February 2021’s Most Wanted Malware: Trickbot Takes Over Following Emotet Shutdown
Check Point Research reports that following the international police operation that took control of Emotet in January, Trickbot has become the new top global threat used by cybercriminals
Our latest Global Threat Index for February 2021 has revealed that the Trickbot trojan has topped the Index for the first time, rising from third position in January.
Following the takedown of the Emotet botnet in January, Check Point researchers report that cyber-criminal groups continue to utilize other top threats, with malware such as Trickbot using new techniques for their malicious activities. During February, Trickbot was being distributed via a malicious spam campaign designed to trick users in the legal and insurance sectors into downloading a .zip archive with a malicious JavaScript file to their PCs. Once this file is opened, it attempts to download a further malicious payload from a remote server.
Trickbot was the 4th most prevalent malware globally during 2020, impacting 8% of organizations. It played a key role in one of the highest-profile and expensive cyberattacks of 2020, which hit Universal Health Services (UHS), a leading healthcare provider in the U.S. UHS was hit by Ryuk ransomware, and stated the attack cost it $67 million in lost revenues and costs. Trickbot was used by the attackers to detect and harvest data from UHS’ systems, and then to deliver the ransomware payload.
Check Point Researchers say criminals will continue using the existing threats and tools they have available, and Trickbot is popular because of its versatility and its track record of success in previous attacks. Even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organizations must ensure they have robust security systems in place to prevent their networks being compromised and minimise risks. Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails which spread Trickbot and other malware.
Check Point Research also warns that “Web Server Exposed Git Repository Information Disclosure” is the most common exploited vulnerability, impacting 48% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impact 46% of organizations worldwide. “MVPower DVR Remote Code Execution” is third place in the top exploited vulnerabilities list, with a global impact of 45%.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
This Month, Trickbot ranks as most popular malware impacting 3% of organizations globally, closely followed by XMRig and Qbot which also impacted 3% of organizations worldwide respectively.
- ↑ Trickbot – Trickbot is a dominant botnet and banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purpose campaigns.
- ↑ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
- ↑ Qbot – Qbot is a banking Trojan that first appeared in 2008, designed to steal users banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques, to hinder analysis and evade detection.
- ↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
- ↓ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
- ↑ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
- ↓ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
- ↑ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
- ↔ RigEK– RigEK delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
- ↑ Floxif – Floxif is an info stealer and backdoor, designed for Windows OS. It was used in 2017 as part of a large scale campaign in which attackers inserted Floxif (and Nyetya) into the free version of CCleaner (a cleanup utility) thus infecting more than 2 million users, amongst them large tech companies such as Google, Microsoft, Cisco, and Intel.
Top exploited vulnerabilities
This month “Web Server Exposed Git Repository Information Disclosure” is the most common exploited vulnerability, impacting 48% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impact 46% of organizations worldwide. “MVPower DVR Remote Code Execution” is third place in the top exploited vulnerabilities list, with a global impact of 45%.
- ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability that has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
- ↓ MVPower DVR Remote Code Execution – A remote code execution vulnerability which exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
- ↓ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
- ↓ Command Injection Over HTTP Payload (CVE-2013-6719,CVE-2013-6720) – A command Injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↔ SQL Injection (different techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
- ↔ Draytek Vigor Command Injection (CVE-2020-8515) – A command injection vulnerability exists in Draytek Vigor. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↑ PHP DIESCAN information disclosure (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
- ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass – An information disclosure vulnerability that has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
- ↔ PHP php-cgi query string parameter code execution (CVE-2012-1823,CVE-2012-2311,CVE-2012-2335,CVE-2012-2336,CVE-2013-4878) – A remote code execution vulnerability that has been reported in PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
Top mobile malwares
This month, Hiddad holds 1st place in the most prevalent mobile malware, followed by xHelper and FurBall.
- Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
- xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstall itself in case it was uninstalled.
- FurBall – FurBall is an Android MRAT (Mobile Remote Access Trojan) which is deployed by APT-C-50, an Iranian APT group connected to the Iranian government. This malware was used in multiple campaigns dating back to 2017 and is still active today. FurBall’s capabilities includes stealing SMS messages, call logs, surround recording, call recording, media files collection, location tracking, and more.