March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance

Check Point Research reveals that Emotet remains the number one most prevalent malware, while Agent Tesla moves from fourth to second place after several mal-spam campaigns

Our latest Global Threat Index for March 2022 reveals that Emotet is continuing its reign as the most popular malware, impacting 10% of organizations worldwide, double that of February. Emotet is an advanced, self-propagating and modular trojan that uses multiple methods for maintaining persistence and evasion techniques to avoid detection. Since its return in November last year and the recent news that Trickbot has shut down, Emotet has been strengthening its position as the most prevalent malware. This was solidified even further this month as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities. These emails were sent to victims all over the world with one such example using the subject “buona pasqua, happy easter” yet attached to the email was a malicious XLS file to deliver Emotet.

This month, Agent Tesla, the advanced remote access trojan (RAT) functioning as a keylogger and information stealer, is the second most prevalent malware, after appearing fourth in last month’s index. Agent Tesla’s rise is due to several new mal-spam campaigns delivering the RAT via malicious xlsx/pdf files worldwide. Some of these campaigns have leveraged the Russia/Ukraine war to lure victims.

Technology has advanced in recent years to such a point where cybercriminals are increasingly having to rely on human trust in order to get through to a corporate network. By theming their phishing emails around seasonal holidays such as Easter, they are able to exploit the buzz of the festivities and lure victims into downloading malicious attachments that contain malwares such as Emotet. In the run up to the Easter weekend, we expect to see more of these scams and urge users to pay close attention, even if the email looks like it’s from a reputable source. Easter isn’t the only public holiday and cybercriminals will continue to deploy the same tactics to inflict harm. This month we also observed Apache Log4j becoming the number one most exploited vulnerability again. Even after all the talk about this vulnerability at the end of last year, it is still causing harm months after the initial detection. Organizations need to take immediate action to prevent attacks from happening.

We also revealed this month that the Education/Research is still the number one most attacked industry globally, followed by Government/Military and Internet Service Providers/Managed Service Providers (ISP/MSP). “Web Server Exposed Git Repository Information Disclosure” is now the second most commonly exploited vulnerability, impacting 26% of organizations worldwide, while “Apache Log4j Remote Code Execution” takes the top spot, impacting 33% of organizations. “HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756)” keeps a hold of third place with a global impact of 26%.

Examples of Easter-themed phishing emails

Figure 1 Example of Easter Phishing Email

Figure 2 Example of an Easter Phishing Email sent to various countries

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

This month, Emotet is still the most popular malware with a global impact of 10% of organizations worldwide, followed by Agent Tesla and XMRig both impacting 2% of organizations each.

1. ↔ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
2. ↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
3. ↑ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild May 2017.
4. ↓ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
5. ↑ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
6. ↑ Mirai – The Mirai botnet first surfaced in September 2016. Mirai is an infamous Internet-of-Things (IoT) malware that tracks vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks.
7. ↑ Phorpiex – Phorpiex is a botnet (aka Trik) that has been around since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
8. ↑ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
9. ↑ Tofsee – Tofsee is a Trickler that targets the Windows platform. This malware attempts to download and execute additional malicious files on target systems. It may download and display an image file to a user in an effort to hide its true purpose.
10. ↑ Nanocore- Nanocore is a RAT, that was first observed in the wild in 2013 and targets Windows operating system users. All versions of the RAT feature base plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.

Top Attacked Industries Globally

This month Education/Research is the number one most attacked industry globally, followed by Government/Military and ISP/MSP.

1. Education/Research
2. Government/Military
3. ISP/MSP

Top Exploited Vulnerabilities

This month “Apache Log4j Remote Code Execution” is the most commonly exploited vulnerability, impacting 33% of organizations globally, followed by “Web Server Exposed Git Repository Information Disclosure” which dropped from first place to second place and impacts 26% of organizations worldwide. “HTTP Headers Remote Code Execution” is still in third place in the top exploited vulnerabilities list, with a global impact of 26%.

1. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
2. ↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
3. ↔HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
4. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260)– There exists a directory traversal vulnerability On different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
5. ↓ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
6. ↑ D-LINK Multiple Products Remote Code Execution (CVE-2015-2051) – A remote code execution vulnerability has been reported in multiple D-Link products. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
7. ↓ PHP Easter Egg Information Disclosure – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
8. ↔ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
9. ↑ Linux System Files Information Disclosure (CVE-2018-3948,CVE-2018-3948,CVE-2022-23119) – Linux operating system contains system files with sensitive information. If not properly configured, remote attackers can view the information on such files.
10. ↔ PHPUnit Command Injection (CVE-2017-9841) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.

Top Mobile Malwares

This month AlienBot is the most prevalent mobile malware, followed by xHelper and FluBot.

1. AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, at a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.
2. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstalling itself if uninstalled.
3. FluBot– FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading contact lists, as well as sending SMS messages to other phone numbers.