Both the number of active malware families and the number of attacks increased by five percent in October, according to the Global Threat Index, a monthly ranking from Check Point's Threat Intelligence Research Team of the most prevalent malware families attacking enterprise networks.
Locky ransomware moved up the rankings from third to second as its activity continues to spike, while the notorious Zeus banking trojan, first detected in July 2007, returned to the top three. Locky's rise is attributed to constant changes to its code base and spam messaging, as well as its widespread dissemination through ever-growing distribution networks.
Meanwhile, Conficker retained the top spot as the planet's most prevalent malware, responsible for 17 percent of recognized attacks. HummingBad, an Android malware that deploys a rootkit for a variety of nefarious deeds, retained its top spot in the mobile malware category.
"With the number of attacks and malware families increasing, the scale of the challenge organizations face in ensuring their networks remain secure is tremendous," Nathan Shuchami, head of threat prevention at Check Point, commented on the report. "The fact that the top 10 malware remained virtually the same as in September suggests that cybercriminals have enjoyed a considerable amount of success with these attack methods, signaling to organizations that they need to proactively respond to protect their critical business assets. It is particularly concerning that a malware family as established and well known as Conficker is so effective, suggesting that organizations aren't using the latest, multi-layered defenses."
October's Top 10 'Most Wanted' Malware
↔ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
↑ Locky – Ransomware that started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip file attachment, which then downloads and installs the malware that encrypts the user files.
↑ Zeus – Trojan that targets Windows platforms and is often used to steal banking information through man-in-the-browser keystroke logging and form grabbing.
↔ Cutwail – Botnet mostly involved in sending spam emails, as well as some DDoS attacks. Once installed, the bots connect directly to the command and control server, and receive instructions about the emails they should send. After they are done with their task, the bots report back to the spammer exact statistics regarding their operation.
↓ Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
↑ Tinba – Banking trojan that steals the victim's credentials using web injects and is activated when the user tries to log in to their bank's website.
↑ HackerDefender – User-mode rootkit for Windows that can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. As a result, it is not possible to find the hidden backdoor through traditional means.
↔ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomware families to date. Cryptowall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymity network. It is widely distributed via exploit kits, malvertising and phishing.
↑ Parite – Virus that infects executable files (.exe and .scr) on the infected host and on network drives. It drops a malicious DLL file into the Windows temporary directory, which is injected into the explorer.exe process when an infected file is executed.
↑ Virut – Botnet that is known to be used for cybercrime activities such as DDoS attacks, spam, fraud, data theft and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites).
– Check Point Threat Index
October's Top 3 'Most Wanted' Mobile Malware
Mobile malware families continued to pose a significant threat to businesses, with 15 of the top 200 malware families targeting mobile devices. The three most common mobile families were:
↔ HummingBad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications and enables additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
↔ Triada – Modular backdoor for Android that grants super-user privileges to downloaded malware and helps it embed itself into system processes. Triada has also been seen spoofing URLs loaded in the browser.
↑ XcodeGhost – A compromised version of the iOS developer platform, Xcode. This unofficial version of Xcode was altered so that it injects malicious code into any app that was developed and compiled using it. The injected code sends app information to a Command & Control server, allowing the infected app to read the device clipboard.
– Check Point Threat Index