April 2021’s Most Wanted Malware: Dridex Remains in Top Position Amidst Global Surge in Ransomware Attacks
Check Point Research reports that the Dridex trojan, which is often used in the initial stages of ransomware attacks, is the most prevalent malware for the second month running
Our latest Global Threat Index for April 2021 has revealed that for the first time, AgentTesla has ranked second in the Index, while the established Dridex trojan is still the most prevalent malware, having risen to the top spot in March after being seventh in February.
This month, Dridex, a Trojan that targets the Windows platform, spread via QuickBooks Malspam Campaign. The phishing emails used QuickBooks’s branding and were trying to lure the user with fake payment notifications and invoices. The email content asked to download a malicious Microsoft Excel attachment that could cause the system to be infected with Dridex. This malware is distributed via malicious email spam attachments, and is often used as the initial infection stage in ransomware operations where hackers will encrypt an organization’s data and demand a ransom in order to decrypt it. Increasingly, these hackers are using double extortion methods, where they will steal sensitive data from an organization and threaten to release it publicly unless a payment is made. CPR reported in March that ransomware attacks had seen a 57% increase in the beginning of 2021, but this trend has continued to spike and has completed a 107% increase from the equivalent period last year. Most recently, Colonial Pipeline, a major US fuel company, was the victim of such an attack and in 2020, it’s estimated that ransomware cost businesses worldwide around $20 billion – a figure that’s nearly 75% higher than in 2019.
For the first time, AgentTesla ranked in 2nd place in the top malware list. AgentTesla is an advanced RAT (remote access Trojan) that has been active since 2014 and functions as a keylogger and password stealer. This RAT can monitor and collect the victim’s keyboard input and system clipboard, and can record screenshots and exfiltrate credentials entered for a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). This month there is an increase in AgentTesla campaigns, which spread via malspam. The email content is asking to download a file (it can be any file type) that could cause the system to be infected with Agent Tesla.
CPR researchers say that while there is a huge increase in ransomware attacks worldwide, it is no surprise that this month’s top malware is related to the trend. Organizations must ensure they have robust security systems in place to prevent their networks being compromised and prevent risks of ransomware. Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails that spread Dridex, and other malware, as this is how many ransomware exploits start.
CPR also revealed that “Web Server Exposed Git Repository Information Disclosure” is the most common exploited vulnerability, impacting 46% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impact 45.5% of organizations worldwide. “MVPower DVR Remote Code Execution” ranks in third place in the top exploited vulnerabilities list, with a global impact of 44%.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
This Month, Dridex is still the most popular malware with a global impact of 15% of organizations, followed by Agent Tesla and Trickbot impacting 12% and 8% of organizations worldwide respectively.
- ↔ Dridex – Dridex is a Trojan that targets the Windows platform, distributed mostly via malicious spam attachments. Dridex contacts a remote server, sends information about the infected system and can also download and execute arbitrary modules on command. Dridex infections often serve as initial footholds in company-wide Ransomware attacks.
- ↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine, including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client.
- ↑ Trickbot – Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
- ↑ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
- ↔ Qbot – Qbot is a banking Trojan that first appeared in 2008, designed to steal users banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques, to hinder analysis and evade detection.
- ↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
- ↑ Nanocore – NanoCore is a Remote Access Trojan, which feature base plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
- ↑ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
- ↑ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
- ↑ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
*The top malware per country (Access program) is attached.
Top exploited vulnerabilities
This month “Web Server Exposed Git Repository Information Disclosure” is the most common exploited vulnerability, impacting 46% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impact 45.5% of organizations worldwide. “MVPower DVR Remote Code Execution” is in third place in the top exploited vulnerabilities list, with a global impact of 44%.
- ↑ Web Server Exposed Git Repository Information Disclosure – information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
- ↓ HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
- ↓ MVPower DVR Remote Code Execution – remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
- ↓ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
- ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638,CVE-2017-5638,CVE-2019-0230) – remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
- ↓ Command Injection Over HTTP Payload (CVE-2013-6719,CVE-2013-6720) – A command Injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↔ SQL Injection (different techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
- ↑ Linux System Files Information Disclosure (CVE-2015-2746,CVE-2018-10093,CVE-2018-3948,CVE-2018-3948) – Linux operating system contains system files with sensitive information. If not properly configured, remote attackers can view the information on such files.
- ↑ NoneCMS ThinkPHP Remote Code Execution – A remote code execution vulnerability exists in NoneCMS ThinkPHP framework. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
Top Mobile Malwares
This month xHelper takes first place in the most prevalent Mobile malware, followed by Triada and Hiddad.
- xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user, and can reinstall itself in case it was uninstalled.
- Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware.
- Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.