November 2019’s Most Wanted Malware: Researchers Warn of Fast-growing Mobile Threat While Emotet’s Impact Declines

Check Point’s researchers report that the XHelper mobile trojan is spreading so fast, it has entered the overall top 10 malware list at #8 as well as being the biggest threat impacting mobiles

Our latest Global Threat Index for November 2019 marks the first time in over three years that a mobile trojan has entered the overall top malware listing, as well as being the most prevalent mobile threat over the past month.  The mobile trojan is XHelper, which was first seen in the wild in March 2019.

XHelper is a multi-purpose Android trojan that can download other malicious applications as well as displaying malicious advertisements.  It is also reported to be a persistent application, able to reinstall itself even if it is uninstalled by the victim. During the past six months the malware’s code has been constantly updated, helping it to evade mobile antivirus solutions and to keep on infecting new victims.  As a result, it has entered the overall top 10 malware list at #8.

November’s most wanted malware was the Emotet botnet, retaining the #1 position from October.  However, in November, it impacted 9% of organizations globally, down from 14% the previous month.

Both Emotet and XHelper are versatile, multi-purpose malware that can be adapted to criminals’ needs, such as distributing ransomware, spreading spam campaigns or distributing malvertising to users’ devices. This shows that criminals are trying multiple different illicit tactics to monetize their operations, rather than following a single trend like cryptomining which dominated the malware sector in 2018.  It’s essential that organizations deploy latest generation anti-malware solutions on their networks as well as on employees’ mobile devices, to protect all enterprise endpoints. They should also educate employees about the dangers of opening email attachments, downloading resources or clicking on links that do not come from a trusted source or contact.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

Emotet has maintained its position at the top of the malware list with a global impact of 9%. XMRig was the second most popular malware impacting 7% of organizations worldwide, followed by Trickbot, impacting 6% of organizations globally.

  1. Emotet – Emotet is an advanced, self-propagating modular Trojan. Emotet was originally used as a banking Trojan, and more recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. ↔ XMRig – XMRig is an open-source CPU mining software used for mining the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  3.     ↔ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  4.     ↑ Formbook – Formbook is an info-stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  1. ↔ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.
  2.    ↔ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  1.    ↑ Vidar – Vidar is an info-stealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar has been sold on various online forums and used as a malware dropper that downloads GandCrab ransomware as its secondary payload.
  2. XHelper – XHelper is a malicious application targeting Android devices seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is also capable of hiding itself from the user and from mobile anti-virus programs.
  3.    Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and a password stealer. Agent Tesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  4. ↑ Glupteba – Glupteba is a malware dropper with a varied capabilities- it collects system information, stealth browser information including the victim’s credentials and is able to transform the infected machine into a cryptomining bot. Glupteba is also capable of exploiting MikroTik routers and configure it as SOCKS proxy.

Top exploited vulnerabilities

This month the three top exploited remained the same as in the previous month – SQL injection techniques continue to lead the list, impacting 39% of organizations globally, followed by the OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability and MVPower DVR Remote Code Execution – impacting 34% and 33% of organizations worldwide respectively.

  1. ↔  SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to applications, while exploiting a security vulnerability in an application’s software.
  1.    ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  1. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2. ↑ Command Injection Over HTTP – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  3.   ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  1.   ↓ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
  1.    ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  2.   ↓ Joomla Object Injection Remote Command Execution (CVE-2015-8562) – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
  1.    Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  1. ↓ OpenSSL Padding Oracle Information Disclosure (CVE-2016-2107) – An information disclosure vulnerability exists in the AES-NI implementation of OpenSSL. The vulnerability is due to memory allocation miscalculation during a certain padding check. A remote attacker can exploit this vulnerability to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session

Top malware families- Mobile

This month xHelper – a new entry to our top malware list – was the most prevalent mobile malware, followed by Guerilla and Lotoor.

  1. xHelper – A malicious Android application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and mobile anti-virus programs, and reinstalls itself if the user uninstalls it.
  2. Guerrilla –  An Android Trojan found embedded in multiple legitimate apps which is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
  3. Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.