Our Top 10 Email Malware of All Time

Email is infamous as a common means for spreading malware, with spam and phishing messages used to trick users into installing malicious software on their computers. These emails leverage a number of different techniques to get their payload delivered onto computers, including malicious links, macros, embedded scripts, or just the malware itself cloaked in a zip archive.

In this article, we will review some of the most dangerous pieces of malware that ever existed and were spread via email. These malicious applications have been hugely damaging for their victims, and some continue to pose a real threat. Here is our top ten “most wanted” malware of all time—spread via email.

10. TrickBot (2016)

trojan horse.jpgThis is a banking Trojan, which mainly uses a macro-based malware that hides in .doc and .xls files. Very similar to Dyre Trojan, it was set up to target digital banking platforms used by US banks, before spreading further afield to the UK, Australia, New Zealand, Canada, and Germany. Currently, it only affects Windows computers and does not harm Mac, iPhone, iPad, Blackberry, Windows phone, or Android phone.

9. Emotet (2014)

This Trojan has also been seen in the banking world, targeting sensitive information, such as bank account details. It usually appears as a malicious spam email related to an invoice or payment notification with a direct download link to malware. Early this year, an Emotet attack cost the city of Allentown, PA, around $1 million. It is important to know these emails are often very difficult to block, unless the link follow option is enabled.

8. Hancitor (2014)

Also known as Chanitor, this is, to some extent, similar to the Emotet Trojan described above. It sends out malware links via a word document attachment. Most of the malicious web servers are located in the USA, while the majority of compromised domains are based in Asia.

7. Loki-Bot (2015)

This is a login credentials information stealer, which sends sensitive data from the infected computer. Unlike other trojans, it is difficult to identify specific patterns in the spam emails distributing Loki-Bot Trojan. However, more often than not, attachment invoices or .zip files with .exe or other executable files inside can be seen in the emails.

6. Duqu (2011)

Seen as the successor of Stuxnet back in 2011 when it first surfaced, Duqu has been leveraging a zero-day vulnerability in the Microsoft Windows TrueType Fonts and spreading via Word documents. In its second variant, it used spear-phishing, targeting Asia-Pacific businesses and their employees, and leveraged up to three zero-day vulnerabilities. It also deleted mailboxes and browser histories to cover its tracks.

5. Cridex (2012)

This Trojan, discovered in early 2012, is another strain of financial malware that steals banking credentials and sensitive information from infected machines. There have been reports of spam campaigns sent by the Cutwail botnet that bundled the Cridex malware back in early 2013. The email would include a link that would redirect users to a compromised legitimate website, that would then route the victim to the Blackhole Exploit Kit, which would deliver the final payload of Cridex.

4. Upatre (2013)

Shortly after the fall of the Blackhole Exploit Kit, Upatre surfaced, spreading via malicious email attachments or links inserted into emails that sent victims to a website hosting the malicious payload. Upatre also bundled several malware payloads such as: ZeuS, Crilock, Dyreza, and Rovnix, which severely damaged the security of infected computers.

3. Dyre (2014)

Dyre is a banking malware that made headlines after stealing more than $1 million in a single campaign and bypassing two-factor authentication security measures by persuading victims to contact the hackers and send the required information. Dyre is known for infecting its victims via spam emails; it lies in wait for the victim to log in to a bank website and steals his/her credentials. After infecting a computer, the malware converts it into a slave that sends out spam with the malicious attachment.

2. CryptoLocker (2013)

payransom.jpgCryptoLocker is some of the most prolific ransomware ever created by cybercriminals; it encrypts all files on infected computers and demands a ransom in Bitcoins (BTC) for the decryption keys. It used to infect computers via attachments sent in spam campaigns or by leveraging the Gameover ZeuS botnet.

1. Dridex Trojan (2014)

Dridex is a well-known banking Trojan that leverages malicious macros in Microsoft Office documents and steals banking credentials and other financial details of victims. Dridex is an update of Cridex, which was built on top of the ZeuS botnet. It began spreading in late 2014, generating almost 15,000 emails per day during the first spam campaign. Recently, the Dridex Trojan started to refocus its attacks on high-valued banking targets from the UK, leveraging malicious macros in an office document disguised as invoices during its phishing campaigns.

To help keep your network and computers protected, you need a multilayered security approach. Deploying a professional email security solution that filters all incoming as well as outgoing messaging is of great importance; however, this is only one part of your security strategy. A robust endpoint security solution is just as critical to help ensure you directly secure end-user devices. This is the optimal strategy to help you keep malware out.

Do you have something to add to our list?

Additional reading:

To find out how SolarWinds® Mail Assure can help you protect your systems, click here.

Sebastian Antonescu is the Technical Support Team Manger for Mail Assure and SpamExperts brands.

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site