Bitdefender Ranks The Top 10 Malware Threats of 2017

Reading time: 7 min
Share this Share on email Share on twitter Share on linkedin Share on facebook

Recent months have seen a dramatic reshaping of the cyber security threat landscape, according to the “Global Threat Landscape Report—2017,” by Bitdefender.

More traditional threats such as generic Trojans, ransomware attacks, and spam bots have been complemented in a big way by data destructors. Powered by military-grade code allegedly leaked from the U.S. National Security Administration (NSA), both WannaCry and GoldenEye wrought havoc throughout the second and third quarters of 2017, shutting down businesses and causing unprecedented operating losses, the report said.

Novel lateral movement vectors have complemented zero-day exploits such as EternalBlue and EternalRomance to take over the enterprise space, the study noted. Other significant trends in 2017 were the increased focus on freeware or open-source tools stitched together by custom-built code to weaponize them to support the attacker’s agenda.

Targeted attacks are reshaping the corporate and government security landscape and causing fallout in the consumer space as well, as commercial cyber criminals rush to adopt leaked exploits and advanced lateral movement technologies into their own payloads.

Bitdefender is constantly monitoring its global network of more than 500 million sensors for emerging threats or low-key cyber attacks that try to fly under the radar of security products. The aggregated data allows the company to paint an accurate picture of what’s going on in the security landscape and help it develop new mitigations for the upcoming generation of cyber threats.

Among the key findings of the report is that Bitdefender telemetry shows ransomware is still the most frequently encountered threat. During 2017, the number of new major ransomware families exceeded 160, with dozens or even hundreds of variations per family.

The most prolific ransomware strain is Troldesh/Crysis, with hundreds of sub-variants reported to date. GlobeImposter, another extremely prolific ransomware family, is head-to-head with Troldesh in the number of released sub-variants. The commercial malware ecosystem is intensely focused on developing and planting ransomware.

The Bitdefender data shows that one in six spam e-mail messages comes bundled with some form of ransomware (for example, a link to drive-by download sites, attachments rigged with ransomware or even JavaScript/VBS downloaders for ransomware).

Ransomware that’s specifically aimed at companies has become more common. Since the re-emergence of the Troldesh ransomware family, companies have faced extremely targeted attacks that abuse the Remote Desktop Protocol to connect to infrastructure, then manually infect computers. Threats such as Troldesh and GlobeImposter have lateral movement tools to infect an organization and log clean-up mechanisms to cover their tracks.

Bitdefender’s threat intelligence shows the United States is still the number one destination for cyber crime. The U.S. ranks first in the number of malicious incidents detected throughout 2017, with 19% of incidents detected by the Bitdefender sensors.

The report ranks the top 10 malware threats worldwide in 2017. First on the list is illicit Bitcoin miners, which accounted for more than 1.05% of all infections detected worldwide. Application.BitdcoinMiner is representative of this category and consists of a legitimate miner configured to hijack mining efforts to various wallets, the report said. The application, along with its configuration file, is surreptitiously planted on victims’ computers.

Second, JS:Trojan.Cryxos, is another interesting entry in the threat report, Bitdefender said. This detection deals with JavaScript code appended to hacked Web sites to display alarming popups. These Trojans are part of “call support” or “tech support” scams, where compromised Web sites also display a support number hosting cyber-criminals who offer assistance for a fee. Cumulatively, the Cryxos Trojan accounts for 1.39% of all malware reports.

Ranking third in 2017 malware is an older threat called Trojan.LNK. This detection deals with multiple families of malware that use maliciously modified shortcut files with a .LNK extension that are designed to trick users into mistakenly launching a malicious file.

Next most common is the Downadup worm, which is still active on unpatched computers. For nearly 10 years the Downadup worm has been a constant presence in the top threats, beginning with its emergence in 2008. It continues to spread and create scheduled tasks on infected computers.

Fifth and sixth places are held by the JS:AdwareJS.Agent and JS:TrojanJS.Agent families, two large categories of Trojans used for various purposes. Ranking seventh, JS.TeslaCrypt4 is a generic downloader that brings the TeslaCrypt executable to a victim’s computer. This threat comes bundled via email and acts as a first-stage downloader that fetches and executes TeslaCrypt’s current payload.

Trojan.Rajbot ranks eighth in the malware top 10 for 2017. This multi-functional malware is written in Node.JS, and comes with its own JavaScript interpreter that allows it to execute outside of a browser and features a plug-and-play architecture that allows its reuse in various scenarios.

In ninth place is Report Trojan.AutorunInf. Even though its spreading mechanisms no longer work on modern operating systems, malicious Autorun files are still detected on removable media that have made contact with infected computers running Windows XP.

Win32.Sality ranks tenth in the list of most frequently encountered threats. This polymorphic file infector has been around for years, the report said, and it infects executable files on local or removable storage media and joins the infected computer to a peer-to-peer network of compromised machines, where it awaits further instructions.