January 2020’s Most Wanted Malware: Coronavirus-themed Spam Spreads Emotet Malware

Check Point’s researchers also report an increase in exploits the ‘MVPower DVR Remote Code Execution’ vulnerability, impacting 45% of organisations globally 

The Threat Intelligence arm of Check Point® Software Technologies Ltd. has published its latest Global Threat Index for January 2020. The research team reported that Emotet was the leading malware threat for the fourth month running, and was being spread during the month using a Coronavirus-themed spam campaign.

The emails appear to be reporting where Coronavirus is spreading, or offering more information about the virus, encouraging the victim to open the attachments or click the links which, if opened, attempt to download Emotet on their computer. Emotet is primarily used as a distributor of ransomware or other malicious campaigns.

January also saw an increase in attempts to exploit the ‘MVPower DVR Remote Code Execution’ vulnerability, impacting 45% of organisations globally. This rose from being the third most exploited vulnerability in December to the top position this month. If successfully exploited, a remote attacker can exploit this weakness to execute arbitrary code on the targeted machine.

“As with last month, the ‘most wanted’ malicious threats impacting organizations continue to be versatile malware such as Emotet, XMRig and Trickbot, which collectively hit over 30% of organisations worldwide,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “Businesses need to ensure their employees are educated about how to identify the types of topical spam emails that are typically used to propagate these threats, and deploy security that actively prevents these threats from infecting their networks and leading to ransomware attacks or data exfiltration.”

January 2020’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

Emotet is holding the 1st place impacting 13% of organisations globally, followed by XMRig and Trickbot impacting 10% and 7% of organisations worldwide respectively.

1. ↔ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet used to be primarily a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence, and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
2. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
3. ↔ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customisable malware that can be distributed as part of multi purposed campaigns.

January’s Top 3 ‘Most Wanted’ Mobile Malware:

xHelper retains its 1st place in the most prevalent mobile malware, followed by Guerilla and AndroidBauts.

1. ↔ xHelper- A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user, and reinstalling itself if it is uninstalled.
2. ↔ Guerrilla – An Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
3. ↑ AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.

January’s ‘Most Exploited’ vulnerabilities:

The “MVPower DVR Remote Code Execution” was the most common exploited vulnerability, impacting 45% of organisations globally, followed by “Web Server Exposed Git Repository Information Disclosure” with an impact of 44% and the “PHP DIESCAN information disclosure” vulnerability impacting 42%.

1. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
2. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
3. ↑ PHP DIESCAN information disclosure – An information disclosure vulnerability reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.