pixel_dreams - Fotolia

RoughTed malvertising peaked in June, reveals Check Point

More than a quarter of organisations around the world were hit by a malvertising campaign in June 2017, according to security firm Check Point

The latest Check Point Global Threat Impact Index revealed that 28% of organisations globally were affected by the RoughTed malicious advertising campaign in June.

The large-scale malvertising campaign delivers links to malicious websites and payloads such as scams, adware, exploit kits and ransomware.

RoughTed began to spike in late May, before continuing to peak in June, affecting organisations in 150 countries. It can be used to attack any type of platform or operating system, and uses ad-blocker bypassing and fingerprinting to deliver the most relevant attack.

The most affected organisations were in the communications, education, retail and wholesale sectors.

According to Check Point, malvertising-related infection rates have spiked in recent months, as attackers only have to compromise one online ad provider to reach a wide range of victims. This means little effort is involved, as there is no need to maintain a heavy distribution infrastructure for the malware.

Second placed Fireball, which affected 20% of organisations in May, declined sharply in June, affecting only 5% of businesses. The Slammer worm was the third most common variant, affecting 4% of organisations.

Check Point said the three most prevalent pieces of malware in June highlighted the wide range of attack vectors and targets cyber criminals are utilising, affecting all stages of the infection chain. 

In contrast to RoughTed, Fireball takes over target browsers and turns them into zombies, which it can then use for a wide range of actions, including dropping additional malware or stealing valuable credentials. Slammer is a memory-resistant worm that can cause denial of service (DoS) attacks.

Read more about malware

The wide variety of attack vectors used is reflected throughout the top 10 list of common malware in June, which included the Cryptowall and Jaff ransomware, HackerDefender (a user mode root kit used to hide files) and the Zeus banking Trojan.

In mobile malware, Hummingbad was the most common form of malware, closely followed by Hiddad and Lotoor. All three target the Android mobile operating system.

Hummingbad establishes a persistent rootkit on the mobile device, installs fraudulent applications and, with slight modifications, could enable additional malicious activity such as installing a keylogger, stealing credentials and bypassing encrypted email containers used by enterprises.

Hiddad repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it is also able to gain access to key security details built into the operating system, allowing an attacker to obtain sensitive user data.

Lotoor is a hack tool that exploits vulnerabilities on the operating system to gain root privileges on compromised mobile devices.

“Organisations need to ensure their security infrastructures are robustly protect against all tactics and methods used by cyber criminals”
Maya Horowitz, Check Point

“Throughout May and June [2017] organisations have been heavily focused on ensuring that they are protected against ransomware, in response to the high-profile WannaCry and Petya attacks,” said Maya Horowitz, threat intelligence, group manager at Check Point.

“However, the wide variety of attack vectors being utilised in this month’s index serves as a reminder to organisations that they need to ensure their security infrastructures are robustly protect against all tactics and methods used by cyber criminals,” he said.

According to Horowitz, organisations in every industry sector need a multi-layered approach to their cyber security to protect against the widest range of continually evolving attack types and zero-day malware variants.

Read more on Hackers and cybercrime prevention