October 2020’s Most Wanted Malware: Trickbot and Emotet Trojans Are Driving Spike in Ransomware Attacks

Check Point researchers report that Trickbot and Emotet top the Global Threat Index, and are being used for distributing ransomware against hospitals and healthcare providers globally

Our latest Global Threat Index for October 2020 has revealed the Trickbot and Emotet trojans continue to rank as the top two most prevalent malware in October, and that the trojans have been responsible for the sharp increase in ransomware attacks against hospitals and healthcare providers globally.

The FBI and other U.S. government agencies recently issued a warning about ransomware attacks targeting the healthcare sector, warning that the estimated one million-plus Trickbot infections worldwide are being used to download and spread file-encrypting ransomware such as Ryuk.  Ryuk is also distributed via the Emotet trojan, which remains in 1st place in the Top Malware Index for the fourth month in succession.

Check Point threat intelligence data showed that the healthcare sector was the most targeted by ransomware in the U.S. in October, with attacks increasing by 71% compared with September 2020.  Similarly, ransomware attacks against healthcare organizations and hospitals in October increased by 36% in EMEA and 33% in APAC.

Check Point Researchers warn that they have seen ransomware attacks increasing since the start of the coronavirus pandemic, to try and take advantage of security gaps as organizations scrambled to support remote workforces. These have surged alarmingly over the past three months, especially against the healthcare sector, and are driven by pre-existing TrickBot and Emotet infections. Check Point strongly urges healthcare organizations everywhere to be extra vigilant about this risk, and scan for these infections before they can cause real damage by being the gateway to a ransomware attack.

The research team also warns that “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 43% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” and “HTTP Headers Remote Code Execution (CVE-2020-13756)” with both impacting  42% of organizations globally.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month, Emotet remains the most popular malware with a global impact of 12% of organizations, followed by Trickbot and Hiddad which both impacted 4% of organizations worldwide.

  1. ↔ Emotet – Emotet is an advanced self-propagating and modular trojan. Emotet was once used as a banking trojan, and recently has been used as a distributer of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. ↔ Trickbot – Trickbot is a dominant banking trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  1. ↑ Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  1. ↓ Dridex – Dridex is a trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
  1. ↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  1. ↔ Qbot – Qbot is a banking trojan that first appeared in 2008, designed to steal users banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques, to hinder analysis and evade detection.
  2. XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  1. ↑ Zloader – Zloader is a descendant of the ubiquitous Zeus banking malware which uses webinjects to steal credentials, passwords and cookies stores in web browsers, and other sensitive information from customers of banks and financial institutions. The malware lets attackers connect to the infected system through a virtual network computing client, so they can make fraudulent transactions from the user’s device.
  1. ↑ XHelper – xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstalling itself in case it is uninstalled.
  1. Ramnit – Ramnit is a banking trojan that steals banking credentials, FTP passwords, session cookies and personal data.

 Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 43% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” and “HTTP Headers Remote Code Execution (CVE-2020-13756)” with both impacting 42% of organizations globally.

  1. ↔ MVPower DVR Remote Code Execution – remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2. Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  1. ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
  1. ↑ Draytek Vigor Command Injection (CVE-2020-8515) – A command injection vulnerability exists in Draytek Vigor. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  1. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) –An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  1. ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability that exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  1. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability that has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  1. ↔ SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  1. w00tw00t security scanner – w00tw00t is a vulnerability scanning product. Remote attackers can use w00tw00t to detect vulnerabilities on a target server.
  1. ↑ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.

Top Mobile Malwares

This month Hiddad is the most prevalent Mobile malware, followed by xHelper and Lotoor.

  1. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  2. xHelper – xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application can hide itself from the user and reinstall itself in case it is uninstalled.
  3. Lotoor – Lotoor is a hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.