May’s Most Wanted Malware: Ursnif Banking Trojan Ranks On Top 10 Malware List for First Time, Over Doubling Its Impact On Organizations

Check Point’s researchers find sharp increase in attacks using the long-running Ursnif banking trojan capable of stealing email and banking credentials

Our latest Global Threat Index for May 2020 has found several malicious spam campaigns distributing the Ursnif banking trojan, which caused it to jump up 19 places to 5th in the Top Malware list, doubling its impact on organizations worldwide

The Ursnif banking trojan targets Windows PCs and is capable of stealing vital financial information, email credentials and other sensitive data. The malware is delivered in malicious spam campaigns via Word or Excel attachments. The new wave of Ursnif trojan attacks – which saw it enter the Top Malware index’s top 10 for the first time – coincides with reports about the demise of one of its popular variants, Dreambot. Dreambot was first spotted in 2014 and is based on Ursnif’s leaked source code. However, since March 2020, Dreambot’s backend server has gone down, and no new Dreambot samples have been seen in the wild.

Meanwhile, the well-known banking trojan Dridex, which entered the malware top 10 for the first time in March, continued to have a significant impact throughout May, remaining in 1^st place for the second month running.The most prevalent mobile malware families also completely changed in May, with Android malware that generates fraudulent revenue from clicking on mobile adverts dominating the mobile index – showing how criminals are trying to monetize attacks against mobile devices.

Check Point researcher’s warn that with the Dridex, Agent Tesla and Ursnif banking trojans all ranking in the malware top 5  in May, it is clear cyber criminals are focusing on using malware that enables them to monetize their victim’s data and credentials.  While COVID-19-related attacks have fallen, we have seen

a 16% increase in overall cyber-attacks in May compared to March and April, so organizations must remain vigilant by using certain tools and techniques, especially with the mass shift to remote working, which attackers are taking advantage of.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Dridex remains in 1st place, impacting 4% of organizations globally, followed by Agent Tesla and XMRig, both impacting 3% of organizations worldwide.

1. ↔ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
2. ↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
3. ↓ XMRig – XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
4. ↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
5. ↑ Ursnif – Ursnif is a Trojan that targets the Windows platform and steals information and credentials for banking and email accounts. Moreover, it downloads and executes files on the infected system.
6. ↑ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
7. ↓ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
8. ↓ Ramnit – Ramnit is banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
9. ↑ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
10. ↑ Lokibot – Lokibot is an Info Stealer distributed mainly by phishing emails and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.

Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” is still holding 1^st place as the most common exploited vulnerability, impacting 45% of organizations globally. The second most popular exploited vulnerability is “OpenSSL TLS DTLS Heartbeat Information Disclosure”, closely followed by “Web Server Exposed Git Repository Information Disclosure” impacting 40% and 39% of organizations respectively.

1. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
4. ↔ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
5. ↑ Draytek Vigor Command Injection (CVE-2020-8515) – A command injection vulnerability exists in Draytek Vigor. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
6. ↑ Apache Struts2 Content-Type Remote Code Execution – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information
7. ↓PHP DIESCAN information disclosure – An Information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
8. ↑ OpenSSL Padding Oracle Information Disclosure – An information disclosure vulnerability that exists in the AES-NI implementation of OpenSSL. The vulnerability is due to memory allocation miscalculation during a certain padding check. A remote attacker can exploit this vulnerability to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session.
9. ↑ PHP php-cgi Query String Parameter Code Execution – A remote code execution vulnerability has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
10. ↓ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.

Top malware families – Mobile

This month, the top three malware families completely changed, with PreAmo in 1st place as the most prevalent Mobile malware, followed by Necro and Hiddad.

1. PreAmo – PreAmo is an Android Malware imitates the user by clicking on banners retrieved from three ad agencies: Presage, Admob, and Mopub.
2. Necro – Necro is an Android Trojan Dropper. It can download other malware, showing intrusive ads and stealing money by charging paid subscriptions.
3. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.