September 2020’s Most Wanted Malware: New Info-stealing Valak Variant Enters Top 10 Malware List For First Time

Check Point researchers find sharp increase in attacks using new Valak malware, while the Emotet trojan remains in 1st place for third consecutive month

Our latest Global Threat Index for September 2020 has revealed that an updated version of Valak malware has entered the Index for the first time, ranking as the 9th most prevalent malware.

First observed in late 2019, Valak is a sophisticated threat which was previously classified as a malware loader. In recent months, new variants were discovered with significant functional changes which enable Valak to operate as an information-stealer capable of targeting both individuals and enterprises.  This new version of Valak is able to steal sensitive information from Microsoft Exchange mail systems, as well as users’ credentials and domain certificates. During September, Valak was spread widely by malspam campaigns containing malicious .doc files.

The Emotet trojan remains in 1st place in the Index for the third month in succession, impacting 14% of organizations globally. The Qbot trojan, which entered the listing for the first time in August, was also widely used in September, rising from 10th to 6th in the index.

These new campaigns spreading Valak are another example of how threat actors look to maximize their investments in established, proven forms of malware. Together with the updated versions of Qbot which emerged in August, Valak is intended to enable data and credentials theft at scale from organizations and individuals. Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users, and advise their employees to be cautious when opening emails, even when they appear to be from a trusted source.

The research team also warns that “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organizations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” had a global impact of 36%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Emotet remains the most popular malware with a global impact of 14% of organizations, followed by Trickbot and Dridex impacting 4% and 3% or organizations worldwide respectively.

  1. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. ↑ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  3. ↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
  4. Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer which capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  5. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  6. ↑ Qbot – Qbot is a banking Trojan that first appeared in 2008, designed to steal users banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques, to hinder analysis and evade detection.
  7. ↔ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
  8. Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  9. ↑ Valak – Valak is a sophisticated malware previously classified as a malware loader. Though it was first observed in late 2019, it was lately discovered with changes which makes it more than just a loader for other malware and it can also be used independently as an information stealer to target individuals and enterprises.
  10. RigEK – RigEK delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.

Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organizations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” is in third place, with a global impact of 36%.

  1. ↑MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2. Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  4. ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
  5. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  6. Draytek Vigor Command Injection (CVE-2020-8515) – A command injection vulnerability exists in Draytek Vigor. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  7. ↑Command Injection Over HTTP Payload – A command Injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine
  8. ↔ SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  9. ↑ Muieblackcat PHP Scanner – Muieblackcat is a vulnerability scanning product. Remote attackers can use Muieblackcat to detect vulnerabilities on a target server.
  10. w00tw00t security scanner – w00tw00t is a vulnerability scanning product. Remote attackers can use w00tw00t to detect vulnerabilities on a target server.

Top mobile malware families

This month xHelper is the most popular mobile malware, followed by Xafecopy and Hiddad.

  1. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application can hide itself from the user, and reinstall itself in case it was uninstalled.
  2. Xafekopy – Xafecopy Trojan is disguised as useful apps like Battery Master. The Trojan secretly loads malicious code onto the device. Once the app is activated, the Xafecopy malware clicks on web pages with Wireless Application Protocol (WAP) billing – a form of mobile payment that charges costs directly to the user’s mobile phone bill.
  3. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS