July’s Most Wanted Malware: RoughTed and Fireball Decrease, But Stay Most Prevalent

August 21, 2017


Check Point’s latest Global Threat Impact Index reveals that that the number of organizations impacted globally by the RoughTed malvertising campaign fell by over a third during July, from 28% to 18%.

RoughTed is a large-scale malvertising campaign used to deliver malicious websites and payloads such as scams, adware, exploit kits and ransomware. Despite its drop-off, RoughTed remained the most prevalent form of malware during July. Second was HackerDefender, a user-mode rootkit for Windows, which affected 5% of companies.

The Index also revealed a sharp decline in the prevalence of Fireball, which dropped to third place in the rankings. In July, it impacted 4.5% or organizations, down from 20% of organizations only two months ago. During the month it was reported that the Chinese authorities arrested the suspected distributors of the malware. The publicity following the arrest along with the research published on Fireball coincides with the massive decrease of logs in June and. There seems to be two trends that impacted Fireball’s distribution during the past few months:

  1. The arrest – although the arrest was made public recently, it has taken place in June after the research was published – so in fact, it can be the reason for the decrease in the amount of logs on June and July together.
  2. Awareness – the publication of Fireball led to a rise in the awareness of internet users to the dangers Fireball, as well as other adware, pose. As a result, many users took action and uninstalled the malware (we also published a removal manual).

July’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ RoughTed – Large-scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  2. ↑ HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  3. ↓ Fireball – Browser-hijacker that can be turned into a full-functioning malware downloader. It is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  4. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  5. ↑ Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  6. ↓ Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  7. ↑ Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  8. ↑ Pykspa – Worm that spreads itself by sending instant messages to contacts on Skype. It extracts personal user information from the machine and communicates with remote servers by using a Domain Generation Algorithms (DGA).
  9. ↑ Pushdo – Trojan used to infect a system and then download the Cutwail spam module and can also be used to install additional third party malware.
  10. ↑ Hancitor – Downloader used to install malicious payloads (such as Banking Trojans and Ransomware) on infected machines. Also known as Chanitor, Hancitor is usually delivered as a macro enables Office document in Phishing emails with “important” messages such as voicemails, faxes or invoices.

For the first time in 2017, Hummingbad did not appear in the top three of the most common mobile malware. Spyware TheTruthSpy became the most impactful form on organizations mobile estates – followed by Lootor and Triada:

July’s Top 3 ‘Most Wanted’ mobile malware:

  1. TheTruthSpy – Mobile spyware which can be installed in stealth mode and used to track and record data from a device.
  2. Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
  3. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

It’s encouraging to see highly infectious malware variants impact fewer organizations, but it is critical that organizations realize this doesn’t mean it’s time to drop their guard. Despite RoughTed’s drop, nearly one in five organizations was still impacted by it during July.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, a collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

Check Point’s Threat Prevention Resources are available at:



  • Check Point Research Publications
  • Global Cyber Attack Reports
  • Threat Research
February 17, 2020

“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign

  • Check Point Research Publications
August 11, 2017

“The Next WannaCry” Vulnerability is Here

  • Check Point Research Publications
January 11, 2018

‘RubyMiner’ Cryptominer Affects 30% of WW Networks