Check Point Announces Top 10 Most Popular Malware in March 2018

In the newly released Global Malware Threat Impact Index report, Check Point, a network security company, pointed out that the number of cyberattacks against cryptocurrencies has surged throughout March. Among them, more and more cybercriminals have begun to use the modified XMRig mining program to carry out malicious mining activities.

XMRig was originally a legitimate open-source mining program with multiple updated versions that support 32-bit and 64-bit Windows and Linux operating systems. However, based on its open source nature, several malicious versions have been used by cybercriminals in the past few months to install in the victim’s system without permission to gain illegal profits.

On the other hand, XMRig’s mining behavior exploits the CPU resources of the computer itself and does not involve any web browser interactions. In other words, cybercriminals can use malware developed based on the XMRig mining program to mine money without the victim opening any web pages.

In addition to slowing down the speed of computers or servers, malicious software developed based on XMRig infects a device and starts looking for other devices on the same network to complete self-replication. This can cause serious security threats to victims.

After appearing for the first time in May 2017, XMRig is constantly being revised and updated by cybercriminals, and finally entered Check Point’s list of the top ten most popular malware programs in the world (ranked eighth, affecting 5% of the global organization).

Due to the impact of 18% of the global organization, Coinhive, which also mines malware for cryptocurrencies, has remained at the top spot for the fourth consecutive month. In second place is the exploit tool Rig ek (affects 17%), while another cryptocurrency mining malware, Cryptoloot, came in third (affecting 15%).

Top 10 Most Popular Malware in March 2018

*The arrows relate to the change in rank compared to the previous month.

1. ↔ Coinhive – Crypto Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. The implanted JavaScript uses great computational resources of the end users to mine coins and might crash the system.
2. ↑ Rig ek – Exploit Kit first introduced in 2014. Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit
3. ↓ Cryptoloot – Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking less percents of revenue from websites.
4. ↑ Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
5. ↓ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives
6. ↔ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
7. ↑ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts, but can be modified to create different types of botnets.
8. ↑ XMRig– XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.
9. ↓ Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.
10. ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.

 March’s Top 3 ‘Most Wanted’ mobile malware:

1. Lokibot –  Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone.
2. Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware.
3. Hiddad– Android malware which repackages legitimate apps then releases them to a third-party store.

The three most popular security vulnerabilities in March 2018

Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-10271), global impact rate of 26% – It resides in Oracle WebLogic’s WLS component, derived from Oracle WebLogic’s incorrect approach to processing xml decoding, successful use May cause remote code execution.

SQL injection vulnerabilities, global impact rate of 19% – Injecting SQL queries into the input from the client to the application, taking advantage of the specificity of the database to gain more information or more permissions.

Microsoft Windows HTTP.sys Remote Code Execution Vulnerability (MS15-034: CVE-2015-1635), Global Impact Rate is 12% – Vulnerability is caused by HTTP.sys handling malicious HTTP headers in a wrong way. Successful exploitation will result in Remote Code Execution.