
Center for Internet Security: Top 10 malware in September 2020

October 22, 2020

According to the Center for Internet Security (CIS), in September 2020, three malware returned to the Top 10: CoinMiner, CryptoWall, and Emotet. The Top 10 Malware variants composed 87% of Total Malware activity in September 2020, up from 78% in August 2020.

The increase, says CIS, is largely due to the recent Shlayer campaign ramping up, as the education year begins for universities and K-12 schools. "Due to the new education year, Shlayer is highly-likely to continue its prevalence in the Top 10 Malware for the coming months. Additionally, this month the MS-ISAC saw an increased number of Emotet alerts, as it reemerged from dormancy to continue malspam campaigns resulting in secondary Qakbot and TrickBot infections," CIS noted.

[Figure: MS-ISAC malware notifications, September 2020]

[Figure: Top 10 malware, September 2020]

"In September 2020, malvertisement accounted for the greatest number of alerts. Malvertisement continues to increase and stay as the top initial infection vector due to Shlayer. Shlayer returned to the Top 10 Malware after new evidence resulted in it being reclassified as a Trojan Downloader compared to an Adware Dropper. Activity levels for all vectors, except malspam and network, increased. It is likely that malvertisement will remain the primary infection vector as the Shlayer campaign pans out," says CIS.

[Figure: Top 10 malware infection vectors, September 2020]

The following information is detailed in the CIS blog, which can be found at https://www.cisecurity.org/blog/september-2020-top-10-malware/

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Currently Gh0st is the only malware being dropped.

Multiple – Malware that currently favors at least two vectors. CoinMiner, CryptoWall, and ZeuS are the only malware currently utilizing multiple vectors. ZeuS is dropped by other malware, but it is also delivered via malvertisement. 

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, Blaknight, Dridex, and Emotet.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer and SocGholish are the only Top 10 Malware using this technique.

Top 10 Malware and IOCs, according to CIS

Below are the Top 10 Malware ranked in order of prevalence. The respective Indicators of Compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants, says CIS. 

1. Shlayer

Shlayer is a downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern <api.random_name.com>. Below are a few of the hundreds of domains used by Shlayer.


2. SocGholish

SocGholish is a RAT and a banking trojan that uses fake Flash Updates to drop a NetSupport RAT payload. Recently, SocGholish has been used to drop WastedLocker ransomware, a new ransomware variant.

3. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.

4. Agent Tesla

Agent Tesla is a RAT that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected computer.

5. CryptoWall

CryptoWall is ransomware commonly distributed through malspam with malicious ZIP attachments, Java vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

6. Emotet

Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network.


7. ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

Domains

  • Opaopa[.]info

IPs

  • 8.208.90[.]18

8. Blaknight

Blaknight, also known as HawkEye, is an infostealer known for its keylogging capabilities for credential and banking theft.

Domains

  • Bot[.]whatismyipaddress[.]com

IPs

  • 66.171.248[.]178

9. CoinMiner

CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.

SHA256 Hashes

  • a9e785de50216ab7987be7403d1bfcf4d7661ebcfdb8c27eb1525c919398ff7d

10. Dridex

Dridex is a banking trojan that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.

Domains

  • Oneyearnovel[.]com

IPs

  • 167.99.20[.]6
  • 134.209.138[.]1
  • 167.172.120[.]137
  • 104.131.85[.]182
  • 159.89.253[.]159
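
The indicators in this article are defanged (`[.]`) and some domains are capitalised, so they must be normalised before they can be compared with log data. The following is an added example, not code from CIS or Security Magazine: it normalises the ZeuS and CoinMiner indicators listed above and matches them against constructed log lines. The function names and the log format are assumptions made for illustration.

```python
import ipaddress
import re

# Defanged indicators copied from this page's ZeuS and CoinMiner entries.
PAGE_IOCS = [
    "Opaopa[.]info",
    "8.208.90[.]18",
    "a9e785de50216ab7987be7403d1bfcf4d7661ebcfdb8c27eb1525c919398ff7d",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalise(token):
    """Refang and lowercase one indicator or log token; return (kind, value)."""
    value = token.strip().lower().replace("[.]", ".")
    if SHA256_RE.match(value):
        return "sha256", value
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        return "domain", value.rstrip(".")


def build_index(iocs):
    """Group normalised indicators by kind for fast lookup."""
    index = {"sha256": set(), "ip": set(), "domain": set()}
    for ioc in iocs:
        kind, value = normalise(ioc)
        index[kind].add(value)
    return index


def match_line(line, index):
    """Return sorted (kind, indicator) hits for one whitespace-separated log line."""
    hits = set()
    for token in line.split():
        kind, value = normalise(token)
        if kind == "domain":
            # Match the listed domain and its subdomains, but not look-alike
            # names that merely end with the same characters.
            hits.update(("domain", d) for d in index["domain"]
                        if value == d or value.endswith("." + d))
        elif value in index[kind]:
            hits.add((kind, value))
    return sorted(hits)


# Constructed log lines (hypothetical format): DNS, firewall, and EDR events.
SAMPLE_LOG = [
    "2020-09-14T10:02:11Z dns 10.0.4.17 query cdn.OPAOPA.info A",
    "2020-09-14T10:02:12Z fw 10.0.4.17 -> 8.208.90.18 443 allow",
    "2020-09-14T10:05:40Z dns 10.0.4.22 query notopaopa.info A",
    "2020-09-14T10:07:03Z edr host22 sha256 " + PAGE_IOCS[2].upper(),
]

if __name__ == "__main__":
    idx = build_index(PAGE_IOCS)
    for entry in SAMPLE_LOG:
        print(match_line(entry, idx), "<-", entry)
```

The third log line produces no hit: `notopaopa.info` ends with the same characters as the indicator but is a different registered domain, which is why the match requires a label boundary.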

KEYWORDS: cyber security information security internet security malware risk management
