June 2019’s Most Wanted Malware: Emotet Takes a Break, but Possibly Not for Long
July 2019 by Check Point
Check Point’s researchers confirm the Emotet botnet infrastructure has been inactive for most of June, but may return with new capabilities
Check Point Research, the Threat Intelligence arm of Check Point, has published its latest Global Threat Index for June 2019. The research team confirms that Emotet (the largest Botnet currently in operation) has been down, with no new campaigns seen during most of June. Emotet has featured in the top 5 malware globally during the first six months of 2019, and has been distributed in massive spam campaigns.
Check Point’s researchers believe that Emotet’s infrastructure could be offline for maintenance and upgrade operations, and that as soon as its servers are up and running again, Emotet will be reactivated with new, enhanced threat capabilities.
“Emotet has been around as a banking Trojan since 2014. Since 2018 however we have seen it being used as a botnet in major malspam campaigns and used to distribute other malwares. Even though its infrastructure has been inactive for much of June 2019, it was still #5 in our global malware index, which shows just how much it is being used – and it’s likely that it will re-emerge with new features,” said Maya Horowitz, Director Threat Intelligence & Research at Check Point.
“Once Emotet is installed on a victim’s machine, it can use it to spread itself via further spam campaigns, download other malwares (like Trickbot, which in turn infects the entire hosting network with the infamous Ryuk Ransomware), and spread to further assets in the network.”
June 2019’s Top 3 ‘Most Wanted’ Malware: *The arrows relate to the change in rank compared to the previous month. The three most prominent Cryptominers still leading the list, this month XMRig was the most prominent malware impacting 4% of organizations worldwide, closely followed by Jsecoin and Cryptoloot, both impacting 3% of organizations globally.
1. ↑ XMRig - Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
3. ↓ Cryptoloot - Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining - adding transactions to the blockchain and releasing new currency. It was a competitor to Coinhive, trying to pull the rug under it by asking less percent of revenue from websites.
June’s Top 3 ‘Most Wanted’ Mobile Malware: Lotoor keeps leading the mobile top malware list, followed by Triada and Ztorg - a new malware in the top list. 1. Lotoor- Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
2. Triada- Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
3. Ztorg- Trojans in the Ztorg family obtain escalated privileges on Android devices and install themselves in the system directory. The malware is able to install any other application on the device.
June’s ‘Most Exploited’ vulnerabilities: In June we saw SQL Injections techniques keep leading the top exploits vulnerabilities list with a global impact of 52%. OpenSSL TLS DTLS Heartbeat Information Disclosure ranked second impacting 43% of organization globally, closely followed by CVE-2015-8562 with a global impact of 41% of organizations worldwide.
1. ↑ SQL Injection (several techniques)- Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↑ Joomla Object Injection Remote Command Execution (CVE-2015-8562)- A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.