March 2019's Most Wanted Malware: Coinhive Stops Digging, but Cryptomining Still Dominates

SAN CARLOS, Calif., April 09, 2019 (GLOBE NEWSWIRE) -- Check Point Research, the Threat Intelligence arm of (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for March 2019. The index reveals that while cryptomining services such as Coinhive have closed down, cryptominers are still the most prevalent malware aimed at organizations globally.

As announced last month, both Coinhive and Authedmine stopped their mining services on March 8th. For the first time since December 2017, Coinhive dropped from the top position but, despite having only operated for eight days in March, it was still the 6th most prevalent malware to affect organizations during the month. At its peak, Coinhive impacted 23% of organizations worldwide.

Many websites still contain the Coinhive JavaScript code today, though with no mining activity taking place. Check Point’s researchers warn that Coinhive may well reactivate if the value of Monero increases. Alternatively, other mining services may increase their activity to take advantage of Coinhive’s absence.

During March, three of the top five most prevalent malware were cryptominers – Cryptoloot, XMRig and JSEcoin. Cryptoloot headed the Threat Index for the first time, closely followed by Emotet, the modular trojan. Both had a global impact of 6%. XMRig is the third most popular malware impacting 5% of organizations worldwide.

Maya Horowitz, Threat Intelligence and Research Director at Check Point commented: “With cryptocurrencies’ values dropping overall since 2018, we will be seeing more cryptominers for browsers following Coinhive’s steps and ceasing operation. However, I suspect that cyber criminals will find ways to earn from more robust cryptomining activities, such as mining on Cloud environments, where the built-in auto-scaling feature allows the creation of a larger haul of cryptocurrency.  We have seen organizations being asked to pay hundreds of thousands of dollars to their Cloud vendors for the compute resources used illicitly by cryptominers. This is a call for action for organizations to secure their Cloud environments.”

March 2019’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

1. ↑ Cryptoloot - Crypto-Miner that uses the victim’s CPU or GPU power and existing resources for crypto mining - adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
2. ↑ Emotet - Advanced, self-propagating and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
3. ↑ XMRig - Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017. 

This month Hiddad is the most prevalent Mobile malware, replacing Lotoor at first place in the top mobile malware list. Triada remains in third place.

March’s Top 3 ‘Most Wanted’ Mobile Malware:

1. Hiddad - Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
   
   
2. Lotoor - Hack tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.
   
   
3. Triada - Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

Check Point’s researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-7269 is still leading the top exploited vulnerabilities with a 44% global impact. Web Server Exposed Git Repository Information Disclosure is in second place, with OpenSSL TLS DTLS Heartbeat Information Disclosure in third, both impacting 40% of organizations worldwide.

March’s Top 3 ‘Most Exploited’ vulnerabilities:

1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability caused by improper validation of a long header in an HTTP request.
2. ↑ Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

* The complete list of the top 10 malware families in March can be found on the Check Point Blog: 

Check Point’s Threat Prevention Resources are available at: 

Follow Check Point Research via:

Blog:

Twitter:

About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. () is a leading provider of cyber security solutions to governments and corporate enterprises globally.  Its solutions protect customers from cyber-attacks with an industry leading catch rate of malware, ransomware and other types of attacks. Check Point offers a multilevel security architecture that defends enterprises’ cloud, network and  mobile device held information, plus the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.