SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
September’s top malware, Emotet botnet strikes again – Check Point
Mon, 14th Oct 2019

Check Point Research has published its latest Global Threat Index for September 2019.

The research team is warning organisations that the Emotet botnet has started spreading several new spam campaigns once again, after a three-month break.

Researchers first reported that the notorious botnet had gone quiet in June 2019, and that its offensive infrastructure had become active again in August.

Some of the Emotet spam campaigns featured emails which contained a link to download a malicious Word file, and some contained the malicious document itself.

When opened, the file lures the victim into enabling the document's macros, which then install the Emotet malware on the victim's computer.

Emotet was the fifth most prevalent malware globally in September.

"It's not clear why the Emotet botnet was dormant for 3 months, but we can assume that the developers behind it were updating its features and capabilities," says Check Point threat intelligence - research products director Maya Horowitz.

"It's essential that organisations warn employees about the risks of phishing emails, and of opening email attachments or clicking on links that do not come from a trusted source or contact."

She adds, "They should also deploy the latest generation anti-malware solutions that can automatically extract suspicious content from emails before it reaches end-users."

September 2019's Top 3 'Most Wanted' Malware:

*The arrows relate to the change in rank compared to the previous month.

This month, the Jsecoin cryptominer leads the top malware list, impacting 8% of organisations worldwide.

XMRig is the second most popular malware, followed by AgentTesla, both with a global impact of 7%.

1. ↑ Jsecoin – Jsecoin is a JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.

2. ↓ XMRig – XMRig is open source CPU mining software used to mine the Monero cryptocurrency, and was first seen in the wild in May 2017.

3. ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

September's Top 3 'Most Wanted' Mobile Malware:

This month Lotoor is the most prevalent mobile malware, followed by AndroidBauts and Hiddad.

1. Lotoor – A hacking tool that exploits vulnerabilities in the Android operating system in order to gain root privileges on compromised mobile devices.

2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information, and allows the installation of third-party apps and shortcuts on mobile devices.

3. Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

September's 'Most Exploited' vulnerabilities:

This month, the MVPower DVR Remote Code Execution vulnerability leads the top exploited vulnerabilities list with a global impact of 37%.

The Linux System Files Information Disclosure vulnerability is second, closely followed by the Web Server Exposed Git Repository Information Disclosure, with both impacting 35% of organisations around the world.

1. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

2. ↑ Linux System Files Information Disclosure – The Linux operating system contains system files with sensitive information. If not properly configured, remote attackers can view the information in such files.

3. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.

Check Point's Global Threat Impact Index and its ThreatCloud Map are powered by Check Point's ThreatCloud intelligence.

The ThreatCloud database holds over 250 million addresses analysed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.