The notorious Emotet Trojan is back on peak of the malware graphs, having had a makeover designed to make it more effective at escaping detection.
Check Point’s newly released International Threat Index for December 2020 disclosed that the malware variant bounced straight back from fifth place in November.
It currently accounts for 7% of malware infections internationally after a spam campaign targeted over 100,000 users per day over the holiday period, the security vendor claimed. Emotet is closely followed by fellow modular Trojan Trickbot and info-stealer Formbook, equally on 4%.
“It’s now been updated with new malicious payloads and enhanced detection evasion capacities: the latest version creates a dialogue box, which assists it to prevent detection from users,” explained Check Point.
“The brand new malicious spam campaign uses different delivery techniques to spread Emotet, including embedded links, document attachments, or password-protected Zip files.”
Emotet and Trickbot have been frequently utilized in conjunction by ransomware groups to gain an initial foothold into networks. Attackers can then pick and choose which victims to proceed after with”hands-on-keyboard” multi-staged strikes.
In reality, a new report detailing the activities of this Ryuk version recommended among the best ways for organizations to mitigate the threat would be to prevent initial infection by malware like Emotet.
The focus therefore should be on email security with anti-phishing capabilities and improved end-user awareness training, though defense-in-depth is preferable, such as two-factor authentication and prompt patching to decrease the attack surface farther.
“Emotet was originally developed as banking malware which sneaked to users’ computers to steal sensitive and private information. But it has evolved over the years and is now seen as one of the most costly and destructive malware variants,” said Maya Horowitz, director of threat research & intelligence, goods at Check Point.
“It’s critical that organizations know about the threat Emotet presents and that they have strong security methods in place to protect against a significant breach of the data. They should also offer comprehensive training for workers so that they can spot the kinds of malicious emails that spread Emotet.”
Top malware families
*The arrows relate to the change in rank compared to the previous month.
This Month, Emotet remains the most popular malware with a global impact of 7% of organizations, closely followed by Trickbot and Formbook – which impacted 4% of organizations worldwide, each.
- ↑ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and Evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
- ↑ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
- ↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
Top exploited vulnerabilities
This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 42% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impact 42% of organizations worldwide. “Web Server Exposed Git Repository Information Disclosure” is on the third place in the top exploited vulnerabilities list, with a global impact of 41%.
- ↑ MVPower DVR Remote Code Execution – remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
- ↓ HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
- ↑ Web Server Exposed Git Repository Information Disclosure – information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
Top mobile malware
This month, Hiddad holds 1st place in the most prevalent mobile malware, followed by xHelper and Triada.
- Hiddad – Hiddad is an Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
- xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and reinstall itself in case it was uninstalled.
- Triada – Modular Backdoor for Android which grants superuser privileges to downloaded malware.
The complete list of the top 10 malware families in December can be found on the Check Point Blog.