Check Point Research, the threat intelligence arm of Check Point Software Technologies Ltd., has published its latest Global Threat Index for April 2019. The banking trojan Trickbot has returned to the Index’s top ten for the first time in almost two years.

Multi-purpose banking trojans such as Trickbot have been a popular choice for cyber criminals looking for financial gain. Trickbot campaigns increased sharply in April, with several American Tax Day-themed spam campaigns timed to coincide with the deadline for individual income tax returns in the United States. The spam campaigns spread Excel file attachments that downloaded Trickbot to victims’ computers to spread across networks, collect banking details, and possibly steal tax documents for fraudulent use.

While April’s three most common malware variants were cryptominers, the remaining seven of the Top 10 were multi-purpose trojans. This highlights the shift in tactics used by criminals to maximize their financial returns from campaigns, following the closure of several popular cryptomining services and the decline in cryptocurrency values over the past year.

“This month both Trickbot and Emotet made it to the top 10 malware list,” said Maya Horowitz, director, Threat Intelligence and Research, Check Point. “This is especially worrisome, given the fact that both botnets are nowadays used not only to steal private data and credentials but also to spread the Ryuk ransomware. Ryuk is notorious for targeting assets such as databases and backup servers, demanding a ransom of up to over a million dollars. As these (types of) malware constantly morph, it is crucial to have a robust line of defense against them with advanced threat prevention.”

April 2019’s Top 3 most wanted malware include:

• Cryptoloot, a cryptominer that uses the victim’s CPU or GPU power and existing resources for cryptomining adding transactions to the blockchain and releasing new currency. Originally a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
• XMRig is an open-source CPU mining software used to mine the Monero cryptocurrency and first seen in-the-wild May 2017.
• Jsecoin is a JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency, and other incentives.

This month Triada is the most prevalent mobile malware, replacing Hiddad at first place in the top mobile malware list. Lootor remains in second place, and Hiddad falls to third.

April’s Top 3 most wanted mobile malware:

• Triada is a modular backdoor for Android which grants superuser privileges to downloaded malware that helps it to embed into system processes. Triada has also been seen spoofing URLs loaded in browsers.
• Lotoor is a hack tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.
• Hiddad is an Android malware, which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.