Story image

No need for a browser - XMRig cryptomining malware enters top 10 most wanted malware list

16 Apr 2018

Check Point’s March 2018 Most Wanted Malware suggests that cryptomining malware is moving away from browser-based mining sessions and targeting the endpoint – or at least the XMRig malware is doing so.

In March this year there were a surge of cryptomining malware attacks – most notably the XMRig malware which landed eighth place on the list last month.

XMRig has been in the wild since May 2017 and landed a top 10 spot after a 70% increase in global impact. It affected 5% of organizations in March.

The malware doesn’t need an active web browser session on a targeted computer; instead it uses the computer itself to mine Monero cryptocurrency.

“Cryptomining malware has been quite the success story for cybercriminals, and XMRig’s rise indicates that they are actively invested in modifying and improving their methods in order to stay ahead of the curve,” comments Check Point threat intelligence group manager Maya Horowitz. 

“Besides slowing down PCs and servers, cryptomining malware can spread laterally once inside the network, posing a major security threat to its victims. It is therefore critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families and brand new threats.”

The Coinhive cryptominer took the top spot as the top most wanted malware in March. It mines the Monero cryptocurrency and targeted 18% of organizations. Rig EK placed second, targeting 17% of organizations; and Cryptoloot miner was third, targeting 15% of organizations.

March’s 2018’s Top 3 ‘Most Wanted’ Malware:

1.       Coinhive – Crypto-Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user's knowledge or approval

2.       Rig EK - Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer.

3.       Cryptoloot - Crypto-Miner that uses the victim’s CPU or GPU power and existing resources to add transactions to the blockchain and releasing new currency.

Lokibot, an Android banking Trojan which grants super user privileges to download malware, was the most popular malware used to attack organizations’ mobile estates followed by the Triada and Hiddad.

March’s Top 3 ‘Most Wanted’ mobile malware:

1.    Lokibot - Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone.

2.    Triada - Modular Backdoor for Android which grants superuser privileges to downloaded malware.

3.    Hiddad- Android malware which repackages legitimate apps then releases them to a third-party store.

Check Point researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-10271 came first with a global impact of 26%, in second place was the SQL injection vulnerability impacting 19%, and in third place was CVE-2015-1635 with a global impact of 12% of organizations.

March’s Top 3 ‘Most Wanted’ vulnerabilities:

1.       Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)- A remote code execution vulnerability exists within Oracle WebLogic WLS. This is due to the way Oracle WebLogic handles xml decodes. A successful attack could lead to a remote code execution.

2.       SQL Injection- Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application's software.

3.       Microsoft Windows HTTP.sys Remote Code Execution (MS15-034: CVE-2015-1635)- A remote code execution vulnerability has been reported in Windows OS. The vulnerability is due to an error in the way HTTP.sys handles a malicious HTTP header. Successful exploitation would result in a remote code execution.

Thycotic debunks top Privileged Access Management myths
Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets.
Veeam reports double-digit Q1 growth
We are now focussed on an aggressive strategy to help businesses transition to cloud with Backup and Cloud Data Management solutions.
Paving the road to self-sovereign identity using blockchain
Internet users are often required to input personal information and highly-valuable data from contact numbers to email addresses to make use of the various platforms and services available online.
Tech Data to distribute Nutanix backup solution in A/NZ
Tech Data will distribute HYCU Data Protection for Nutanix backup and recovery software to their network of partners across Australia and New Zealand.
Veeam releases v3 of its MS Office backup solution
One of Veeam’s most popular solutions, Backup for Office 365, has been upgraded again with greater speed, security and analytics.
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Tenable is hedging all of its security bets on the power of predictive, as the company announced general available of its Predictive Prioritisation solution within Tenable.io.
Safety solutions startup wins ‘radical generosity’ funding
Guardian Angel Security was one of five New Zealand businesses selected by 500 women (SheEO Activators) who contributed $1100 each.
Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.