Kelihos becomes January’s Top 10 ‘Most Wanted’ Malware

Pierluigi Paganini February 11, 2017

The infamous Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the chart of malware.

Which are the most active malware in the wild?

According to research conducted by CheckPoint Security, the malware landscape saw some interesting changes in the first part of 2017.

Surprisingly, the eight-year-old Conficker continues to be one of the most active malware families in 2016.

In June 2016, researchers at CheckPoint described Conficker as “the most prominent family accounting for 14 percent of recognized attacks.” We recall Conficker's resurgence in 2015, when samples of the malware infected police body cameras.

Below is January's Top 10 ‘Most Wanted’ Malware published by CheckPoint Security:

  1. Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server
  2. HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  3. Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  4. Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  5. Nemucod – JavaScript or VBScript downloader which is commonly used to download ransomware variants or other malicious payloads.
  6. RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
  7. Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  8. Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  9. Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  10. Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.
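The Nivdort entry above makes a point that applies to several families in this list: when the recipient address is baked into each binary, every file has a different cryptographic hash, so a blocklist of exact SHA-256 IoCs never matches the next sample. The example below is added here to show why, and what a defender does instead; it is not Check Point's code, nor a real sample. It builds two constructed stand-in "binaries" that share a pseudo-random code body and differ only in an embedded address, shows that their SHA-256 digests differ, then scores them with a small content-defined chunking similarity (the idea behind fuzzy hashes such as ssdeep, here reimplemented in a few lines rather than calling the real tool) and pulls the embedded address out with a regex in the spirit of a YARA string rule. All names, the `RCPT=` marker and the addresses are assumptions of this example.

```python
import hashlib
import re

# Constructed stand-ins (deterministic pseudo-random bytes, NOT real malware):
# a shared "code body" that every per-recipient build contains, and an unrelated benign file.
CODE_BODY = b"".join(hashlib.sha256(b"body" + bytes([i])).digest() for i in range(128))
BENIGN_FILE = b"".join(hashlib.sha256(b"benign" + bytes([i])).digest() for i in range(128))


def build_sample(recipient: str) -> bytes:
    """Constructed per-recipient build: identical body, one address embedded at a fixed offset."""
    return CODE_BODY[:1000] + b"RCPT=" + recipient.encode() + b"\x00" + CODE_BODY[1000:]


def sha256_hex(data: bytes) -> str:
    """Exact-match IoC: changes completely when even one embedded byte changes."""
    return hashlib.sha256(data).hexdigest()


# Gear table for a cheap rolling hash. The hash at byte i depends on bytes i-31..i only
# (older contributions are shifted out mod 2**32), so chunk boundaries re-synchronise
# 32 bytes after any local edit, which is what makes the similarity score robust.
GEAR = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big") for i in range(256)]
BOUNDARY_MASK = 0x3F  # a boundary fires on average once every 64 bytes


def cdc_chunks(data: bytes) -> list:
    """Content-defined chunking: cut wherever the rolling hash's low six bits are all zero."""
    chunks, start, h = [], 0, 0
    for i, byte in enumerate(data):
        h = ((h << 1) + GEAR[byte]) & 0xFFFFFFFF
        if (h & BOUNDARY_MASK) == 0:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def chunk_digests(data: bytes) -> set:
    """Set of truncated digests of the chunks; an edit only disturbs the chunks it touches."""
    return {hashlib.sha256(c).hexdigest()[:16] for c in cdc_chunks(data)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk-digest sets: 1.0 identical, 0.0 nothing shared."""
    da, db = chunk_digests(a), chunk_digests(b)
    return len(da & db) / len(da | db)


# String-level check in the spirit of a YARA rule: an e-mail address embedded in the binary.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def embedded_recipient(data: bytes):
    """Return the embedded recipient address, or None when the pattern is absent."""
    m = EMAIL_RE.search(data)
    return m.group(0).decode() if m else None


if __name__ == "__main__":
    a = build_sample("alice@example.com")
    b = build_sample("bob.long.name@example.org")
    print("same sha256:", sha256_hex(a) == sha256_hex(b))          # False: exact IoC misses b
    print("similarity a/b:", round(similarity(a, b), 2))           # high: same code body
    print("similarity a/benign:", similarity(a, BENIGN_FILE))      # 0.0: unrelated content
    print("recipient in a:", embedded_recipient(a))                # alice@example.com
```

The two addresses are deliberately of different lengths, so everything after the insertion point is shifted; fixed-size block hashing would miss the match, while content-defined chunks line up again once the rolling hash has moved 32 bytes past the edit. In practice a hunting rule on such a family combines a fuzzy-hash threshold with a string pattern like the one above rather than relying on per-sample hashes.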

Recently the Kelihos malware was observed spreading via infected thumb drives. The third Most Wanted malware in January was CryptoWall, a well-known ransomware; the remaining positions in the Top 10 list are occupied by other botnets mainly involved in the distribution of the dreaded Locky ransomware.

Checkpoint also observed changes in the mobile threat landscape: the Android Triada modular backdoor remains the most advanced mobile malware in the Top 3 Most Wanted mobile threats. In second place is HummingBad; CERT-EU and other sources corroborated Check Point researchers’ findings, which recently confirmed that a new variant of the big-money ad-fraud malware HummingBad is spreading rapidly on the Android marketplace Google Play.

HummingBad was first seen and released almost a year ago, in January/February 2016, by the malware authors Yingmob, racking up approx. $300,000 USD per month for the better half of 2016. Approximately 10 million Android devices were infected in the first part of last year.

Now a variant dubbed “HummingWhale” by Check Point is at large, with better ad-fraud capabilities and more sophisticated techniques than HummingBad; it affects several applications, which together have been downloaded several million times.

Kelihos botnet

The third mobile malware threat is Hiddad, a strain of Android malware that repackages legitimate apps and then releases them to a third-party store.

Below is the Top 3 ‘Most Wanted’ mobile malware:

  1. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware and helps it embed itself into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  3. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

Pierluigi Paganini

(Security Affairs – Kelihos , mobile malware)
