November 2018’s Most Wanted Malware: the Thanksgiving Day Botnet Emerges
December 2018 by Check Point
Check Point has published its latest Global Threat Index for November 2018. The index reveals that the Emotet botnet has entered the Index’s top 10 ranking after researchers saw it spread through several campaigns, including a Thanksgiving-themed campaign.
This involved sending malspam emails in the guise of Thanksgiving cards, with email subjects such as “happy Thanksgiving day wishes”, “Thanksgiving wishes” and “the Thanksgiving day congratulation!” These emails carried malicious attachments, often with Thanksgiving-related file names, to spread the botnet and deploy other malware and malicious campaigns. As a result, the Emotet botnet’s global impact has increased 25% compared to October 2018.
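The campaign described above combines a seasonal subject line, a themed attachment name and a document-type attachment. The following is an added example (not Check Point’s code or data) of a mail-gateway triage heuristic that scores messages on exactly those traits; the sample records, the organisation domain `corp.example`, the extension list and the threshold are all constructed assumptions for illustration.

```python
import re

# Constructed sample mail-gateway records (not real telemetry). The three seasonal
# subjects are the ones quoted in the report; senders and file names are invented.
SAMPLE_MESSAGES = [
    {"sender": "greetings@cards.example.net", "subject": "happy Thanksgiving day wishes",
     "attachments": ["Thanksgiving_card_2018.doc"]},
    {"sender": "hr@corp.example", "subject": "Thanksgiving wishes",
     "attachments": []},
    {"sender": "noreply@ecards.example.org", "subject": "the Thanksgiving day congratulation!",
     "attachments": ["Happy_Thanksgiving.docm"]},
    {"sender": "alice@corp.example", "subject": "Q4 budget review",
     "attachments": ["budget.xlsx"]},
    {"sender": "promo@shop.example.org", "subject": "Thanksgiving sale - 30% off",
     "attachments": ["catalog.pdf"]},
]

INTERNAL_DOMAIN = "corp.example"  # assumed organisation domain

# Seasonal lure vocabulary (assumed list; extend per holiday calendar).
SEASONAL = re.compile(r"thanksgiving|happy holidays|greeting card|e-?card", re.I)
# Attachment types that can carry macros, exploits or droppers (assumed list).
RISKY_EXT = re.compile(r"\.(docm?|dotm?|xlsm?|xls|pptm?|rtf|js|vbs|zip)$", re.I)


def score_message(msg):
    """Return (score, reasons) for one gateway record.

    Each independent lure trait adds one point, so a message needs several
    of them before it crosses the triage threshold; a seasonal subject on
    its own (internal greetings, retail promotions) is not enough.
    """
    score, reasons = 0, []
    sender_domain = msg["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain != INTERNAL_DOMAIN:
        score += 1
        reasons.append("external sender")
    if SEASONAL.search(msg["subject"]):
        score += 1
        reasons.append("seasonal-greeting subject")
    for name in msg["attachments"]:
        if RISKY_EXT.search(name):
            score += 1
            reasons.append(f"risky attachment type: {name}")
            if SEASONAL.search(name):
                # Themed file name matching the subject: the pattern the campaign used.
                score += 1
                reasons.append("seasonal-themed attachment name")
            break
    return score, reasons


def triage(messages, threshold=3):
    """Return (subject, score, reasons) for every message at or above the threshold."""
    hits = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            hits.append((msg["subject"], score, reasons))
    return hits


if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"[{score}] {subject!r}: {', '.join(reasons)}")
```

Run as a script, the two card-style messages with document attachments are reported, while the internal greeting and the retail promotion stay below the threshold. In production the flagged messages would be routed to sandbox detonation or quarantine rather than blocked outright, since seasonal subjects alone are common legitimate traffic.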
Meanwhile, November was the first anniversary of the Coinhive cryptominer leading the Global Threat Index, which it has done since December 2017. During the past 12 months, Coinhive alone impacted 24% of organizations worldwide, while cryptomining malware had an overall global impact of 38%.
“This month, we have seen a significant increase in efforts to spread the Emotet botnet that have used seasonal messages to encourage clicks,” said Maya Horowitz, Director, Threat Intelligence and Research at Check Point. “Individuals and businesses expect to receive seasonal messages. These have been leveraged to spread the Emotet botnet, as part of the malware’s social engineering methods to lure potential victims into opening malicious emails. Given this capability, along with its persistence and use of evasion techniques to avoid detection, Emotet appears to have had a successful month.”
While Coinhive remains popular, having been the most prolific malware aimed at organizations for a year, there has been an increase in malware that can be used to deploy additional payloads to infected machines. Such multipurpose malware can maximise returns for attackers, since one infection can be monetised in several ways.
November 2018’s Top 3 ‘Most Wanted’:
*The arrows relate to the change in rank compared to the previous month.
1. ↔ Coinhive - Crypto-Miner that has led the Global Threat Index since December 2017 (see above).
2. ↔ Cryptoloot - Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining - adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking a smaller percentage of revenue from websites.
3. ↑ Andromeda - Modular bot used mainly as a backdoor to deliver additional malware to infected hosts, but which can be modified to create different types of botnets.
Triada, the modular backdoor for Android, has retained first place in the top mobile malware list. Hiddad has climbed to second place, replacing the Android banking Trojan and info-stealer Lokibot, which has fallen to third place.
November’s Top 3 ‘Most Wanted’ mobile malware:
1. Triada - Modular backdoor for Android which grants super-user privileges to downloaded malware, helping it to embed itself into system processes. Triada has also been seen spoofing URLs loaded in the browser.
2. Hiddad - Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
3. Lokibot - Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are removed.
Check Point researchers also analyzed the most exploited cyber vulnerabilities. Once again, CVE-2017-7269 remains in first place on the top exploited vulnerabilities list, with a global impact of 48% of organizations. OpenSSL TLS DTLS Heartbeat Information Disclosure keeps its second place with a global impact of 44%. CVE-2016-6309, a vulnerability in the tls_get_message_body function of OpenSSL, is in third place, impacting 42% of organizations.
November’s Top 3 ‘Most Exploited’ vulnerabilities:
1. ↔ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial-of-service condition on the target server. This is mainly due to a buffer overflow vulnerability caused by improper validation of a long header in an HTTP request.
2. ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↑ OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309) - A use-after-free vulnerability has been reported in the tls_get_message_body function of OpenSSL. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted message to the vulnerable server. Successful exploitation allows the attacker to execute arbitrary code on the system.
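The first entry above is triggered by an over-long header in a WebDAV request. As an added example (not Check Point’s code and not tied to the actual IIS defect), the following request-head inspector shows the kind of pre-filter a reverse proxy or WAF can apply in front of legacy IIS hosts: it parses the request line and headers, flags any header value above a size limit, and raises the severity when the request uses a WebDAV method. The WebDAV method list, the 1024-byte limit, the header name `X-Constructed-Long` and the sample requests are all constructed assumptions.

```python
# Constructed HTTP request heads (not captured traffic). CRLF line endings as on the wire.
BENIGN_PROPFIND = (
    "PROPFIND /dav/ HTTP/1.1\r\n"
    "Host: files.example\r\n"
    "Depth: 1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
OVERSIZED_PROPFIND = (
    "PROPFIND /dav/ HTTP/1.1\r\n"
    "Host: files.example\r\n"
    "X-Constructed-Long: " + "A" * 2000 + "\r\n"   # header padded far beyond any legitimate value
    "\r\n"
)
PLAIN_GET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example\r\n"
    "User-Agent: constructed-client/1.0\r\n"
    "\r\n"
)

# WebDAV extension methods (assumed list; RFC 4918 defines these).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Assumed ceiling on a single header value; tune to the application's real maximum.
MAX_HEADER_VALUE = 1024


def parse_request_head(raw: str):
    """Split a request head into (method, target, [(name, value), ...]).

    Stops at the first empty line, so a body (if any) is never parsed as headers.
    """
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def inspect_request(raw: str):
    """Return a list of findings for one request head; empty means nothing to flag."""
    method, _target, headers = parse_request_head(raw)
    findings = []
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"oversized header {name} ({len(value)} bytes)")
    if method in WEBDAV_METHODS and findings:
        # Oversized input on a WebDAV method is the shape of the CVE-2017-7269 class.
        findings.append(f"WebDAV method {method} with oversized header")
    return findings


if __name__ == "__main__":
    for label, req in [("benign PROPFIND", BENIGN_PROPFIND),
                       ("oversized PROPFIND", OVERSIZED_PROPFIND),
                       ("plain GET", PLAIN_GET)]:
        print(label, "->", inspect_request(req) or "clean")
```

A size limit of this kind is a coarse control: it does not replace patching or, where WebDAV is not needed, disabling the extension on the server, but it gives a detection signal on hosts that cannot be upgraded quickly.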
Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.