A resurgence in exploit kits has security experts at Check Point urging vigilance to the broad spectrum of threats and attack vectors, even from those which seemingly faded.
According to the latest Global Threat Impact Index from the Check Point Threat Intelligence Research Team, even malware that seemed to have fallen into disuse can return to wreak havoc all over again. In particular, the researchers detected a spike in the use of exploit kits in March, after a fallow period for most of the past year.
Exploit kits are generally a type of hacking package disseminated via web servers that is able to detect vulnerabilities in software on devices connected to it and, once discovered, can exploit the flaws to launch malicious code to the victim machines. Available on the underground market, users need little knowledge of coding to put them to use.
The popular Angler exploit kit, used especially for malvertising campaigns, largely disappeared last June after the Necurs botnet was taken down. At that point, the use of exploit kits dropped as malware distributors, the Check Point team wrote.
But, the arrival of the Rig exploit kit in March changed the threat landscape. Rig soon gained prominence as the month's second most-used malware in the world. Additionally, though it didn't succeed in making Check Point's monthly top 10, also gaining prominence was the Terror Exploit Kit. These attacks are being used to deliver a number of threats, including ransomware, banking trojans, spambots and Bitcoin miners.
HackerDefender was at the top of Check Point's top 10 malware list for March, followed by Rig EK in second place. Each of these scourges affected five percent of enterprises across the globe, the researchers reported.
March 2017's Top 10 ‘Most Wanted' Malware were:
*The arrows relate to the change in rank compared to the previous month.
- ↑ HackerDefender – User-mode rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
- ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
- ↓ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
- ↑ Zeus – Banking trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
- ↑ Pykspa – Worm that spreads itself by sending instant messages to contacts on Skype. It extracts personal user information from the machine and communicates with remote servers by using a Domain Generation Algorithms (DGA).
- ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
- ↓ Hancitor – Downloader used to install malicious payloads (such as Banking Trojans and Ransomware) on infected machines. Also known as Chanitor, Hancitor is usually delivered as a macro enables Office document in Phishing emails with “important” messages such as voicemails, faxes or invoices.
- ↑ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
- ↑ Necurs – Botnet used to spread malware by spam emails, mainly ransomware and banking trojans.
In mobile malware, the top two families remained the same as in February, while Ztorg climbed back to the top three, the Check Point team found.
The Top 3 ‘Most Wanted' mobile malware in March were:
- Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
- Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
- Ztorg – Trojan that uses root privileges to download and install applications on the mobile phone without the user's knowledge.
"The wide range of threats seen during the past month utilize all available tactics in the infection chain to try and gain a foothold on enterprise networks," reported the Check Point Threat Intelligence Research Team. To thwart these wide-ranging attacks, the team advised organizations implement "advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage."
Exploit kit developers put significant investment into finding and exploiting new vulnerabilities that will help them successfully infiltrate the end-user's system, a spokesperson for the Check Point Threat Intelligence Research Team, told SC Media. "In this aspect, Rig and Terror do not offer any significant technical advantage over other exploit kits, but have managed to become the tool of choice, at least for now. The Exploit Kit landscape has gone through major changes in the past year, so there is no guarantee that they will maintain the lead in the months to come.”