Malware & Threats

Kelihos Becomes King of the Malware Mountain

The beginning of 2017 has brought a series of changes on the malware charts, as the Kelihos botnet managed to climb to the top position, while the Conficker worm dropped to fourth on the list.

An eight-year-old threat, Conficker managed to remain one of the most active malware families out there last year, although it didn’t make it to the headlines as often as other threats. In 2015, however, the malware briefly returned to focus after security researchers found that it had infected police body cameras.

Check Point’s latest threat report shows that Conficker is now the fourth most active malware out there, with Kelihos, HackerDefender, and Cryptowall occupying the first three positions. Conficker was the top threat in the security firm’s Top 10 “Most Wanted” malware list for quite some time.

The current leader, Kelihos, is yet another long-standing threat, one that managed to withstand several takedown attempts. In August last year, Kelihos infections registered a spike and the botnet tripled in size overnight, a clear sign that the actors behind it were considering ramping up activity. The botnet uses peer-to-peer communications, with each individual node acting as a command and control center.

Although the botnet was focused mainly on spamming stock pump-and-dump schemes or pharmaceutical scams, it was seen dropping malware as well, including ransomware such as MarsJoke, Wildfire, and Troldesh, as well as Trojans, including Panda Zeus, Nymaim and Kronos. Most recently, security researchers observed that Kelihos was also capable of infecting removable USB drives to spread to new hosts.

The second top malware family is the HackerDefender user-mode rootkit for Windows, which can be used to hide files, processes and registry keys, as well as to implement a backdoor and port redirector. The third Most Wanted malware in January was CryptoWall, a piece of file-encrypting ransomware that uses AES encryption and the Tor anonymity network.

Nemucod (JavaScript or VBScript downloader), RookieUA (info stealer), Nivdort (multipurpose bot also known as Bayrob), Zeus (banking Trojan), Ramnit (banking Trojan), and Necurs (spam botnet mainly associated with the distribution of Locky) round out the Top 10 Most Wanted malware list.

The mobile threat landscape registered changes as well last month, as the Triada modular backdoor for Android secured the first position on the Top 3 Most Wanted mobile threats. Detailed in March last year, Triada was considered the most advanced mobile malware to date.

HummingBad, an Android Trojan capable of establishing a persistent rootkit on a device and installing additional applications, dropped to the second position. Dubbed HummingWhale, a new variant of this malware was discovered a couple of weeks ago, after it managed to infect 20 apps in Google Play and supposedly infect millions of devices.

Hiddad, a piece of Android malware that repackages legitimate apps and then releases them to a third-party store, is currently the third “most wanted” mobile threat. The malware, security researchers note, was designed to display ads but can also be used to gain access to key security details built into the OS, thus enabling the attacker to obtain sensitive user data.

“The wide range of threats seen during January utilizes all available tactics in the infection chain to try and gain a foothold on enterprise networks. To counter this, organizations need advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, to ensure that they are adequately secured against the latest threats,” Check Point concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
