The Hancitor downloader has surged into the top five most wanted malware families worldwide for the first time, according to Check Point.
The downloader, that installs malicious payloads such as banking trojans and ransomware on infected devices, climbed 22 places after more than tripling its global impact in the past month. Hancitor, also known as Chanitor, is usually delivered as a macro-enabled Office document in phishing emails with “important” messages such as voicemails, faxes or invoices.
Kelihos, a botnet used in bitcoin theft, is the most prevalent malware family overall, with 12% of organizations globally impacted by it. Having been active since 2010, the resilient Kelihos has evolved from a ‘pump and dump’ spam campaign into a botnet-for-hire, sending spam for anyone willing to pay. Despite being taken down in 2011 and again a year later, it has continued to resurface, culminating in the botnet and growing by more than three times in just two days last August.
Today, Kelihos continues to grow as one of the most prominent distributors of spam in the world, with over 300,000 infected machines, each capable of sending more than 200,000 emails a day.
Top malware families
Overall, the top 3 malware families revealed that hackers were using a wide range of attack vectors and tactics to target businesses. These threats impact all steps of the infection chain, including spam emails which are spread by botnets, and contain downloaders that place ransomware or a Trojan on the victim’s machine.
The UK was also the 38th most attacked country globally (up from 53rd in January), higher than the US (90th), Germany (67th) and France (67th). The top three most common malware in February were Kelihos in first, impacting 12% of organizations, followed by HackerDefender, impacting 5% and Cryptowall which affected 4.5% of businesses globally.
Most wanted malware
Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server.
HackerDefender – User-mode rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
In mobile malware, Hiddad moved up from third in January to become the most active variant, followed by Hummingbad and last month’s leader Triada in second and third place, respectively.
Most wanted mobile malware
Hiddad – Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
Triada – Modular backdoor for Android, which grants super-user privileges to download malware and helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.