NjRat secures top spot as most active network malware in 2017

The most common Trojan found on today's networks is also, unfortunately, one that script kiddies delight in.
Written by Charlie Osborne, Contributing Writer

Researchers have compiled a list of the most common malware variants which may be active on networks today.

On Tuesday, security professionals from AlienVault posted the results of research into the top 10 malware threats that were recorded as active on networks in 2017, which includes a range of Trojans, ransomware, and malware which is tailored for stealing financial data.

Based on malware domains observed most frequently by Cisco's Umbrella DNS, the malware families with the highest numbers of individual samples and the malware most detected by the cybersecurity firm's customers, the njRat Trojan has come out on top.

NjRat: Particularly popular in the Middle East, this Remote Access Trojan (RAT) is a simple .NET backdoor is a favorite with amateurs. The bulk of users are low-level criminals and is often delivered in drive-by downloads or through phishing attacks. Variants of the Trojan often contain custom packets (.PDF) for avoiding traditional antivirus solutions and once deployed, the malware is able to hijack infected systems.

Netwire: Netwire came out as the second most persistent threat on networks in 2017. This malware, another Trojan, is primarily used to steal banking details such as credit card data. However, unlike other kinds of malicious code which target Point-of-Sale (PoS) systems, Netwire attempts to steal credentials through keylogging modules.

These are not the only malware families that the enterprise needs to be concerned about and remained protected against. The other malware samples which made the list are:

Bancos: An old Windows Trojan, Bancos attempts to replace Windows host files to redirect victims from pre-determined legitimate domains to malicious alternatives controlled by attackers. This malware is also most commonly associated with the theft of financial data.

PhaseBot: First spotted in 2015, PhaseBot uses PowerShell to run components that are encoded scripts it has hidden in the registry of a compromised system in order to conduct 'fileless' attacks.

Pushdo: Pushdo is a so-called downloader Trojan used as a conduit to download and execute additional payloads on infected systems. The malware is commonly found in mass-email phishing campaigns.

Asprox: Asprox finds its way onto a vulnerable system through phishing campaigns and drive-by downloads. If a system is exploited, it is joined into a botnet for the purposes of harvesting login credentials, enabling DDoS attacks, driving fake advertising traffic, and conducting SQL injections on unsecured sites.

Dunihi worm: This worm is commonly obfuscated and spreads through removable drives. Also known as Houdini, the malware connects to a C&C server to receive commands from its operators.

Ramnit: This prolific malware, connected to the theft of Facebook credentials in the past, the worm is described as a "multi-component malware family which infects Windows executable as well as HTML files" able to "steal sensitive information such as stored FTP credentials and browser cookies".

Gh0stRat: Variants of the Gh0stRat Trojan are also commonly active, targeting victims in the enterprise as well as core industrial players. The Trojan is used for surveillance, collecting system information, encrypting the collected information and sending it to C&C servers.

Locky: Locky, ransomware which keeps coming back time and time again, spreads through phishing campaigns and drive-by downloads. When executed on a vulnerable system, the malware encrypts files and demands a ransom payment in return for a decryption key.

"As this data is a count of unique file hashes, it's heavily biased towards polymorphic malware that produces a different file hash for each sample," AlienVault notes. "This data is biased towards families that we have named network detections for. That means this is a good representation of malware that is actively running on networks, though it's important to also review other statistics on malware that has been blocked from running."

AlienVault also compiled a list of known malicious domains which were visited the most online last year.

Generally, threat actors will use more than one domain to connect malware on infected systems with command and control (C&C) centers to conduct surveillance, deliver additional payloads, and hijack systems.


However, the researchers noted that the sinkholed domain for the notorious WannaCry ransomware was still being visited constantly over the course of 2017. (It is unknown how many of domains now remain valid as we have moved into 2018.)

"It's notable that 4/10 of the most popular malicious domains were sinkholed by MalwareTech," the team says. "He is notable for preventing the spread of WannaCry through quickly sinkholing the WannaCry connectivity check domain."

See also: Hacker jailed for DDoS attacks against Skype and Google

It is more important than ever that consumers and businesses alike invest in security and maintain good security practices to steer clear of these threats.

However, sometimes patches do not always go as planned. Intel's patch for the Spectre security flaw, for example, is now recommended to not be installed due to reboot errors.

5 things you should know about VPNs

Previous and related coverage

    Triton exploited zero-day flaw to target industrial systems

    Schneider Electric has revealed how the Trojan managed to disrupt core industrial systems in the Middle East.

    Dridex banking Trojan compromises FTP sites in new campaign

    The Trojan is back with a new technique to avoid detection by email gateways.

    Google awards researcher over $110,000 for Android exploit chain

    The bug bounty highlighted serious security issues in the Pixel smartphone.

      Editorial standards