November 2018’s Most Wanted Malware: The Rise of the Thanksgiving Day Botnet

Check Point’s latest Global Threat Index reveals the Emotet botnet rising through the top malware list after several seasonal campaigns, as Coinhive remains at no.1 for 12th consecutive month

 

Check Point’s researchers identified a number of seasonal campaigns in November that distributed the Emotet botnet.  The index reveals that the Emotet botnet has entered the Index’s top 10 in 7th place after researchers saw it spread through several campaigns, including a Thanksgiving-themed campaign.

 

The Emotet botnet was once used as a banking Trojan, but its use has recently shifted since it allows attackers to deploy other malware and malicious campaigns. It is designed with persistence and evasion in mind. Its distribution through emails containing Thanksgiving-themed subject lines, links and attachments has seen its prevalence increase by 25% compared to last month.

 

The top ten list is now populated by four cryptominers, as these make way for more multi-purpose malware that can deliver various payloads in one go. Meanwhile, Coinhive has now led the Index for one year, since December 2017. Coinhive alone has impacted 24% of organizations worldwide in the last 12 months, while cryptomining malware had an overall global impact of 38%.

 

November 2018’s Top 10 ‘Most Wanted’:

*The arrows relate to the change in rank compared to the previous month.

  1. ↔ Coinhive – Cryptominer designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval, and without sharing the profits with the user. The implanted JavaScript uses great computational resources of the end users to mine coins and might crash the system.
  2. ↔ Cryptoloot – Cryptominer, using the victim’s CPU or GPU power and existing resources for cryptomining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
  3. ↑ Andromeda – Modular bot used mainly as a backdoor to deliver additional malware on infected hosts, but can be modified to create different types of botnets.
  4. ↔ Roughted – Large scale Malvertising used to deliver various malicious websites and payloads such as scams, adware, exploit kits and ransomware. It can be used to attack any type of platform and operating system, and utilizes ad-blocker bypassing and fingerprinting in order to make sure it delivers the most relevant attack.
  5. ↓ Dorkbot- IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  6. ↔ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  7. ↑ Emotet – Advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributor to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  8. ↑ Conficker- Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  9. ↓ XMRig– XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  10. ↑ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.

 

Triada, the modular backdoor for Android has retained first place in the top mobile malware list. Hiddad has climbed to second place, replacing Android banking Trojan and info-stealer Lokibot, which has fallen to third place.

 

November’s Top 3 ‘Most Wanted’ mobile malware:

  1. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  3. Lokibot – Android banking Trojan and info-stealer, which can also turn into a ransomware that locks the phone in case its admin privileges are removed.

 

Check Point researchers also analyzed the most exploited cyber vulnerabilities. Once again, CVE-2017-7269 remains in first place of the top exploited vulnerabilities list, with a global impact of 48% of organizations. OpenSSL TLS DTLS Heartbeat Information Disclosure keeps its second place with a global impact of 44%.  CVE-2016-6309, a vulnerability in the tls_get_message_body function of OpenSSL is in third place, impacting 42% of organizations.

 

November’s Top 3 ‘Most Exploited’ vulnerabilities:

  1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
  1. ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  1. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) – A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.

 

The map below displays the risk index globally (green – low risk, red- high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

 

 

Check Point’s Threat Prevention Resources are available at:  https://www.checkpoint.com/threat-prevention-resources/index.html