Threat research for May 2016 shows a continuing rise in the number of active
malware families attacking business networks; banking malware increases
Check Point㈢ published its latest Threat Index, revealing the number of active global malware families increased by 15 percent in May 2016.
Check Point detected 2,300 unique and active malware families attacking business networks in May. It was the second month running Check Point has observed an increase in the number of unique malware families, having previously reported a 50 percent increase from March to April. The continued rise in the number of active malware variants highlights the wide range of threats and scale of challenges security teams face in preventing an attack on their business critical information. Most notably:
- While Conficker remained the most commonly used malware in the period, banking malware Trojan Tinba became the second most prevalent form of infection last month, allowing hackers to steal victim’s credentials using web-injects, activated as users try to log-in to their banking website.
- Attacks against mobile devices also remained constant as Android malware HummingBad remained in the overall top 10 of malware attacks across all platforms globally during the period. Despite only being discovered by Check Point researchers in February, it has rapidly become commonly used; indicating hackers view Android mobile devices as weak spots in enterprise security and as potentially high reward targets.
“We continue to see a significant increase in the number of unique and active malware families targeting business networks, which speaks to the effort hackers are putting into creating new zero-day attacks and the scale of the challenge businesses face in securing their network against cyber criminals,” said Nathan Shuchami, head of threat prevention, Check Point. “Organizations need to consider using advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage to ensure they are effectively secured against the latest threats.”
In May, Conficker was the most prominent family accounting for 14 percent of recognized attacks; while second and third placed Tinba and Sality were responsible for 9 percent each. The top ten families were responsible for 60 percent of all recognized attacks.
- ￡ Conficker– Worm that allows remote operations, malware downloads, and credential theft by disabling Microsoft Windows systems security services. Infected machines are controlled by a botnet, which contacts its Command & Control server to receive instructions.
- ¤ Tinba– Also referred to as Tiny Banker or Zusy, Tinba is a banking trojan that steals the victim’s credentials using web injections. It becomes activated when users try to login to their banking website.
- ￠ Sality– Virus that infects Microsoft Windows systems to allow remote operations and downloads of additional malware. Due to its complexity and ability to adapt, Sality is widely considered to be one of the most formidable malware to date.
Mobile malware families continued to pose a significant threat to businesses mobile devices during May with six entries into the top 100 overall families. Most of these targeted Android, but in a continuation of the trend seen in April several targeted iOS. The top three mobile families were:
- ￡ HummingBad– Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a keylogger, stealing credentials and bypassing encrypted email containers used by enterprises.
- ￡ Iop– Android malware that installs applications and displays excessive advertising by using root access on the mobile device. The amount of ads and installed apps makes it difficult for the user to continue using the device as usual.
- ￡ XcodeGhost– A compromised version of the iOS developer platform Xcode. This unofficial version of Xcode was altered so that it injects malicious code into any app that was developed and compiled using it. The injected code sends app info to a Command & Control server, allowing the infected app to read the device clipboard.