Cryptocurrency Mining Malware Still Dominates the Malware Threat Landscape

The latest Global Threat Index report from Check Point shows that cryptocurrency mining malware continues to be the biggest malware threat, even after the shutdown of Coinhive.

Coinhive had topped the list of the most prevalent malware since December 2017. The service shut down in March 2019 and its miner is no longer active, but its JavaScript is still embedded on many websites, which is why it still features at number six below, and it could be reactivated at any point. In its place at the top is another cryptocurrency mining malware, Cryptoloot.

Check Point notes that the falling value of cryptocurrencies is making coin-mining malware less profitable. Cybercriminals are therefore shifting their focus and concentrating on attacking cloud environments, where the scalability of cloud compute allows coin mining to take place at much higher volumes, at the victim's expense.

Several organizations have discovered that their cloud compute resources had been hijacked for coin mining, leaving them with losses running to hundreds of thousands of dollars.

These cloud attacks show how important it is for organizations to secure their cloud environments, monitor their compute usage against a known baseline, and quickly identify and investigate any possible coin mining activity. Waiting until the end of the month, when the cloud bill arrives, means the cost has already been incurred and could prove incredibly costly.
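The monitoring the article calls for can be reduced to two checks: triage process and connection telemetry for mining indicators (known miner binaries, stratum pool URLs, miner-style flags, connections to common pool ports, sustained CPU), and compare each host's recent CPU usage with its own baseline so a hijacked instance is noticed in hours rather than on the monthly bill. The following is an added example written for this article; it is not Check Point's or NetSec.news's tooling. The indicator lists, port set, thresholds, host names and telemetry records are all constructed assumptions for the demonstration and would need tuning for a real environment.

```python
"""Added example: flag suspected coin miners from process/connection telemetry.

Illustrative code written for this article, not a vendor's detection logic.
Indicator lists, thresholds and sample records are assumptions for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Strong indicators: any one of these is enough to flag a process on its own.
MINER_NAMES = {"xmrig", "xmr-stak", "minerd", "cpuminer", "nheqminer", "ethminer"}
STRATUM_RE = re.compile(r"stratum\+(tcp|ssl|udp)://", re.IGNORECASE)
MINER_FLAGS = ("--donate-level", "--coin", "--algo", "-a cryptonight", "rx/0")

# Weak indicators: these ports are also used by legitimate software and high
# CPU alone is normal for batch jobs, so two weak hits are needed to flag.
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 45700}  # assumed list
CPU_PCT_THRESHOLD = 85.0


@dataclass
class ProcessRecord:
    host: str
    pid: int
    name: str
    cmdline: str
    cpu_pct: float                      # mean CPU % over the sampling window
    remote: Optional[Tuple[str, int]]   # (ip, port) of an outbound connection


def mining_indicators(rec: ProcessRecord) -> Tuple[List[str], List[str]]:
    """Return (strong, weak) reasons why this record looks like a miner."""
    strong, weak = [], []
    if rec.name.lower() in MINER_NAMES:
        strong.append(f"process name {rec.name!r} is a known miner binary")
    if STRATUM_RE.search(rec.cmdline):
        strong.append("stratum pool URL on the command line")
    if any(flag in rec.cmdline for flag in MINER_FLAGS):
        strong.append("miner-style command-line flags")
    if rec.remote and rec.remote[1] in POOL_PORTS:
        weak.append(f"outbound connection to common pool port {rec.remote[1]}")
    if rec.cpu_pct >= CPU_PCT_THRESHOLD:
        weak.append(f"sustained CPU at {rec.cpu_pct:.0f}%")
    return strong, weak


def is_suspected_miner(rec: ProcessRecord) -> bool:
    strong, weak = mining_indicators(rec)
    return bool(strong) or len(weak) >= 2


def triage(records: List[ProcessRecord]) -> List[dict]:
    """One finding per process that meets the flagging rule above."""
    findings = []
    for rec in records:
        if is_suspected_miner(rec):
            strong, weak = mining_indicators(rec)
            findings.append({"host": rec.host, "pid": rec.pid,
                             "name": rec.name, "reasons": strong + weak})
    return findings


def cpu_spike_hosts(hourly_cpu: Dict[str, List[float]],
                    baseline_hours: int = 24, factor: float = 2.0) -> List[str]:
    """Hosts whose mean CPU after the baseline window is `factor` x baseline.

    This is the cloud-bill check: a quiet instance suddenly pegged for hours
    is cheap to notice now and expensive to discover at month end.
    """
    flagged = []
    for host, samples in hourly_cpu.items():
        if len(samples) <= baseline_hours:
            continue  # not enough history to compare against
        baseline = sum(samples[:baseline_hours]) / baseline_hours
        recent = samples[baseline_hours:]
        if baseline > 0 and sum(recent) / len(recent) >= factor * baseline:
            flagged.append(host)
    return flagged


# Constructed sample telemetry (not real data): an obvious miner, a miner
# disguised with a kernel-thread-like name, a legitimate encode job, an idle
# web server.
SAMPLE_RECORDS = [
    ProcessRecord("web-01", 4120, "xmrig",
                  "xmrig -o stratum+tcp://pool.example:4444 -u WALLET --donate-level 1",
                  97.5, ("203.0.113.10", 4444)),
    ProcessRecord("worker-07", 2218, "kworkerds",
                  "/tmp/kworkerds -c /tmp/config.json", 93.0, ("198.51.100.7", 3333)),
    ProcessRecord("media-02", 911, "ffmpeg",
                  "ffmpeg -i input.mp4 -c:v libx264 output.mkv", 96.0, None),
    ProcessRecord("api-03", 507, "nginx", "nginx: worker process", 2.0, None),
]

# Constructed hourly CPU means: 24 baseline hours then 6 recent hours per host.
SAMPLE_HOURLY_CPU = {
    "worker-07": [8.0] * 24 + [92.0] * 6,
    "api-03": [5.0] * 24 + [6.0] * 6,
}

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['host']} pid {f['pid']} ({f['name']}): " + "; ".join(f["reasons"]))
    print("CPU spike hosts:", cpu_spike_hosts(SAMPLE_HOURLY_CPU))
```

Run against the constructed records, the ffmpeg job is not flagged despite 96% CPU because it has no other indicator, while the renamed miner on worker-07 is caught by the combination of a pool-port connection and sustained CPU, and the same host shows up again in the baseline comparison. In production the records would come from EDR or cloud agent telemetry and the baseline from the provider's metrics API; the point of the weak/strong split is to keep alerts on high CPU alone from drowning the real findings.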

Check Point’s ‘Most Wanted’ Malware Top Ten for March 2019

  1. Cryptoloot – Cryptocurrency miner
  2. Emotet – Banking Trojan
  3. XMRig – Cryptocurrency miner
  4. Dorkbot – IRC Worm
  5. Jsecoin – Cryptocurrency miner
  6. Coinhive – Cryptocurrency miner
  7. Ramnit – Banking Trojan
  8. Nivdort – Multipurpose bot with information-stealing capabilities
  9. Lokibot – Information Stealer
  10. Mirai – IoT Botnet

The top three mobile malware threats are unchanged, other than the first two swapping places. Hiddad now tops the list: an Android malware that repackages legitimate apps to serve ads and can also gain access to sensitive information on the device. The Lotoor hacking tool, which exploits Android vulnerabilities to obtain root privileges, is in second place, followed by the Triada Android backdoor, which grants super-user privileges to downloaded malware and so allows further malicious code to be installed on an infected device.

The most commonly exploited vulnerability is still CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function of the WebDAV service in Microsoft IIS 6.0. In second place is the web server exposed Git repository information disclosure (a .git directory left reachable over HTTP, from which source code and credentials can be recovered), followed by the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability, Heartbleed, tracked as CVE-2014-0160 and also listed as CVE-2014-0346.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news