

The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.