Cyber-criminals are increasingly turning to cryptominers to develop illegal revenue streams, while ransomware and ‘malvertising’ adware continue to impact organizations worldwide, according to Check Point® Software Technologies Ltd.’s H2 2017 Global Threat Intelligence Trends report.
During the period July to December 2017, one in five organizations were impacted by cryptomining malware, tools that enable cybercriminals to hijack the victim’s CPU or GPU power and existing resources to mine cryptocurrency, using as much as 65% of the end-user’s CPU power.
Key malware trends in H2 2017
Check Point researchers detected a number of key malware trends during the period, including:
• Cryptocurrency Miners Frenzy – While crypto-miners are commonly used by individuals to mine their own coins, the rising public interest in virtual currencies has slowed the mining process, which depends directly on the number of currency holders. This slowdown has increased the computational power needed to mine crypto-coins, which led cybercriminals to think of new ways to harness the computation resources of an unsuspecting public.
• Decrease in Exploit Kits – Up until a year ago, Exploit Kits used to be a prime attack vector. During 2017 however, the use of Exploit Kits has significantly decreased as once exploited platforms have become more secure. The rapid response to new vulnerabilities exposed in these products by security vendors and leading browser developers, along with automatic updates of newer versions, have also significantly shortened the shelf life of new exploits.
• Increase in Scam Operations and Malspam – Throughout 2017, the ratio between infections based on HTTP and STMP shifted in favor of SMTP, from 55% in the first half of 2017 to 62% in the second. The increase in the popularity of these distribution methods attracted skilled threat actors who brought with them an advanced practice that included various exploitations of vulnerabilities in documents, especially in Microsoft Office.
• Mobile malware reaches enterprise level – In the last year, we have witnessed several attacks directed at enterprises originating from mobile devices. This includes mobile devices acting as a proxy, triggered by the MilkyDoor malware, andused to collect internal data from the enterprise network.. Another type is mobile malware, such as the Switcher malware, that attempts to attack network elements (e.g. routers) to redirect network traffic to a malicious server under the attacker’s control.
Maya Horowitz, Threat Intelligence Group Manager at Check Point commented: “The second half of 2017 has seen crypto-miners take the world by storm to become a favorite monetizing attack vector. While this is not an entirely new malware type, the increasing popularity and value of cryptocurrency has led to a significant increase in the distribution of crypto-mining malware. Also, there has been a continuation of trends, such as ransomware, that date back to 2016, which is still a leading attack vector, used for both global attacks and targeted attacks against specific organizations. 25% of the attacks we saw in this period exploit vulnerabilities discovered over a decade ago, and less than 20% use ones from the last couple of years. So it’s clear that there is still a lot that organizations need to do to fully protect themselves against attacks.”
Top Malware During H2 2017
1 Roughted (15.3%) – A purveyor of ad-blocker aware malvertising responsible for a range of scams, exploits, and malware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
2 Coinhive (8.3%) – A crypto-miner designed to perform online mining of the Monero cryptocurrency without the user’s approval when a user visits a web page. Coinhive only emerged in September 2017 but has hit 12% of organizations worldwide hit by it.
3 Locky (7.9%) – Ransomware that spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment, before installing malware that encrypts the user files.
Top Ransomware During H2 2017
1 Locky (30%) – Ransomware that spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment, before installing malware that encrypts the user files.
2 Globeimposter (26%) – Distributed by spam campaigns, malvertising and exploit kits. Upon encryption, the ransomware appends the .crypt extension to each encrypted file.
3 WannaCry (15%) – Ransomware that was spread in a large scale attack in May 2017, utilising a Windows SMB exploit called EternalBlue, in order to propagate within and between networks.
Top Mobile Malware During H2 2017
1 Hidad (55%) – Android malware which repackages legitimate apps and then releases them to a third-party store. It is able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
2 Triada (8%) – A Modular Backdoor for Android which grants superuser privileges to downloaded malware, as it helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
3 Lotoor (8%) – A hacking tool that exploits vulnerabilities on the Android operating system in order to gain root privileges.
Top Banking Malware During H2 2017
1 Ramnit (34%) – A banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
2 Zeus (22%) – A Trojan that targets Windows platforms and often uses them to steal banking information by man-in-the-browser keystroke logging and form grabbing.
3 Tinba (16%) – A banking Trojan which steals the victim’s credentials using web-injects, activated as the user tries to login to their banking website.
The statistics in this report are based on data drawn from the Check Point’s ThreatCloud intelligence between July and December 2017. Check Point’s ThreatCloud intelligence is the largest collaborative network to fight cybercrime and delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.