December 2019’s Most Wanted Malware: Greta Thunberg-themed Spam Used to Spread Emotet Malware

Check Point’s researchers also report sharp increase in exploits against the ‘Command Injection Over HTTP’ vulnerability, impacting 33% of organizations globally

Our latest Global Threat Index for December 2019 shows that Emotet was the leading malware family for the third month running, and was being spread using a range of spam email campaigns including ‘Christmas wishes from Greta Thunberg,’ and ‘Christmas Party invitation.’

The emails in both campaigns contained a malicious Microsoft Word document which, if opened by the recipient, attempts to download Emotet onto their computer. Emotet is primarily used as a distributor of ransomware or other malicious campaigns.

December also saw a significant increase in attempts to exploit the ‘Command Injection Over HTTP’ vulnerability, with 33% of organizations globally being targeted.  This vulnerability rose from being the 5th most exploited in November to the top position last month. If successfully exploited, the payload was a DDoS botnet:  the malicious file used in the attack also contained a number of links to payloads exploiting vulnerabilities in several IoT devices from manufacturers including D-Link, Huawei and RealTek, with the aim of recruiting these devices into botnets.

Over the past three months, the main threats impacting most organizations have been versatile, multi-purpose malware like Emotet and xHelper. These give cyber-criminals multiple options for monetizing attacks, as they can be used for distributing ransomware or spreading further spam campaigns.  As the aim for criminals is to get a foothold in as many organizations and devices as possible, so that their subsequent attacks can be more lucrative and damaging, it’s critical that organizations educate their employees about the risks of opening email attachments, downloading resources or clicking on links that do not come from a trusted source or contact.

December 2019’s Top 10 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

This month Emotet retains 1st place, impacting 13% of organizations globally. In 2nd  place is XMRig, closely followed by Trickbot, with both impacting 7% of organizations globally.

  1. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. ↔ XMRig – XMRig is an open-source CPU mining software used for mining Monero cryptocurrency, first seen in-the-wild on May 2017.
  3. ↔ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  4. Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  5. ↑ Lokibot – Lokibot is an info-stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.
  6. ↔ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  7. ↑ RigEK – RigEK delivers Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit
  8. ↓ Formbook – Formbook is an info-stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  9. ↑ Nanocore – NanoCore is a Remote Access Trojan that targets Windows users. All versions of the RAT feature base plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
  10. ↓ xHelper – Xhelper is a malicious application targeting Android devices seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is also capable of hiding itself from the user.

December’s ‘Most Exploited’ vulnerabilities:

This month the “Command Injection Over HTTP” was the most common exploited vulnerability, impacting 33% of organizations globally. In 2nd place was the MVPower DVR Remote Code Execution vulnerability, followed by Web Server Exposed Git Repository Information Disclosure – impacting 32% and 29% of organizations worldwide respectively.

  1. ↑  Command Injection Over HTTP – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation allows an attacker to execute arbitrary code on the target machine.
  2. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  3. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  4. ↓  SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  5. ↑ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  6. ↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  7. Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  8. ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  9. ↓ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
  10. Joomla Object Injection Remote Command Execution (CVE-2015-8562) – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.

December’s most wanted mobile malware

This month xHelper retains 1st place in the most prevalent mobile malware, followed by Guerilla and Hiddad.

  1. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user, and reinstall itself in case it was uninstalled.
  2. Guerrilla –  An Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
  3. Hiddad – An Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS