New malware threats are emerging all the time. But while most threats are neutralised before getting widely distributed, a handful of malware manages to evade widespread detection and proceeds to spread like wildfire across the internet.
For businesses and consumers operating in 2019, it is generally the most widely distributed pieces of malware that pose the most significant threat.
The Center for Internet Security, a US non-profit organisation, maintains a list of the top 10 current malware threats, measured by the number of notifications received for each threat.
This list is constantly evolving to include the latest cybersecurity threats as old malware becomes ineffective. If you click on the link above you’ll find a current list of which malware threats are most dangerous.
Malware Top Ten
In time-honoured fashion, here in reverse order is the current Top Ten malware according to CIS.
Tying for last place, but by no means least, is Emotet, probably the most successful and certainly one of the most persistent pieces of recent malware. It has been around since 2014 yet continues to appear in the CIS list. It is currently tying for eighth position and accounted for 6% of all the notifications the CIS received in March 2019.
Emotet started as a banking trojan but has evolved to use a variety of attack vectors. It infects a computer via spam email (a malspam campaign) and recent campaigns have imitated PayPal receipts, shipping notifications or overdue invoices.
If an end-user opens the document attached to the email and has the macro feature of Microsoft Office enabled, Emotet downloads in the background. It will then attempt to spread to other PCs connected to the same network by taking advantage of vulnerabilities and weak passwords.
Once installed on a victim’s computer, Emotet gathers information on the system and a list of running processes. It then contacts a “command and control” server operated by the hackers to determine a suitable malware “payload” to download to the victim’s computer.
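The macro-bearing attachment in the Emotet chain described above is the step a mail gateway or a user can screen for before anything runs. What follows is an added example, not code from this article, from CIS or from any of the vendors quoted: a small Python check that opens an OOXML attachment (.docm, .docx, .xlsm and similar files are zip containers) and reports whether it carries an embedded VBA project. The sample attachments are constructed inside the script; the part name `vbaProject.bin` and the content type `application/vnd.ms-office.vbaProject` are the standard OOXML markers for embedded VBA, while the legacy binary .doc/.xls formats are not zip containers and are routed to manual review rather than guessed at.

```python
import io
import zipfile


def build_ooxml(parts):
    """Pack a dict of {part name: bytes} into a zip container shaped like an Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (not real Emotet lures): the same minimal
# document with and without a VBA project part, plus an OLE-signature blob
# standing in for a legacy binary .doc.
CONTENT_TYPES_CLEAN = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="xml" ContentType="application/xml"/></Types>'
)
CONTENT_TYPES_MACRO = CONTENT_TYPES_CLEAN.replace(
    b"</Types>",
    b'<Override PartName="/word/vbaProject.bin" '
    b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
)
DOCUMENT_XML = b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'

CLEAN_DOC = build_ooxml({"[Content_Types].xml": CONTENT_TYPES_CLEAN, "word/document.xml": DOCUMENT_XML})
MACRO_DOC = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_MACRO,
    "word/document.xml": DOCUMENT_XML,
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # placeholder OLE stream
})
LEGACY_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56  # OLE signature, not a zip

NON_MACRO_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def macro_indicators(data, filename=""):
    """Return the reasons an OOXML attachment looks macro-enabled; an empty list means none found.

    Raises zipfile.BadZipFile when the data is not a zip container at all.
    """
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            # Word stores the project under word/, Excel under xl/; compare the leaf name only.
            if name.lower().rsplit("/", 1)[-1] == "vbaproject.bin":
                reasons.append(f"VBA project part present: {name}")
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "vnd.ms-office.vbaProject" in content_types:
                reasons.append("[Content_Types].xml declares a VBA project")
    if reasons and filename.lower().endswith(NON_MACRO_EXTENSIONS):
        # A macro project inside a file named as a macro-free format is worth its own flag.
        reasons.append(f"extension of {filename!r} does not admit macros but VBA content is present")
    return reasons


def triage_attachment(filename, data):
    """Gateway decision: 'quarantine', 'allow', or 'manual-review' for non-OOXML containers."""
    try:
        reasons = macro_indicators(data, filename)
    except zipfile.BadZipFile:
        return "manual-review"
    return "quarantine" if reasons else "allow"


if __name__ == "__main__":
    for name, blob in (("invoice.docm", MACRO_DOC), ("receipt.docx", CLEAN_DOC), ("statement.doc", LEGACY_DOC)):
        print(name, "->", triage_attachment(name, blob))
```

The check only answers "is there a VBA project in this container", which is the property the article's Emotet description turns on; it says nothing about what the macro does, and it does not cover the legacy binary formats, which need an OLE-aware parser. Pairing it with the Office setting that blocks macros from internet-sourced documents addresses the "macro feature enabled" half of the chain.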
“First known for banking trojans, Emotet has now evolved and can drop crypto mining and ransomware payloads. That is what makes it really nasty,” says Tyler Moffitt, threat research analyst at cybersecurity firm Webroot.
Banking trojans dominate
Also with a 6% share and tying for eighth place with Emotet are Qakbot and Dridex, two banking trojans. Once installed on a victim’s PC, they monitor network traffic going to online banking sites. They then steal the user’s credentials by “keylogging” – recording the sequence of characters that the user enters on the keyboard when logging in to the banking site.
Moving up to seventh place is another banking trojan called Trickbot. Trickbot uses a man-in-the-browser attack method (i.e. it sits between the web browser and the computer’s security controls) to read or modify financial transactions made by the user. Due to the covert approach used, it can be very difficult for a user to identify Trickbot in operation.
Tying for fifth place is ZeuS, yet another banking trojan, and Coinminer. The latter is an example of the relatively new category of crypto-mining malware.
Once installed on a victim’s computer, it usurps the CPU to mine cryptocurrencies on behalf of the hacker. Due to the collapse in cryptocurrency valuations, a single computer that has been hijacked makes only 6-10 cents a day for the criminals, so as a get-rich strategy, crypto mining is only viable if many computers can be infected.
Just like biological viruses, malware continually evolves and morphs, complicating attempts to track and classify malware.
While banking trojan ZeuS figures high on the CIS list, since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its code. This means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
In fourth position on the CIS list sits NanoCore. This is a Remote Access Trojan (RAT) that can be easily downloaded via the internet. Typically spread via email and commonly embedded within an infected Excel attachment, NanoCore is relatively easy to use.
This makes it a popular option for novice threat actors. In addition, the “Nanocore community” continues to develop add-on modules that expand the possible attacks available to this malware.
On the malware podium
Runners-up in the CIS Top Ten are Kovter and Gh0st, which currently tie for second place with 14% of all notifications sent to the CIS.
Kovter has metamorphosed over the years to become ‘fileless’ malware, hiding in the Windows system registry which makes it more difficult to detect.
Gh0st is another RAT, first identified in 2016 and initially used for state-sponsored attacks against opponents to China’s ruling party, according to cybersecurity company Enigmasoft. Since then, it has been used on a much wider scale.
And the Winner is…
In first place on the CIS list, we have the notorious WannaCry, with a 19% share. WannaCry first rose to fame in May 2017, demanding ransom payments from hapless PC users who suddenly found that the data on their PC had been encrypted. The ransomware campaign was unprecedented in scale and Europol estimates around 200,000 computers were infected in 150 countries, including hospitals in the UK.
WannaCry is a ransomware “cryptoworm” that uses the EternalBlue security flaw to spread itself across PCs running unpatched versions of Windows. Ironically, the EternalBlue exploit was used by the US National Security Administration for surveillance operations before it was leaked by hackers.
Why is WannaCry still so prevalent? Windows 10 is immune from the EternalBlue weakness, but predecessors like Windows 7 are not. They remain in widespread use, particularly in businesses. Webroot says that 43% of its business customers are still using Windows 7 compared to 45% running Windows 10.
So while the spread of WannaCry has been stopped and there has not been a repeat of the first ransomware campaign, there are still many older unpatched computers infected with WannaCry.
According to Tyler Moffitt, Windows 10 is a much safer operating system and that has led to a steady decline over the past year in the number of malware files found on the computers that Webroot monitors.
That’s the good news. But the bad news is that while the amount of malware has declined, the malware is also getting smarter, making it more difficult to detect.