January 2019’s Most Wanted Malware: A New Threat Speaks Up

Check Point’s latest Global Threat Index sees emergence of SpeakUp – the Linux Trojan that’s undetectable by anti-virus software

In January, our researchers detected a new campaign exploiting Linux servers to distribute a backdoor Trojan, dubbed SpeakUp. SpeakUp is capable of delivering any payload and executing it on compromised machines, and evades detection by all security vendors’ anti-virus software.

SpeakUp currently delivers XMRig Miner, and has been propagated through a series of exploitations based on commands it receives from its control center. So far, it has mostly infected machines in East Asia and Latin America, including some AWS hosted servers.

Threats like SpeakUp are a stark warning of bigger threats to come since they can evade detection and then distribute further, potentially more dangerous malware to compromised machines. Since Linux is used extensively in enterprise servers, SpeakUp may be a threat that will grow in scale and severity throughout the year. Our researchers have produced a detailed technical overview of the threat that SpeakUp presents to enterprise in a previous blog.

Cryptominers remain prevalent, once again filling the top 4 positions in the index and Coinhive maintaining its place at the top of the list. Damaging, multi-purpose malware forms are still prevalent, with half of all malware forms in the top ten currently able to download further malware to infected machines and distribute a variety of threats.

January 2019’s Top 10 ‘Most Wanted’:

*The arrows relate to the change in rank compared to the previous month.

1. ↔ Coinhive – Cryptominer designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval, and without sharing the profits with the user. The implanted JavaScript uses great computational resources of the end users to mine coins and might crash the system.
2. ↔ XMRig – Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
3. ↑ Cryptoloot – Cryptominer, using the victim’s CPU or GPU power and existing resources for cryptomining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
4. ↓ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
5. ↔ Emotet – Advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributor to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
6. ↔ Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
7. ↔ Dorkbot – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
8. ↑ Lokibot– Lokibot is an Info Stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.
9. ↑ Gandcrab- GandCrab is a ransomware distributed via the RIG and GrandSoft Exploit Kits, as well as email spam. The ransomware is operated in an affiliates program, with those joining the program paying 30%-40% of the ransom revenues to the GandCrab author. In return, affiliates get a full-featured web panel and technical support.
10. ↓ Ramnit– Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

Hiddad, the modular backdoor for Android which grants privileges to downloaded malware, has replaced Triada at first place in the top mobile malware list. Lotoor follows in second place, while Triada has fallen to third place.

January’s Top 3 ‘Most Wanted’ Mobile Malware:

1. Hiddad – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes.
2. Lotoor– Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
3. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.

Check Point researchers also analyzed the most exploited cyber vulnerabilities. CVE-2017-7269 remained in first place with a global impact of 47%. Following closely behind, Web Server Exposed Git Repository Information Disclosure was in second place and OpenSSL TLS DTLS Heartbeat Information Disclosure followed in third, impacting 46% and 45% of organizations around the world respectively.

January’s Top 3 ‘Most Exploited’ vulnerabilities:

1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
2. ↑ Web Server Exposed Git Repository Information Disclosure– An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
3. ↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

The map below displays the risk index globally (green – low risk, red- high risk, grey – insufficient data), demonstrating the main risk areas and malware hot-spots around the world.

Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html