September 2019’s Most Wanted Malware: Emotet Botnet Starts Spreading Spam Campaigns Again After Three-Month Silence

In September, the Emotet Botnet resumed activity again after a three-month break. We first reported the notorious botnet taking a break in June 2019, and that the offensive infrastructure had become active again in August.  Some of the Emotet spam campaigns featured emails which contained a link to download a malicious Word file, and some contained the malicious document itself. When opening the file, it lures the victims to enable the document’s macros, which then installs the Emotet malware on the victim’s computer. Emotet was the 5th most prevalent malware globally in September.

While it’s not clear why the Emotet botnet was dormant for 3 months, we can assume that the developers behind it were updating its features and capabilities. As such, it’s important that organizations warn employees about the risks of phishing emails, and of opening email attachments or clicking on links that do not come from a trusted source or contact. They should also consider deploying latest generation anti-malware solutions that can automatically extract suspicious content from emails before it reaches end-users.

September 2019’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

This month Jsecoin is leading the top malware list, impacting 8% of organizations worldwide. XMRig is the second most popular malware, followed by AgentTesla, both with a global impact of 7%.

  1. ↑ Jsecoin – Jsecoin is JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  2. ↓ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  3. ↑ Agentesla – AgentTesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  4. ↑ Formbook – Formbook is an infoStealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  5. ↓ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and  Evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  6. ↑ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  7. ↑ Cryptoloot – Cryptoloot is crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new  currency. It was a competitor to Coinhive, trying to pull the rug under it by asking less percent of revenue from websites.
  8. ↓ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  9. ↓Ramnit – Ramnit is banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  10. ↓ Lokibot – Lokibot is an Info Stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.

September’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Lotoor is the most prevalent mobile malware, followed by AndroidBauts and Hiddad.

  1. Lotoor – a hacking tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
  2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.
  3. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

September’s ‘Most Exploited’ vulnerabilities:

This month, the MVPower DVR Remote Code Execution vulnerability leads the top exploited vulnerabilities list with a global impact of 37%. The Linux System Files Information Disclosure vulnerability is second, closely followed by the Web Server Exposed Git Repository Information Disclosure, with both impacting 35% of organizations around the world.

  1. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2. ↑ Linux System Files Information Disclosure – Linux operating system contains system files with sensitive information. If not properly configured, remote attackers can view the information in the files.
  3. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  4. ↓  SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  5. ↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  6. Command Injection Over HTTP – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  7. ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  8. ↓ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
  9. Joomla Object Injection Remote Command Execution) – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
  10. ↔ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.

The map below displays the risk index globally demonstrating the main risk areas and malware hotspots around the world.