Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. has published its latest Global Threat Index for March 2019. The index reveals that while cryptomining services such as Coinhive have closed down, cryptominers are still the most prevalent malware aimed at organizations globally.
As announced last month, both Coinhive and Authedmine stopped their mining services on March 8th. For the first time since December 2017, Coinhive dropped from the top position but, despite having only operated for eight days in March, it was still the 6th most prevalent malware to affect organizations during the month. At its peak, Coinhive impacted 23% of organizations worldwide.
Many websites still contain the Coinhive JavaScript code today, though with no mining activity taking place. Check Point's researchers warn that Coinhive may well reactivate if the value of Monero increases. Alternatively, other mining services may increase their activity to take advantage of Coinhive's absence.
During March, three of the top five most prevalent malware were cryptominers – Cryptoloot, XMRig and JSEcoin. Cryptoloot headed the Threat Index for the first time, closely followed by Emotet, the modular trojan. Both had a global impact of 6%. XMRig is the third most popular malware impacting 5% of organizations worldwide.
Maya Horowitz, Threat Intelligence and Research Director at Check Point commented: "With cryptocurrencies' values dropping overall since 2018, we will be seeing more cryptominers for browsers following Coinhive's steps and ceasing operation. However, I suspect that cyber criminals will find ways to earn from more robust cryptomining activities, such as mining on Cloud environments, where the built-in auto-scaling feature allows the creation of a larger haul of cryptocurrency. We have seen organizations being asked to pay hundreds of thousands of dollars to their Cloud vendors for the compute resources used illicitly by cryptominers. This is a call for action for organizations to secure their Cloud environments."
March 2019's Top 3 'Most Wanted' Malware:
*The arrows relate to the change in rank compared to the previous month.
This month Hiddad is the most prevalent Mobile malware, replacing Lotoor at first place in the top mobile malware list. Triada remains in third place.
March's Top 3 'Most Wanted' Mobile Malware:
Check Point's researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-7269 is still leading the top exploited vulnerabilities with a 44% global impact. Web Server Exposed Git Repository Information Disclosure and is in second place, with OpenSSL TLS DTLS Heartbeat Information Disclosure in third, both impacting 40% of organizations worldwide.
March's Top 3 'Most Exploited' vulnerabilities:
Check Point's Global Threat Impact Index and its ThreatCloud Map is powered by Check Point's ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.
The below table also gives you an understanding on how India is faring in terms of malware attacks as compared to global counterparts
Find top 10 per country | |||
Malware_Family_Name | Description | Global Impact | INDIA Impact |
XMRig | XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017. | 7.68% | 22.64% |
Coinhive | Crypto Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user's approval. The implanted JS uses great computational resources of the end users machines to mine coins, thus impacting its performance. | 11.59% | 21.40% |
Dorkbot | IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system, with the primary motivation being to steal sensitive information and launch denial-of-service attacks. | 3.75% | 12.04% |
Jsecoin | JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives. | 5.57% | 11.52% |
Cryptoloot | cryptominer malware, using the victim's CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive. | 6.23% | 10.03% |
Emotet | Advanced, self-propagating and modular Trojan. Emotet used to operate as a banking Trojan, and has evolved to be used as a distributer of other malware or malicious campaigns. It uses multiple methods and evasion techniques for maintaining persistence and avoiding detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links. | 5.14% | 7.75% |
Virut | Virut is one of the major botnets and malware distributors in the Internet. It is used in DDoS attacks, spam distribution, data theft and fraud. The malware is spread through executables originating from infected devices. | 1.71% | 7.55% |
Ramnit | Ramnit is a worm that infects and spreads mostly through removable drives and files uploaded to public FTP services. The malware creates a copy of itself to infect removable and permanent drivers. The malware also functions as a backdoor. | 2.57% | 7.24% |
Nitol | Nitol is a Bot agent that targets the Windows platform. This malware collects basic system information and sends it to a remote server. An attacker can instruct the remote server to respond with commands primarily designed to carry out DoS attacks | 1.05% | 7.13% |
Fireball | Fireball is an adware vastly distributed by the Chinese digital marketing company Rafotech. It acts as a browser-hijacker which changes the default search engine and installs tracking pixels, but can be turned into a full-functioning malware downloader. |