Check Point’s researchers find sharp increase in attacks using new version of Agent Tesla capable of stealing Wi-Fi passwords, while Dridex banking trojan is most common threat
Our latest Global Threat Index for April 2020 has found several COVID-19 related spam campaigns distributing a new variant of the Agent Tesla remote access trojan, moving it up to 3rd place in the Index, impacting 3% of organizations worldwide.
The new variant of Agent Tesla has been modified to steal Wi-Fi passwords in addition to other information – such as Outlook email credentials – from target PCs. During April, Agent Tesla was distributed as an attachment in several malicious COVID-19 related spam campaigns, which attempt to lure the victim into downloading malicious files under the cover of providing interesting information about the pandemic. One of these campaigns claimed to be sent by the World Health Organization with the subject ‘URGENT INFORMATION LETTER: FIRST HUMAN COVID-19 VACCINE TEST/RESULT UPDATE.’ This highlights how hackers will exploit global news events and public concerns to increase their attack success rates.
The well-known banking trojan Dridex, which entered the Threat Index top ten for the first time in March, had an even greater impact in April. It moved up to 1st place in the index from 3rd last month, impacting 4% of organizations worldwide. XMRig, March’s most prevalent malware, dropped to second place.
Agent Tesla is a very advanced RAT, which can exfiltrate credentials from a range of common software, as well as logging user’s keyboard input and taking screenshots, so its impact can be truly catastrophic. With both Agent Tesla and Dridex in the top three of the threat index, criminals are focusing on stealing users’ personal and business data and credentials so that they can monetize them. So it’s essential that organizations take a proactive and dynamic approach to user education, keeping their staff informed of the latest tools and techniques, particularly as more staff are now working from home.
The research team also warns that “MVPower DVR Remote Code Execution” remained the most common exploited vulnerability, though its impact increased to cover 46% of organizations globally. This was closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%, followed by “Command Injection Over HTTP Payload” impacting 40% of organizations worldwide.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
This month Dridex rises to 1st place, impacting 4% of organizations globally, followed by XMRig and Agent Tesla impacting 4% and 3% of organizations worldwide respectively.
- ↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
- ↓ XMRig – XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in the wild in May 2017.
- ↑ Agent Tesla – Agent Tesla an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- ↓ Jsecoin – Jsecoin is a web-based Crytpo miner designed to perform online mining of Monero cryptocurrency when a user visits a particular webpage. The implaned JavaScript uses a large amount of the end user machines’ computational resources to mine coins, thus impacting the system performance.
- ↓ Trickbot – Trickbo is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purposed campaigns.
- ↑ Ramnit – Ramnit is banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
- ↔ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
- ↑ XHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user, and reinstalls itself when it is uninstalled.
- ↓ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet was once employed as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malware.
- ↓ RigEK – RigEK delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript which checks for vulnerable plug-ins and delivers the exploit.
Top exploited vulnerabilities
This month “MVPower DVR Remote Code Execution” was the most common exploited vulnerability, impacting 46% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%. In 3rd place the “Command Injection Over HTTP Payload” vulnerability impacted 40% of organizations worldwide, mostly seen in attacks exploiting a zero-day vulnerability in “DrayTek” routers and switch devices (CVE-2020-8515).
- ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
- ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulernability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
- ↑ Command Injection Over HTTP Payload – A command injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561)– An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
- ↑ SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
- ↑ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
- ↑WordPress portable-phpMyAdmin Plugin Authentication Bypass – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
- ↓ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
- ↑ OpenSSL Padding Oracle Information Disclosure – An information disclosure vulnerability exists in the AES-NI implementation of OpenSSL. The vulnerability is due to memory allocation miscalculation during a certain padding check. A remote attacker can exploit this vulnerability to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session.
- ↑ Joomla Object Injection Remote Command Execution – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
Top malware families- Mobile
This month xHelper is still holding 1st place as the most prevalence Mobile malware, followed by Lotoor and AndroidBauts
- xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user, and reinstalls itself if it is uninstalled.
- Lotoor – Lotoor is a hacking tool which exploits vulnerabilities on the Android operating system to gain root privileges on compromised mobile devices.
- AndroidBauts – AndroidBauts is an Adware that targets Android users. It exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.