October 2019’s Most Wanted Malware: the Decline of Cryptominers Continues, as Emotet Botnet Expands Rapidly
November 2019 by Check Point
Check Point Research has published its latest Global Threat Index for October 2019. The research team reported that for the first time in almost two years, cryptomining malware no longer tops the ‘most wanted’ list.
Cryptominers’ usage has been declining steadily since peaking in early 2018. In January and February of 2018, over 50% of organizations globally were impacted by cryptominers, falling to 30% of organizations in January 2019. In October 2019, cryptominers impacted just 11% of organizations worldwide.
October’s most wanted malware was the Emotet botnet, up from 5th place in September and impacting 14% of organizations globally. At the end of the month, Emotet was spreading a Halloween-themed spam campaign. The emails had subjects such as “Happy Halloween” and “Halloween Party Invitation”, which included a malicious attachment with a Halloween-themed file name.
“The impact of cryptominers has declined nearly two-thirds during 2019, as shown by the fact that for the first time in almost two years, a cryptominer is not leading our ‘most wanted’ malware list. However, this month’s most prevalent malware, Emotet, is a severe threat. It is a highly advanced botnet which is used for distributing other types of malware – especially the infamous Ryuk ransomware,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.
“In September we saw that the Emotet botnet was reactivated after being dormant for three months, and it is spreading new campaigns rapidly. So it’s essential that organizations warn employees about the risks of phishing emails, and of opening email attachments or clicking on links that do not come from a trusted source or contact. They should also deploy latest generation anti-malware solutions that can automatically extract suspicious content from emails before they reach end-users.”
October 2019’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
For the first time in almost two years one of the Cryptominers is not the most popular malware. This month Emotet is leading the top malware list with a global impact of 14%. In second place, XMRig impacted 7% of organizations worldwide, closely followed by Trickbot impacting 6% of organizations.
1. ↑ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was formerly a banking Trojan, and recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
2. ↔ XMRig - XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
3. ↑ Trickbot - Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
October’s Top 3 ‘Most Wanted’ Mobile Malware:
This month Guerrilla is the most prevalence mobile malware, followed by Lotoor and AndroidBauts.
1. Guerrilla - An Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
2. Lotoor - Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
3. AndroidBauts - Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
October’s ‘Most Exploited’ vulnerabilities:
This month SQL injection techniques were the most common exploited vulnerability, impacting 36% of organizations globally. In second place OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability, closely followed by MVPower DVR Remote Code Execution - impacting 33% and 32% of organizations worldwide respectively.
1. ↑ SQL Injection (several techniques) - Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↓ MVPower DVR Remote Code Execution - A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.