Nastiest Malware 2018

  • 24 October 2018
  • 5 replies


Webroot ranked the nastiest threatS of 2018 just in time for Halloween! Read on to discover the top three malware/payloads impacting users this year, plus the three main attack vectors used to deliver them.



Nastiest Malware/Payloads


  • Botnets
    • Emotet
    • Trickbot
    • Zeus Panda


  • Crypto
    • GhostMiner
    • WannaMine
    • Coinhive
  • Ransomware

Cast Your Vote
Vote for the nastiest malware of 2018, and earn an exclusive badge!

Malware Live Q&A
Join us and our expert Threat team at 10am MT on November 19th for a Live Q&A. Consider this your chance to ask any question you want about the ins and outs of ZeusPanda, SamSam, or any other on our list of Nastiest Malware.

Scavenger Hunt
We put together a scavenger hunt throughout the Nastiest Malware posts, and if you can decipher the message, you'll earn a unique badge to prove it. Good luck!

Botnets and Banking Trojans

Three Nastiest:
Botnets and banking Trojans are the most commonly seen type of malware, and Emotet takes the prize as this year’s nastiest botnet delivering banking Trojans we’ve seen. Its information stealing payloads are delivered at an impressive pace, suggesting threat actors have automated multiple steps in their campaign operations.
Emotet, in particular, aspires to increase the number of zombies in its spam botnet, with a concentration on credential-gatheRing. It is so popular and effective, several major malware campaigns have leveraged Emotet as a delivery vector. Those behind Emotet now have the option to create additional layers within their botnet, ultimately increasing its resiliency. They recently developed a UPnP (Universal Plug and Play) module that allows Emotet to turn victims’ routers into potential proxy nodes for their command-and-control infrastructure. Most residential routers are based on Linux (without the benefit of antivirus protection), and are viewed by their owners as black boxes, so proper setup is not a priority. They are unlikely to notice, therefore, when a criminal exploits convenient UPnP to plug IoT devices into their router. Zeus Panda (Panda Banker) remains prevalent and, in the last few months, has begun to target more geographic regions than previously. Across the board, threat actors have made changes to internal protection mechanisms to ensure their payloads remain difficult to reverse-engineer and detecT.


Three Nastiest:
Many criminals have moved on to easier, faster, and less-risky ways of netting cryptocurrency from victims, without using payloads as infamous as ransomware. Criminals are using any and all available attack vectors to target victims and leverage their hardware and power to mine a wide range of cryptocurrencies with cryptominer payloads. When criminals are deciding what malware payload to deliver to a system, they will analyze all hardware installed in search of substantial CPU and GPU availability. When it’s detected, they can mine multiple cryptocurrencies using the hardware including Monero, Ethereum, Zcash, etc. This leads to instantaneous profitability without payment action from the victim (like ransomware) and can go by unnoticed indefinitely. We are seeing criminals drop cryptominer payloads from botnets, exploit kits, and compromised RDP.
Criminals can also mine cryptocurrency without ever delivering malware payloads to victims’ systems. This new trend, called “cryptojacking,” has been gaining momentum since CoinHive first debuted its mining JavaScript in September 2017. It works by hacking a user’s CPU to mine the cryptocurrency Monero for the site owner any time that user visits a site on which the script is running. This isn’t money out of thin air, though. Users are still on the hook for the cost of their CPU usage, which shows up in their electric bill. While it may not be a noticeable amount on any single bill, the cryptocurrency adds up fast for site owners with lots of visitors. 
CoinHive’s websitE claims this is an ad-free way for website owners to generate enough income to pay for the servers. Altruistic arguments aside, it’s clear threat actors are abusing the tactic at victims’ expense. Since CoinHive receives a 30 percent cut of all mining profits, they’re likely not too concerned with how their scripts are being used (or abused). With CryptoJacking, all a criminal need do is inject a few lines of code into a domain they don’t own, then wait for victims to visit that webpage while they sit back and collect the mining profits. We've seen over 12 million blocks on cryptojacking websites in just the first half of this year. Profitability combined with a minimal illegal footprint make CryptoMining and Cryptojacking a top method of attack for cybercriminals.


  • Crysis/Dharma
  • GandCrab
  • SamSam
  • EMotet was one of the first botnets to spread banking Trojans laterally within the infected network, making it difficult to remove.
  • Trickbot followed suit, but contains additional modules (and counting) and has even been seen dropping ransomware. Just imagine all of the machines in your network being encrypted all at once. Yeesh.
  • Zeus Panda has similar functionality to Trickbot, but most interesting compared to Emotet And Trickbot are its distribution methods, from macro-enabled Word documents to exploit kits and even compromised RMMs.
  • GhostMiner’s distribution method was the scariest part for its victims, who were unaware of its entry point. Imagine one of those scary movies where you know someone’s in the house, but you don’t know where. That’s GhostMiner. Most commonly, it has been distributed via an exploit in Oracle WebLogic (CVE-2018-2628).
  • WannaMine’s Windows Management Instrumentation (WMI) persistence technique was extremely nasty, allowing it to remain stealthy and difficult to locate and remove.
  • Coinhive, initially innocuous, was quickly added to the standard toolkit for attackers looking to compromise websites. Even legitimate website owners have been using it without knowing how it would affect visitors. If, just by visiting a website, your browser causes your CPU to spike to 100 percent, the perpetrator might be Coinhive.



Three Nastiest:
Ransomware needs no introduction. It's wreaked havoc on users since its inception five years ago. While Ransomware was the dominant threat for the past couple of years, making worldwide headlines and causing billions of dollars in damage, it has taken a backseat to cryptomining attacks in 2018. While we have seen a decline in ransomware payloads, though, ransomware has by no means disappeared. Instead, it's become a more targeted business model for cybercriminals, with unsecured Remote Desktop Protocol (RDP) connections emerging as the focal point of weakness within organizations and a favorite port of entry for ransomware campaigns.
Top 3 Attack Vectors 
Webroot thrEat researchers added it up and can blame nearly every threat, attack, or infection this year on these three attack vectors.
Unsecured RDP

Remote Desktop PRotocol (RDP) is one of the most useful tools in computing, and one that most people take for granted. While it's convenient to be able to access a machine remotely, the security pitfalls introduced by this convenience are significant for organizations. Think of unsecured RDP like the Thermal Exhaust Point on the Death Star—a security gap that can quickly lead to catastrophe when properly exploited.
Organizations are inadequately Setting up their RDP, leaving their environment wide open for criminals to penetrate with brute force tools. Cybercriminals can easily find and target these organizations by scanning for open RDP connections using engines like the publicly-available Shodan search engine. Even lesser-skilled criminals can simply buy RDP access to already-hacked machines on the dark web. Then, once a criminal has desktop access to a corporate computer or sErver, it’s essentially game over from a security standpoint. The attacker can disable endpoint protection or leverage exploits to verify that their malicious payloads will execute.
There are a variety of payload options available to the criminal to extract profit from the victim as well. Ransomware is the most obvious choice, since it’s backed by a proven business model and allows for “casing the joint” by browsing all data on system or shared drives to determine how valuable it is and how much of a ransom can be charged. Cryptominers are now another payload option criminals are using via the RDP attack vector.  
Poor cybersecurity education is the underlying issue enabling the RDP attack vector. Too many IT departments are leaving default ports open, maintaining lax password policies, or not training employees how to avoid phishing attacks that could compromise system credentials. Security awareness education is paramount since employees are often the weakest link in the security chain, but they can also be trained as a powerful defense against Cybercrime. 
Phishing has long been a major threat in the cybersecurity landscape and that likely won’t change anytime soon. Criminals know the weakest link in data security is the human, so we're not surprised to see targeted social engineering attacks on the rise. Webroot saw phishing attempts increase by more than 60 percent from January to June. Phishing continues to be an effective method of breaking into corporate networks. All it takes is for one person to take the bait, and a threat actor can easily obtain credentials and perpetrate a wide array of attacks ranging from identity theft to an RDP attack.
Cybercriminals continue to shift and fine-tune their targets as they learn which attacks are the most successful and lucrative. While Google has been a primary target for the past three years, Dropbox (impersonated in 17 percent of the attacks) overtook Google (15 percent) in the first half of 2018. When a threat actor breaks into someone’s Gmail account, the potential reward may be limited to just one person’s data. However, with Dropbox, the reward could be much greater: consumer and business users store tax, financial, personal and business information in Dropbox. The increasing prevalence of corporate Dropbox accounts makes the potential payoff even greater. Gaining access to a corporate Dropbox account could expose massive amounts of mission-critical and highly-sensitive data or even crypto keys.
Again, education is key in preventing phishing attacks, since these are user-centric attacks. Simulated phishing campaigns within an organization can help raise awareness and expose weak links, which can then be specifically targeted for additional training.
Exploits are not a new technique by any means. However, they have recently become a more popular distribution method for malware. Without much work, attackers have been weaponizing proof of concepts (POCs) for exploits that easily deploy malware to vulnerable machines. WannaCry was one of the larger infections that incorporated Server Message Block (SMB) exploits to essentially spread automatically once released. SamSam ransomware, which has earned a reputation for attacks such as the recent one against the City of Atlanta via RDP, originally was spread via a JBoss exploit. The JBoss vulnerability was bad enough that the FBI visited businesses and schools providing information on protecting against It.
More recently, we have seen exploits against Oracle's WebLogic software (and others) that allowed remote code execution using Java deserialization. Through that exploit we mainly saw PowerShell cryptocurrency miners being deployed, which sometimes included a backdoor. This was done using reflective PE injection that allowed the infection to remain fairly stealthy. Oracle had patched this vulnerability and shortly after a workaround was uncovered. Other exploits, like ones against IIS and MSSQL, made appearances as well. Ultimately out-of-date and unpatched operating systems/software have been the biggest downfall for victims of these exploits.

  • The Crysis/Dharma family of ransomware goes hand in hand with the term “compromised RDP.” It has been evolving to remain one of the top dogs of the RaaS (Ransomware-as-a-Service) world, specifically targeting the RDP vector. System administrators consistently return to work after a weekend to find one or more of their machines encrypted, usually without knowing the source.
  • GandCrab is another especially nasty RaaS distributed via malspam campaigns, exploit kits, and RDP. Interestingly, it uses the .bit TLD (Top Level Domain), not sanctioned by ICANN, providing additional secrecy.
  • SamSam, initially distributed via a JBoss exploit, soon turned to RDP as well. It’s now bringing down entire cities (or portions of them, at least). You’ve likely seen these attacks in the news after taking down the city of Atlanta or Colorado’s TranspoRtation Department.
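
For site owners who want to check their own pages for the injected mining script described in the cryptojacking section above, here is a small audit sketch. It is an added example, not part of the original post or any Webroot tool. The marker strings are assumptions taken from Coinhive's publicly documented embed snippet, and the hosts, allowlist and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed markers, taken from Coinhive's publicly documented embed snippet.
SRC_MARKERS = ("coinhive.min.js",)
INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User", "CoinHive.Token")

# Constructed sample page: two legitimate scripts, an injected miner, one unknown host.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="https://miner.example/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
<script src="//stats.unknown.example/t.js"></script>
</head></html>"""

class ScriptAudit(HTMLParser):
    """Record miner markers and unapproved external hosts in <script> tags."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self.inline = None  # text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""
        if not src:
            self.inline = []  # inline script: buffer its text until </script>
        host = (urlparse(src).hostname or "").lower()
        if any(m in src.lower() for m in SRC_MARKERS):
            self.findings.append(("miner-script", src))
        elif host and host not in self.allowed:  # relative URLs have no host
            self.findings.append(("unapproved-host", src))

    def handle_data(self, data):
        if self.inline is not None:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self.inline is not None:
            body = "".join(self.inline)
            self.findings += [("miner-inline", m) for m in INLINE_MARKERS if m in body]
            self.inline = None

def audit_page(html, allowed_hosts):
    parser = ScriptAudit(allowed_hosts)
    parser.feed(html)
    return parser.findings
```

Run against a page fetched from production rather than the source repository, since injected script tags only appear in what the server actually delivers. A Content-Security-Policy `script-src` allowlist enforces the same host check in the browser.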

5 replies

Userlevel 7
Badge +54
Thank you Lara. I have just found this on an external news source and posted it in the Security News.
Userlevel 7
Badge +63
Thanks Lara!
Userlevel 7
Interesting post, Thanks Lara. :D
Userlevel 7
Badge +36
@ wrote:
Thank you Lara. I have just found this on an external news source and posted it in the Security News.
Oh wow, they picked it up quick. Thanks for finding that, always nice to see when Webroot's perspective is shared in multiple channels. 🙂
Great article. :D
I got "SMARTERERSECII" out of this. Don't know if that's what we're looking for or not...