June 2019’s Most Wanted Malware: Emotet Takes a Break, but Possibly Not for Long

In June, the most significant change in the threat landscape was not an increase in attacks or a new type of malware, but the absence of one of the most prominent threats of the last few months – Emotet.


Emotet first came to attention of researchers in 2014 as a banking trojan, and since 2018 has been used mainly as a Botnet. In fact, it has been the largest Botnet currently in operation and listed in the top 5 malware globally during the first six months of 2019.


Our researchers have confirmed that there have been no new campaigns seen for the majority of June, and they estimate that Emotet’s infrastructure is likely to be offline for maintenance and upgrade operations. This means that as soon as its servers are up and running again, Emotet will be active once more with new, enhanced threat capabilities.



June 2019’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.


The three most prominent Cryptominers still leading the list, this month XMRig was the most prominent malware impacting 4% of organizations worldwide, closely followed by Jsecoin and Cryptoloot, both impacting 3% of organizations globally.


  1. ↑ XMRig – Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.


  1. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.


  1. ↓ Cryptoloot – Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new It was a competitor to Coinhive, trying to pull the rug under it by asking less percent of revenue from websites.


  1. ↑ Dorkbot – IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.


  1. ↓ Emotet – Advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and  Evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.


  1. ↓ Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.


  1. ↑ Hawkeye – Hawkeye is an Info Stealer malware, designed primarily to steal users’ credentials from infected Windows platforms and deliver them to a C&C server. In the past years, Hawkeye has gained the ability to take screenshots, spread via USB and more in addition to its original functions of email and web browser password stealing and keylogging. Hawkeye is often sold as a MaaS (Malware as a Service).


  1. Nanocore – NanoCore is a Remote Access Trojan, which feature base plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.


  1. ↑Formbook – FormBook is an InfoStealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.


  1. ↓  Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.



June’s Top 3 ‘Most Wanted’ Mobile Malware:



Lotoor keeps leading the mobile top malware list, followed by Triada and Ztorg- a new malware in the top list.


  1. Lotoor– Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.


  1. Triada– Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.


  1. Ztorg– Trojans in the Ztorg family obtain escalated privileges on Android devices and install themselves in the system directory. The malware is able to install any other application on the device.


June’s ‘Most Exploited’ vulnerabilities:


In June we saw SQL Injections techniques keep leading the top exploits vulnerabilities list with a global impact of 52%. OpenSSL TLS DTLS Heartbeat Information Disclosure  ranked second impacting 43% of organization globally, closely followed by CVE-2015-8562 with a global impact of 41% of organizations worldwide.


  1. SQL Injection (several techniques)- Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.


  1.    ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.


  1. Joomla Object Injection Remote Command Execution  (CVE-2015-8562) – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.


  1. ↓ Web Server Exposed Git Repository Information Disclosure– An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.


  1. ↑ PHP DIESCAN information disclosure– An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.


  1. ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass– An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.


  1. ↑ Command Injection Over HTTP– A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.


  1. ↓ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.


  1. ↓ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.


  1. ↓ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.



The map below displays the risk index globally demonstrating the main risk areas and malware hot-spots around the world.



Check Point’s Threat Prevention Resources are available at:  http://www.checkpoint.com/threat-prevention-resources/index.html