January 2020’s Most Wanted Malware: Coronavirus-themed spam spreads malicious Emotet malware
Check Point’s researchers also report an increase in exploits of the ‘MVPower DVR Remote Code Execution’ vulnerability, impacting 45% of organizations globally
While the threat of Coronavirus grabs the attention of the world, our latest Global Threat Index for January 2020 shows cyber-criminals are also exploiting interest in the global epidemic to spread malicious activity, with several spam campaigns relating to the outbreak of the virus.
The most prominent Coronavirus-themed campaign targeted Japan, distributing Emotet – the leading malware type for the 4th month running – in malicious email attachments purporting to be sent by a Japanese disability welfare service provider. The emails appear to report where the infection is spreading in several Japanese cities, encouraging the victim to open the document which, if opened, attempts to download Emotet onto their computer.
The January report also identified a malicious Lokibot sample – the 8th most popular malware this month – targeting Indonesia, with emails about how people in Indonesia can best protect themselves against the virus. Alongside the malicious Coronavirus spam campaigns, which we expect to become even more widespread over the coming days, our research shows there has also been a surge in scam websites using Coronavirus in their domain names, allegedly selling vaccinations against the virus.
January also saw an increase in attempts to exploit the “MVPower DVR Remote Code Execution” vulnerability, impacting 45% of organizations globally. It rose from the 2nd most exploited vulnerability in December to the top position this month. “Web Server Git Repository Information Disclosure” follows closely behind, with a global impact of 44%, rising from 3rd position to 2nd position this month.
Over the past four months, the top threats have remained the same versatile, multi-purpose malware families, including Emotet, XMRig, and Trickbot. Collectively, these top three malware types impact 30% of organizations globally. These attacks can be extremely damaging, leaving organizations vulnerable to data theft, extortion or operational disruption. Employees should be educated about the risks of opening, downloading or clicking on external documents that do not come from trusted sources or contacts.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
This month the top three malware families remained as in the previous month – Emotet retains the 1st place impacting 13% of organizations globally, followed by XMRig and Trickbot impacting 10% and 7% of organizations worldwide respectively.
- ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently has been used as a distributor to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It can also spread through phishing spam emails containing malicious attachments or links.
- ↔ XMRig – XMRig is open-source CPU mining software used for mining the Monero cryptocurrency, first seen in the wild in May 2017.
- ↔ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This makes Trickbot a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.
- ↔ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and a password stealer. Agent Tesla is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software on victims’ machines (including Google Chrome, Mozilla Firefox and Microsoft Outlook).
- ↑ Formbook – Formbook is an infostealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
- ↔ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies, and personal data.
- ↑ Vidar – Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar has been sold on various online forums and used as a malware dropper that downloads GandCrab ransomware as its secondary payload.
- ↓ Lokibot – Lokibot is an infostealer distributed mainly by phishing emails, and is used to steal data such as email credentials, as well as passwords to cryptocurrency wallets and FTP servers.
- ↑ Hawkeye – Hawkeye is an infostealer malware, designed primarily to steal users’ credentials from infected Windows platforms and deliver them to a C&C server. In recent years, Hawkeye has gained the ability to take screenshots, spread via USB and more, in addition to its original functions of email and web browser password stealing and keylogging. Hawkeye is often sold as a MaaS (Malware as a Service).
- ↔ xHelper – xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user, and of reinstalling itself if uninstalled.
Top exploited vulnerabilities
This month “MVPower DVR Remote Code Execution” was the most commonly exploited vulnerability, impacting 45% of organizations globally, closely followed by “Web Server Exposed Git Repository Information Disclosure” with a global impact of 44%. In 3rd place was the “PHP DIESCAN information disclosure” vulnerability, impacting 42% of organizations worldwide.
- ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code on the affected device via a crafted request.
- ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability reported in exposed Git repositories. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
- ↑ PHP DIESCAN information disclosure – An information disclosure vulnerability reported in the PHP pages. Successful exploitation can lead to disclosure of sensitive information from the server.
- ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
- ↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
- ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
- ↓ SQL Injection (several techniques) – Inserting SQL query syntax into input sent from the client to the application, exploiting a security vulnerability in the application’s software.
- ↓ Command Injection Over HTTP – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation allows the attacker to execute arbitrary code on the target machine.
- ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
- ↓ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
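The second-ranked item above, an exposed Git repository on a web server, is one a defender can verify directly from access logs. The following is an added example, not part of Check Point's report: it parses constructed combined-format log lines, picks out requests for paths under /.git/, and flags sources to which the server actually returned repository metadata (a 2xx status), which is the condition that turns a probe into a disclosure. The log lines and IP addresses are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample access log lines (Apache/nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jan/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2020:10:01:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.64.0"
203.0.113.5 - - [14/Jan/2020:10:01:04 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "curl/7.64.0"
198.51.100.9 - - [14/Jan/2020:10:02:10 +0000] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "python-requests/2.22"
198.51.100.9 - - [14/Jan/2020:10:02:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any path component that is the .git directory itself or something beneath it.
GIT_PATH_RE = re.compile(r'/\.git(?:/|$)')


def find_git_probes(log_text: str) -> List[Dict[str, object]]:
    """Return every request for a path under /.git/, noting whether it was served.

    A 2xx status on /.git/HEAD or /.git/config means repository metadata was
    actually delivered, i.e. the exposure exists; a 403/404 means only a probe.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not GIT_PATH_RE.search(m['path']):
            continue
        hits.append({
            'ip': m['ip'],
            'ts': m['ts'],
            'path': m['path'],
            'status': m['status'],
            'exposed': m['status'].startswith('2'),
        })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, Dict[str, int]]:
    """Group probes by source IP and count how many were actually served content."""
    by_ip: Dict[str, Dict[str, int]] = {}
    for h in hits:
        entry = by_ip.setdefault(str(h['ip']), {'requests': 0, 'served': 0})
        entry['requests'] += 1
        entry['served'] += int(bool(h['exposed']))
    return by_ip


if __name__ == '__main__':
    for ip, counts in summarize(find_git_probes(SAMPLE_LOG)).items():
        print(ip, counts)
```

Any source with a non-zero `served` count means the web server is handing out the repository; the fix is to keep `.git` out of the document root or deny it in the server configuration, and to rotate any credentials the repository history contained.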
Top malware families – Mobile
This month xHelper retains its 1st place as the most prevalent mobile malware, followed by Guerrilla and AndroidBauts.
- xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user, and of reinstalling itself if uninstalled.
- Guerrilla – An Android Trojan found embedded in multiple legitimate apps that is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
- AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.