March 2021’s Most Wanted Malware: IcedID Banking Trojan Enters Top 10 Following Covid-Related Campaign

Check Point Research reports that IcedID has entered the global malware index for the first time, taking second place, after exploiting the Covid-19 pandemic to lure new victims

Check Point Research’s (CPR) latest Global Threat Index for March 2021 has revealed that the banking trojan IcedID has entered the Index for the first time, taking second place, while the established Dridex trojan was the most prevalent malware during March, up from seventh position in February.

First seen in 2017, IcedID has been spreading rapidly in March via several spam campaigns, impacting 11% of organizations globally. One widespread campaign used a COVID-19 theme to entice new victims into opening malicious email attachments. The majority of these attachments are Microsoft Word documents with a malicious macro used to insert an installer for IcedID. Once installed, the trojan then attempts to steal account details, payment credentials, and other sensitive information from users’ PCs.  IcedID also uses other malware to proliferate, and has been used as the initial infection stage in ransomware operations.

The fact that IcedID has recently been used widely despite first being discovered nearly four years ago shows that cyber-criminals are continuing to adapt their techniques to exploit organizations, using the pandemic as a guise.  IcedID is a particularly evasive trojan that uses a range of techniques to steal financial data, so organizations must ensure they have robust security systems in place to prevent their networks being compromised and minimize risks.

Dridex tops the index for March, impacting 16% of organizations worldwide. Dridex is reportedly downloaded via a spam email attachment, and works by contacting a remote server and sending information about the infected system. It can also download and execute new malicious code received from remote servers.

Check Point Research also warns that “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most common exploited vulnerability, impacting 45% of organizations globally, followed by “MVPower DVR Remote Code Execution” which impact 44% of organizations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is on the third place in the top exploited vulnerabilities list, with a global impact of 44%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This Month, Dridex is the most popular malware with a global impact of 16% of organizations, followed by IcedID and Lokibot impacting 11% and 9% of organizations worldwide respectively.

  1. ↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
  2. IcedID – IcedID is a banking Trojan spread by mail spam campaigns and uses evasive techniques like process injection and steganography to steal user financial data.
  3. ↑ Lokibot – Lokibot is an Info Stealer distributed mainly by phishing emails, and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.
  4. ↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
  5. Qbot – Qbot is a banking Trojan that first appeared in 2008, designed to steal users banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques, to hinder analysis and evade detection.
  6. Trickbot – Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  7. XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in the wild in May 2017.
  8. Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  9. ↑ Ursnif – Ursnif is a Trojan that targets the Windows platform and steals information and credentials for banking and email accounts. Moreover, it downloads and executes files on the infected system.
  10. Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.

Top exploited vulnerabilities

This month “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most common exploited vulnerability, impacting 45% of organizations globally, followed by “MVPower DVR Remote Code Execution” which impacts 44% of organizations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is in third place with a global impact of 44%.

  1. ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
  2. ↑ MVPower DVR Remote Code Execution – remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  3. Dasan GPON Router Authentication Bypass (CVE-2018-10561) – authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  4. Web Server Exposed Git Repository Information Disclosure – information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  5. ↔ Command Injection Over HTTP Payload (CVE-2013-6719,CVE-2013-6720) – command Injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  6. ↑ Command Injection Over HTTP – command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  7. SQL Injection (different techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  8. ↑ PHP php-cgi query string parameter code execution (CVE-2012-1823,CVE-2012-2311,CVE-2012-2335,CVE-2012-2336,CVE-2013-4878) – remote code execution vulnerability has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation would allow an attacker to execute arbitrary code on the target.
  9. ↑ Apache Struts2 Content-Type Remote Code Execution – remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  10. Draytek Vigor Command Injection (CVE-2020-8515) – command injection vulnerability exists in Draytek Vigor. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

Top Mobile Malware

This month Hiddad took first place in the most prevalent mobile malwares, followed by xHelper and FurBall.

  1. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  2. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display ads. The application is capable of hiding itself from the user, and reinstall itself after being uninstalled.
  3. FurBall – FurBall is an Android MRAT (Mobile Remote Access Trojan) which is deployed by APT-C-50, an Iranian APT group connected to the Iranian government. This malware was used in multiple campaigns dating back to 2017, and is still active today. Among FurBall’s capabilities are; stealing SMS messages and mobile call logs, recording calls and surroundings, collecting media files, tracking locations, and more.