Google Alert – IT News Online – Check Point: Coronavirus-Themed Spam Spreads Emotet Malware in January 2020 (Network Hacking)

IT News Online Staff
2020-02-14

Check Point Research, the Threat Intelligence arm of Check Point Software, has published its latest Global Threat Index for January 2020. The research team reported that Emotet was the leading malware threat for the fourth month running and was being spread during the month using a Coronavirus-themed spam campaign.




The most prominent Coronavirus-themed campaign targeted Japan, distributing Emotet in malicious email attachments feigning to be sent by a Japanese disability welfare service provider. The emails appear to be reporting where the infection is spreading in several Japanese cities, encouraging the victim to open the document which, if opened, attempts to download Emotet on their computer. Emotet is primarily used as a distributor of ransomware or other malicious campaigns.

The January report also identified a malicious Lokibot sample, the 8th most popular malware this month, targeting Indonesia, with emails sent about how people in Indonesia can best protect themselves against the virus. Alongside the malicious Coronavirus spam campaigns, which the company expects to become even more widely spread over the coming days, the research shows there has also been a surge in scam websites using Coronavirus in their domain names, allegedly selling vaccinations against the virus.
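The surge in scam sites carrying the outbreak theme in their domain names is the kind of signal a resolver or proxy log can surface cheaply. The following is an added example, not code from the report or from Check Point: it scans constructed DNS query log lines for names containing theme keywords, with a small allow-list for legitimate domains that carry the same words. The log format, keyword list and allow-list are all assumptions to be tuned to local telemetry.

```python
import re

# Constructed sample resolver log lines (timestamp, client, record type, queried name).
# These are made up for illustration and are not from the Check Point report.
SAMPLE_DNS_LOG = """\
2020-01-28T09:12:01Z 10.0.1.15 A www.example.com
2020-01-28T09:12:07Z 10.0.1.15 A coronavirus-vaccine-shop.example
2020-01-28T09:13:44Z 10.0.2.8 A buy-corona-virus-cure.example
2020-01-28T09:14:02Z 10.0.3.21 A cdn.legit-news.example
2020-01-28T09:15:30Z 10.0.1.15 A coronavirus.health-ministry.example
2020-01-28T09:16:11Z 10.0.2.8 A covid19-test-kits.example
"""

# Keywords matching the outbreak-themed lure domains the report describes.
# The exact list is an assumption; extend it from your own observations.
THEME_KEYWORDS = ("corona", "covid", "ncov")

# Assumed allow-list of registrable domains that legitimately use the theme
# (official health sites), so they are not reported as lures.
ALLOWLIST = {"health-ministry.example"}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<rtype>\S+)\s+(?P<qname>\S+)$")


def registrable_domain(qname):
    # Naive "last two labels" rule; a production version would consult the
    # Public Suffix List so that names like foo.co.uk are handled correctly.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def is_theme_lure(qname):
    # Case-insensitive substring match on the full queried name, after
    # exempting allow-listed registrable domains.
    name = qname.lower()
    if registrable_domain(name) in ALLOWLIST:
        return False
    return any(keyword in name for keyword in THEME_KEYWORDS)


def flag_theme_domains(log_text):
    # Returns (client, queried name) pairs that matched, in log order.
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole scan
        if is_theme_lure(match["qname"]):
            hits.append((match["client"], match["qname"]))
    return hits


def hits_per_client(log_text):
    # Aggregates matches by source address so repeat visitors stand out.
    counts = {}
    for client, _ in flag_theme_domains(log_text):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, qname in flag_theme_domains(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}")
    print(hits_per_client(SAMPLE_DNS_LOG))
```

A keyword hit on its own is only a triage signal; pairing it with domain registration age or a reputation feed is what turns it into a blockable finding, and the allow-list keeps genuine public-health sites out of the queue.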

January also saw an increase in attempts to exploit the “MVPower DVR Remote Code Execution” vulnerability, impacting 45 percent of organizations globally. This rose from being the second most exploited vulnerability in December to the top position this month. A remote attacker who successfully exploits this weakness can execute arbitrary code on the targeted machine.

“As with last month, the ‘most wanted’ malicious threats impacting organizations continue to be versatile malware such as Emotet, XMRig and Trickbot, which collectively hit over 30 percent of organizations worldwide,” said Maya Horowitz, Director, Threat Intelligence and Research, Products, Check Point. “Businesses need to ensure their employees are educated about how to identify the types of topical spam emails that are typically used to propagate these threats, and deploy security that actively prevents these threats from infecting their networks and leading to ransomware attacks or data exfiltration.”

January 2020’s Top 10 ‘Most Wanted’ Malware:

(The arrows relate to the change in rank compared to the previous month.)

This month the top three malware families remained as in the previous month: Emotet retains 1st place, impacting 13 percent of organizations globally, followed by XMRig and Trickbot, impacting 10 percent and 7 percent of organizations worldwide, respectively.

↔ Emotet: Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently has been used as a distributor to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It can also spread through phishing spam emails containing malicious attachments or links.

↔ XMRig: XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.

↔ Trickbot: Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This makes Trickbot a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.

↔ Agent Tesla: Agent Tesla is an advanced RAT functioning as a keylogger and a password stealer. Agent Tesla is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots and exfiltrating credentials belonging to a variety of software on victims’ machines (including Google Chrome, Mozilla Firefox and Microsoft Outlook).

↑ Formbook: Formbook is an info-stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.

↔ Ramnit: Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.

↑ Vidar: Vidar is an info-stealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar has been sold on various online forums and used as a malware dropper that downloads GandCrab ransomware as its secondary payload.

↓ Lokibot: Lokibot is an info-stealer distributed mainly by phishing emails and is used to steal data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.

↑ Hawkeye: Hawkeye is an info-stealer malware, designed primarily to steal users’ credentials from infected Windows platforms and deliver them to a C&C server. In the past years, Hawkeye has gained the ability to take screenshots, spread via USB and more in addition to its original functions of email and web browser password stealing and keylogging. Hawkeye is often sold as a MaaS (Malware as a Service).

↔ xHelper: xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and reinstalling itself if uninstalled.

January’s Top 3 ‘Most Wanted’ Mobile Malware:

xHelper retains its 1st place in the most prevalent mobile malware, followed by Guerilla and AndroidBauts.

↔ xHelper: A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and reinstalling itself if it is uninstalled.

↔ Guerrilla: An Android Trojan found embedded in multiple legitimate apps that is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.

↑ AndroidBauts: Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.

January’s ‘Most Exploited’ vulnerabilities:

The “MVPower DVR Remote Code Execution” was the most commonly exploited vulnerability, impacting 45 percent of organizations globally, followed by “Web Server Exposed Git Repository Information Disclosure” with an impact of 44 percent and the “PHP DIESCAN information disclosure” vulnerability impacting 42 percent.

↑ MVPower DVR Remote Code Execution: A remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code on the affected device via a crafted request.

↑ Web Server Exposed Git Repository Information Disclosure: An information disclosure vulnerability reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.

↑ PHP DIESCAN information disclosure: An information disclosure vulnerability reported in the PHP pages. Successful exploitation can lead to disclosure of sensitive information from the server.

↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561): An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.

↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346): An information disclosure vulnerability in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638): A remote code execution vulnerability in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.

↓ SQL Injection (several techniques): Injecting SQL query fragments into input sent from the client to the application, exploiting a security vulnerability in the application’s software.
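The definition above describes the class of flaw; what makes an application vulnerable is building the query text out of client input. The following added example (not from the report or from Check Point) shows a login check written both ways against a constructed in-memory SQLite table, so the difference between string concatenation and parameterized placeholders can be exercised directly. The table contents and credentials are made up.

```python
import sqlite3


def make_db():
    # In-memory database with a constructed users table (sample data, not from the report).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Builds the statement by concatenation: whatever the client sends becomes
    # part of the SQL text, so quotes and keywords in the input change the query.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders keep the input as bound data: the driver never parses it as
    # SQL, so a quote or keyword in the input is compared literally.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(username, password):
    # Runs the same credentials through both implementations on fresh databases
    # and returns (vulnerable_result, parameterized_result).
    return (
        login_vulnerable(make_db(), username, password),
        login_parameterized(make_db(), username, password),
    )


if __name__ == "__main__":
    print("valid credentials:", compare("alice", "s3cret"))
    print("wrong password:", compare("alice", "wrong"))
    # A textbook tautology in the password field: the concatenated query
    # accepts it, the parameterized query treats it as a literal string.
    print("tautology input:", compare("nobody", "' OR '1'='1"))
```

Parameterization is the mitigation the list item points at; storing password hashes rather than plaintext, as this toy table does, is a separate control that limits what an injection could disclose even where a query is still built unsafely.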

↓ Command Injection Over HTTP: A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation allows the attacker to execute arbitrary code on the target machine.

↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469): An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.

↓ D-Link DSL-2750B Remote Command Execution: A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.

Article source at http://www.itnewsonline.com/news/Check-Point-Coronavirus-Themed-Spam-Spreads-Emotet-Malware-in-January-2020/1134/11/3