April’s Most Wanted Malware: Exploit Kit Attacks Continue, While Slammer Worm Resurfaces Again

May 17, 2017

May 17, 2017

Check Point’s latest Global Threat Impact Index detected a continued increase in the number of organizations being targeted with Exploit Kits, as Rig EK became the most prevalent form of attack, while there was also a resurgence in the Slammer worm detected, with 4% of businesses impacted.

Slammer resurfaced following a short hiatus, jumping back into the top three most popular malware families. The Slammer worm first emerged in 2003 and spread extremely rapidly.  It was developed to target Microsoft SQL 2000, and propagated so quickly that it was able to cause a denial of service condition on some affected targets. This is the second time the worm has entered the malware top ten in recent months, showing how even decades-old malware can successfully resurface.

It’s the second month running that seemingly outdated malware variants have reappeared, following the reemergence in March 2017 of Exploit Kits, that are designed to discover and exploit vulnerabilities on machines in order to download and execute further malicious code.  This trend underlines how important it is to remain vigilant for a broad spread of threats and attack vectors, even those that appear to have fallen out of general usage.

The top ten global malware families reveal a wide range of attack vectors and targets, which impact all stages of the infection chain.  The most common malware in April were Rig EK and HackerDefender, impacting 5% and 4.5% of organizations worldwide respectively, while the Slammer worm came in third impacting 4% of organizations.


April 2017’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

  1. ↑ Rig EK – Exploit Kit first introduced in 2014. Rig delivers Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
  2. ↓ HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  3. ↑ Slammer – Memory resistant worm targeted to attack Microsoft SQL 2000. By propagating rapidly, the worm can cause a denial of service condition on affected targets.
  4. ↓ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  5. ↓ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  6. ↓ Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  7. ↑  Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  8. ↑  Sality – Virus that allows remote operations and downloads of additional malware to infected systems by its operator. Its main goal is to persist in a system and provide means for remote control and installing further malware.
  9. ↑  Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.
  10. ↑ Gamarue – Used to download and install new versions of malicious programs, including Trojans and AdWare, on victim computers.


In mobile malware, the two families remained the same as in March, while Lotoor climbed back into the top three.

Top 3 ‘Most Wanted’ mobile malware:

  1. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  2. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  3. Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.


Cybercriminals will always choose to adapt the tools they already have at their disposal if possible, rather than developing brand new ones, simply because it’s faster and more cost-effective. It’s a vital warning to organizations in multiple sectors – you must remain vigilant and deploy sophisticated security systems that protect against a wide range of attack types, such as Check Point’s SandBlast™ Zero-Day Protection and Mobile Threat Prevention.


The ThreatCloud Map is powered by Check Point’s ThreatCloudTM intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.


The map displays the risk index globally (green – low risk, red- high risk, white – insufficient data), demonstrating the main risk areas around the world





  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks