October 2019’s Most Wanted Malware: the Decline of Cryptominers Continues, as Emotet Botnet Expands Rapidly

In October, the research team has reported that for the first time in almost two years, cryptomining malware no longer tops the ‘most wanted’ list. Cryptominers’ usage has been declining steadily since peaking in early 2018.  In January and February of 2018, over 50% of organizations globally were impacted by cryptominers, falling to 30% of organizations in January 2019.  In October 2019, cryptominers impacted just 11% of organizations worldwide.

October’s most wanted malware was the Emotet botnet, up from 5th place in September and impacting 14% of organizations globally.  At the end of the month, Emotet was spreading a Halloween-themed spam campaign. The emails had subjects such as “Happy Halloween” and “Halloween Party Invitation”, which included a malicious attachment with a Halloween-themed file name.

In September, researchers saw that the Emotet botnet was reactivated after being dormant for three months, and it is now spreading new campaigns rapidly.  As such, it’s essential that organizations warn employees about the risks of phishing emails, and of opening email attachments or clicking on links that do not come from a trusted source or contact. They should also deploy latest generation anti-malware solutions that can automatically extract suspicious content from emails before they reach end-users.

October 2019’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

For the first time in almost two years one of the Cryptominers is not the most popular malware. This month Emotet is leading the top malware list with a global impact of 14%. In second place XMRig impacting 7% of organizations worldwide, closely followed by Trickbot impacting 6% of organizations.

  1. ↑ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was used as a banking Trojan, but more recently has been used as a distributor for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  3. ↑ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  4. ↓ Jsecoin – Jsecoin is JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  5. ↑ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  6. ↑ Ramnit – Ramnit is banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  7. ↑ Lokibot – Lokibot is an info-stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.
  8. ↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  9. ↓ Formbook – Formbook is an info-stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  10. ↓ Cryptoloot – Cryptoloot is a crypto-miner, using the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new  currency. It was a competitor to Coinhive which asked for a smaller percentage of revenue from websites.

October’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Guerrilla is the most prevalence Mobile malware, followed by Lotoor and AndroidBauts.

  1. Guerrilla – An Android Trojan found embedded in multiple legitimate apps, which is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
  2. Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
  3. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.

October’s ‘Most Exploited’ vulnerabilities:

This month SQL injection techniques were the most common exploited vulnerability, impacting 36% of organizations globally. On second place OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability, closely followed by MVPower DVR Remote Code Execution – impacting 33% and 32% of organizations worldwide respectively.

  1. ↑  SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  3. ↓ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  4. ↑ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
  5. ↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  6. WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  7. Joomla Object Injection Remote Command Execution (CVE-2015-8562) – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
  8. Command Injection Over HTTP – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  9. OpenSSL Padding Oracle Information Disclosure (CVE-2016-2107) – An information disclosure vulnerability exists in the AES-NI implementation of OpenSSL. The vulnerability is due to memory allocation miscalculation during a certain padding check. A remote attacker can exploit this vulnerability to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session
  10. Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.

The map below displays the risk index globally demonstrating the main risk areas and malware hotspots around the world.