February 2020’s Most Wanted Malware: Increase in Exploits Spreading the Mirai Botnet to IoT Devices

Check Point Research also reports that Emotet has been spreading via a new SMS phishing campaign

Our latest Global Threat Index for February 2020 shows a large increase in exploitation of a vulnerability to spread the Mirai botnet, which is notorious for targeting Internet-of-Things (IoT) devices, such as web cameras, modems and routers, and for conducting massive DDoS attacks.

The “PHP php-cgi Query String Parameter Code Execution” vulnerability ranked 6th among the top exploited vulnerabilities and impacted 20% of organizations worldwide, compared to just 2% in January 2020.

The February report also found that Emotet, the second most prevalent malware this month and the most widespread botnet currently operating, spread through two new vectors during February. The first was an SMS phishing (smishing) campaign targeting users in the U.S.: the SMS impersonates messages from popular banks and lures victims into clicking a malicious link that downloads Emotet to their device. The second is a Wi-Fi spreader: Emotet enumerates nearby Wi-Fi networks, brute-forces them with a list of commonly used Wi-Fi passwords, and uses the networks it joins to reach further hosts. Emotet is primarily used as a distributor of ransomware and other malicious campaigns.

Emotet impacted 7% of organizations globally in February, down from 13% in January, when it was being spread via spam campaigns, including Coronavirus-themed ones. This highlights how quickly cyber-criminals change the themes of their attacks to maximize infection rates, and why organizations need to ensure their staff can recognize the different forms of malicious spam. Overall, the most impactful threats and exploits during February showed that criminals are aiming to build the largest possible networks of infected devices, which they can then monetize in a range of ways, from ransomware delivery to launching DDoS attacks.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month XMRig moved up to first place, impacting 7% of organizations globally, followed by Emotet and Jsecoin impacting 6% and 5% of organizations worldwide respectively.

  1. ↑ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency; it was first seen in the wild in May 2017.
  2. ↓ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be primarily a banking Trojan, but recently has been used as a distributor of other malware and malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It is typically spread through phishing spam emails containing malicious attachments or links.
  3. ↑ Jsecoin – Jsecoin is a web-based crypto miner designed to mine the Monero cryptocurrency in the browser while a user visits a particular web page. The implanted JavaScript consumes a large share of the end user machine's computational resources to mine coins, degrading system performance.
  4. ↓ Trickbot – Trickbot is a dominant banking Trojan that is constantly updated with new capabilities, features and distribution vectors. This makes Trickbot flexible and customizable malware that can be distributed as part of multi-purpose campaigns.
  5. ↑ Lokibot – Lokibot is an info stealer distributed mainly by phishing emails and used to steal data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.
  6. ↓ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and password stealer. Agent Tesla is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
  7. ↓ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  8. ↓ Formbook – Formbook is an infostealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  9. ↑ Vidar – Vidar is an infostealer that targets Windows operating systems. It is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets.
  10. ↑ Glupteba – Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism that reads addresses from the public Bitcoin blockchain, an integral browser stealer capability and a router exploiter.

Top exploited vulnerabilities

This month, “MVPower DVR Remote Code Execution” remained the most commonly exploited vulnerability, impacting 31% of organizations globally, closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 28%. In third place, “PHP DIESCAN information disclosure” impacted 27% of organizations worldwide.

  1. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code on the affected device via a crafted request.
  2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability (Heartbleed) exists in OpenSSL. The vulnerability is due to a missing bounds check when handling TLS/DTLS heartbeat packets: the peer's claimed payload length is trusted, so the heartbeat response copies up to 64 KB of process memory back to the sender. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server, including private keys and session data.
  3. PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
  4. ↔ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability allows remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
  5. ↑ SQL Injection (several techniques) – Injecting SQL syntax into input sent from the client to the application so that it becomes part of the query the application builds, exploiting the application's failure to separate data from query code.
  6. ↑ PHP php-cgi Query String Parameter Code Execution (CVE-2012-1823) – A remote code execution vulnerability reported in PHP when run as a CGI binary. The vulnerability is due to improper parsing and filtering of query strings: following the CGI convention, a query string with no unencoded “=” is passed to php-cgi as command-line arguments, so a remote attacker can send a crafted HTTP request whose query string contains php-cgi switches such as “-d” to change INI settings (for example enabling allow_url_include and auto_prepend_file) or “-s” to dump script source. Successful exploitation allows an attacker to execute arbitrary code on the target.
  7. ↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability reported in web servers that leave a Git repository (the .git directory) reachable under the web root. Successful exploitation allows an attacker to retrieve source code and configuration, which may include account information.
  8. ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability that exists in the WordPress portable-phpMyAdmin plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
  9. ↓ Command Injection Over HTTP – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  10. ↑ Web Server Enforcement Violation
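Two of the entries above (the php-cgi query string exploit and the exposed Git repository) leave a recognizable trace in ordinary web-server access logs. The following Python script is an added example, not part of the Check Point report or any of its products: it reproduces the CGI argument rule that makes the php-cgi exploit work (a query string with no unencoded “=” is split on “+”, URL-decoded and passed to the script as command-line arguments, per RFC 3875 section 4.4) and flags requests that would reach php-cgi carrying dangerous switches, alongside probes for files under /.git/. The log lines, IP addresses and label names are constructed for the example.

```python
"""Flag php-cgi argument injection (CVE-2012-1823) and exposed-.git probes
in combined-format access logs.

Example code written for this page; the sample lines in LOG_LINES are
constructed, and the labels returned by classify_request() are arbitrary.
"""
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]"')

# php-cgi switches abused in the 2012 attacks: -d sets INI directives
# (allow_url_include, auto_prepend_file), -s dumps script source,
# -n/-c replace php.ini, -f chooses the file to execute.
DANGEROUS_PHP_OPTS = {"-d", "-s", "-n", "-c", "-f"}


def php_cgi_argv(raw_query):
    """Reproduce the CGI argv rule (RFC 3875 section 4.4): when QUERY_STRING
    contains no unencoded '=', the whole string is split on '+', each part
    URL-decoded, and the result handed to php-cgi as command-line arguments.
    A query with a literal '=' never reaches argv, so it returns []."""
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(part) for part in raw_query.split("+") if part]


def classify_request(line):
    """Return a label for a suspicious access-log line, or None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    path, _, raw_query = match.group("target").partition("?")
    if path == "/.git" or path.startswith("/.git/"):
        return "exposed-git-repository"
    # php-cgi also accepts the glued form -dallow_url_include=1, so the
    # first two characters of each argument decide.
    if any(arg[:2] in DANGEROUS_PHP_OPTS for arg in php_cgi_argv(raw_query)):
        return "php-cgi-argument-injection"
    return None


def scan(lines):
    """Return (label, request target) pairs for every flagged line."""
    hits = []
    for line in lines:
        label = classify_request(line)
        if label:
            hits.append((label, REQUEST_RE.search(line).group("target")))
    return hits


# Constructed sample log lines: one php-cgi probe (note the encoded %3d, so
# the raw query has no '='), one .git probe, and two benign requests (the
# third carries a literal '=' in its query, so nothing reaches argv).
LOG_LINES = [
    '203.0.113.7 - - [12/Feb/2020:10:03:11 +0000] "GET /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Feb/2020:10:03:12 +0000] "GET /.git/HEAD HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.4 - - [12/Feb/2020:10:04:00 +0000] "GET /index.php?page=-d HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Feb/2020:10:04:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, target in scan(LOG_LINES):
        print(f"{label}: {target}")
```

The decoded argv is what an analyst wants to see alongside the alert: for the first sample line it is `-d allow_url_include=1 -d auto_prepend_file=php://input`, which makes php-cgi execute whatever PHP the attacker puts in the request body. A request such as `?page=-d` is not an attack, because the literal `=` keeps the query out of argv, and the script treats it that way rather than pattern-matching on `-d` alone.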

Top malware families – Mobile

This month xHelper retained 1st place as the most prevalent mobile malware, followed by Hiddad and Guerrilla.

  1. xHelper – A malicious application seen in the wild since March 2019, used to download other malicious apps and display advertisements. The application is capable of hiding itself from the user and reinstalling itself if it is uninstalled.
  2. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  3. Guerrilla – Guerrilla is an Android Trojan found embedded in multiple legitimate apps and capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.