OTX Trends Part 2: Malware

January 23, 2018  |  Chris Doman

By Javvad Malik and Christopher Doman

This is the second of a three-part series on trends identified by AlienVault.

Part 1 focused on the exploits tracked by OTX. This blog will talk about the malware, and Part 3 will discuss trends we’re seeing in threat actors.

Which malware should I be most concerned about?

Most security incidents that a security team will respond to involve malware. We took a look at three sources of malware telemetry to help prioritise popular malware families:

  • Malware families AlienVault customers detect the most;
  • Which malware domains are observed the most frequently by Cisco’s Umbrella DNS; and
  • Malware families with the highest number of individual samples.

Which malware families do our customers detect the most?

The following table describes the malware that we detected most frequently on our customers' networks:

OTX malware rankings shows interesting trends

This table represents malware detected by AlienVault as it communicates across a network, in 2017. This data is biased towards families that we have named network detections for. That means this table is a good representation of malware that is actively running on networks, though it’s important to also review other statistics on malware that has been blocked from running.

The #1 ranked malware, njRat, is particularly popular in the Middle East. It's a fairly simple .NET backdoor, and YouTube is full of videos showing how amateur users can deploy it. We often see it packed with a seemingly endless supply of custom packers to evade anti-virus. Whilst the vast bulk of njRat users are low-level criminals, it is also frequently used in targeted political attacks in the Middle East.

A YouTube guide for using njRat

The #2 ranked malware, NetWire, is primarily used by low-end criminals to steal banking details. Again, it is a freely available tool, and it too has been abused by targeted attackers.

The top malware we saw for Linux was China ELF DDoS.

We saw little malware for Mac, though the adware MacKeeper was popular.

Which malware domains are observed the most frequently?

We matched known malicious domains from AlienVault OTX against Umbrella DNS's record of the domains most visited by their customers.

From that we produced this table of the “most popular malicious domains”:

OTX Malware ranking by Domain

The column "rank" indicates how popular each malicious domain is; for example, google.com has a rank of 1 as it is the most popular domain.
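As an added illustration of the join described above (example code, not AlienVault's own tooling), the following Python matches a small constructed OTX-style indicator export against a constructed Umbrella-style rank list and produces the same kind of "most popular malicious domains" table. The CSV column names and the .test domains are assumptions; the only real value is the iamback.ddns[.]net indicator mentioned in this post.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed sample of an OTX-style indicator export. Domains are defanged
# with "[.]" as pulses often present them; "family" is the malware attribution.
OTX_INDICATORS = """\
indicator,type,family
iamback.ddns[.]net,domain,njRat
IAMBACK.DDNS[.]NET,domain,H-Worm
example-adware[.]test,hostname,Adware
unseen-c2[.]test,domain,NetWire
"""

# Constructed sample in the Umbrella top-1M CSV layout: rank,domain.
UMBRELLA_TOP = """\
1,google.com
2,example-adware.test
3,iamback.ddns.net
"""


def refang(domain: str) -> str:
    """Normalise a possibly defanged indicator to a bare lowercase domain."""
    d = domain.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return d.rstrip(".")  # drop a trailing root dot so both sides compare equal


def load_umbrella_ranks(text: str) -> Dict[str, int]:
    """Parse rank,domain rows into {domain: rank}; lower rank = more visited."""
    ranks: Dict[str, int] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 2:
            ranks[refang(row[1])] = int(row[0])
    return ranks


def rank_malicious_domains(otx_csv: str, umbrella_csv: str) -> List[Tuple[int, str, str]]:
    """Exact-match join of OTX domain indicators against Umbrella ranks.
    Families that point at the same domain are merged into one row, which is
    how njRat and H-Worm both appear against the iamback.ddns[.]net entry."""
    ranks = load_umbrella_ranks(umbrella_csv)
    families: Dict[str, Set[str]] = {}
    for row in csv.DictReader(io.StringIO(otx_csv)):
        if row["type"] not in ("domain", "hostname"):
            continue
        families.setdefault(refang(row["indicator"]), set()).add(row["family"])
    # Domains absent from the rank list (unseen-c2.test) are simply not ranked.
    table = [(ranks[d], d, ", ".join(sorted(f))) for d, f in families.items() if d in ranks]
    return sorted(table)


if __name__ == "__main__":
    for rank, domain, fam in rank_malicious_domains(OTX_INDICATORS, UMBRELLA_TOP):
        print(f"{rank:>7}  {domain:<25} {fam}")
```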

Generally it's a bad idea for attackers to use a single domain for their malware: security researchers or law enforcement can take control of the malicious domain and mitigate the infections. It's notable that 4 of the 10 most popular malicious domains were "sinkholed" by MalwareTech. He is notable for preventing the spread of WannaCry by quickly sinkholing the WannaCry connectivity-check domain.

It's interesting to see the domain that WannaCry uses for connectivity checks still ranking significantly. I'm unsure of the delay in how long domains remain valid in the Umbrella data-set.

We see njRat prominently again, with both njRat and the somewhat related H-Worm pointing to iamback.ddns[.]net. It's likely that most of these infections are H-Worm. H-Worm is an extremely simple worm written in Visual Basic script that remains prevalent in organisations with a poor security posture.

The rest of the top malicious domains belong primarily to adware: bad enough to make it into a vendor report, and so marked as malicious in OTX, but not so bad that it is stopped from being installed on many machines before being classed as malicious.

Which malware samples do we collect the most?

The following table describes the number of samples for each malware family we collected in the previous 24 hours:

As this data is a count of unique file hashes, it’s heavily biased towards polymorphic malware that produces a different file hash for each sample. As a result it isn’t a reliable indicator of which malware families are most prevalent. Similar results are seen by ShadowServer.

Stay tuned for part 3 of this OTX blog series, when we’ll talk about threat actors!
