Check Point researchers confirm the Trickbot Trojan's return after two years of absence from the list of the 10 most common malware
Check Point Research, the research arm of Check Point Software Technologies Ltd., a leading provider of cyber security solutions worldwide, has released its latest Global Threat Index for April 2019. It reveals that the Trickbot banking Trojan returned to the top ten list for the first time in almost two years.
Multi-purpose banking trojans such as Trickbot are popular options for cybercriminals seeking financial gain.
Campaigns using Trickbot rose sharply in April, with several of them timed to the period when individual income tax returns were being filed in the US.
The spam campaigns distributed Excel files that downloaded Trickbot onto the victims' computers. The Trojan then spread across networks, collected bank details, and eventually exfiltrated tax documents for fraudulent use.
While the three most common malware in April were cryptominers, the remaining seven of the top ten were multi-purpose trojans. This highlights a shift in the tactics criminals use to maximize their financial return from campaigns, following the closure of several popular cryptomining services and the decline in the value of various cryptocurrencies in recent years.
Maya Horowitz, Check Point's Threat Intelligence Director, commented: "This month, both Trickbot and Emotet were listed among the ten most common malicious software.
This is particularly worrying, as these two botnets are currently used not only to intercept personal user data but also to spread the Ryuk ransomware. The notorious Ryuk targets assets such as databases and backup servers, demanding a ransom of over $1 million.
As these malicious programs are constantly changing, it is vital to have a strong line of defense with advanced threat prevention features."
The 3 Most Popular Malware Threats in April 2019:
* The arrows indicate the change in rank relative to the previous month.
- ↑ Cryptoloot - A cryptominer that uses the victim's CPU or GPU power and existing resources for cryptomining, adding transactions to the blockchain and generating new coins. It competes with Coinhive, trying to displace it by demanding a lower percentage of revenue from websites.
- ↑ XMRig - Open-source CPU mining software used to mine the Monero cryptocurrency, first released in May 2017.
In April, Triada was the most widespread mobile malware, replacing Hiddad at the top of the list. Lotoor remained in second place, with Hiddad falling to third.
The 3 most widespread mobile malware in April:
- Triada - Modular backdoor for Android that grants superuser privileges to downloaded malware, helping it embed itself in system processes. Triada has also been observed spoofing URLs loaded in the browser.
- Lotoor - A hacking tool that exploits vulnerabilities in the Android operating system to gain full root access on compromised mobile devices.
- Hiddad - Android malware that repackages legitimate applications and then releases them to a third-party store. Its main function is to display ads, but it can also access key security details built into the operating system, allowing an attacker to obtain sensitive user data.
Check Point's researchers also analyzed the most commonly exploited vulnerabilities. OpenSSL TLS DTLS Heartbeat Information Disclosure topped the list, affecting 44% of organizations worldwide. For the first time in 12 months, CVE-2017-7269 was in second place, affecting 40% of organizations worldwide, while third place went to CVE-2017-5638, affecting 38% of organizations worldwide.
The 3 most commonly exploited vulnerabilities for April:
- ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability in OpenSSL. The flaw is due to an error in the handling of TLS/DTLS heartbeat packets. An attacker could exploit it to disclose memory contents of a connected client or server.
- ↓ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) - By sending a crafted request over the network to Microsoft Windows Server 2003 R2 running Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service on the target server. This is mainly due to a buffer overflow vulnerability caused by improper validation of a large header in an HTTP request.
- ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) - A remote code execution vulnerability exists in Apache Struts2 when using the Jakarta multipart parser. An attacker could exploit it by sending an invalid Content-Type as part of a file upload request. Successful exploitation could lead to arbitrary code execution on the affected system.
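As an added defender-side illustration (not part of the Check Point report), the following Python function applies the bounds check that the fix for the Heartbeat flaw (CVE-2014-0160) introduced: a heartbeat message whose declared payload length does not fit inside the TLS record is rejected rather than answered. The record layout follows RFC 6520; the sample records are constructed inline, and the helper names are this example's own.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat messages
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def check_heartbeat_record(record: bytes) -> dict:
    """Parse a TLS record and apply the length check missing before the fix.

    Returns a dict with 'ok' and 'reason'. A heartbeat whose declared
    payload_length cannot fit in the record body is exactly the shape that
    made unpatched OpenSSL copy memory beyond the received data into its reply.
    """
    if len(record) < 5:
        return {"ok": False, "reason": "truncated record header"}
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"ok": False, "reason": "not a heartbeat record"}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"ok": False, "reason": "record length does not match data"}
    if rec_len < 3:
        return {"ok": False, "reason": "heartbeat body too short"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type"}
    # The patched check: type byte + length field + payload + padding must fit.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return {"ok": False,
                "reason": f"payload_length {payload_len} exceeds record body {rec_len}"}
    return {"ok": True, "reason": "well-formed", "payload": body[3:3 + payload_len]}


def build_heartbeat(payload: bytes, declared_len: int = -1) -> bytes:
    """Construct a heartbeat request record (sample input for this example).

    declared_len lets the test build a record whose length field disagrees
    with the bytes actually sent, which is the case the check above rejects.
    """
    declared = len(payload) if declared_len < 0 else declared_len
    body = struct.pack("!BH", HB_REQUEST, declared) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


if __name__ == "__main__":
    print(check_heartbeat_record(build_heartbeat(b"hello")))
    print(check_heartbeat_record(build_heartbeat(b"hello", declared_len=0x4000)))
```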
The full list of the 10 most widespread malware threats in Greece for April is:
- Cryptoloot - A cryptominer that uses the victim's CPU or GPU power and existing resources to generate cryptocurrency, adding transactions to the blockchain and generating new coins. It competes with Coinhive.
- Pony - Pony is an info stealer designed primarily to extract user data from infected Windows-based platforms; it is also known as Pony Stealer, Pony Loader, FareIT and many other names. Pony was created in 2011 and in 2013 its source code was released publicly, allowing new variants to evolve. In addition to stealing data, Pony allows attackers to monitor activity on the user's system and network, download and install additional malware, and even infect further computers to build a botnet. Because of its nature, Pony has been used by many attackers.
- Lokibot - Lokibot is an info stealer that spreads primarily through phishing emails and is used to intercept data such as e-mail credentials, as well as passwords for cryptocurrency wallets and FTP servers.
- Hawkeye - Hawkeye is an info stealer designed primarily to extract user data from infected Windows-based platforms. Over the past few months, Hawkeye has been improved to include keylogging capabilities in addition to stealing email and web browser credentials. It is often marketed as MaaS (Malware as a Service) through various infection chain techniques.
- AgentTesla - AgentTesla is a sophisticated RAT that functions as a keylogger and password stealer and has been infecting computers since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, take screenshots and extract credentials from software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is sold as a legitimate RAT, with interested parties paying $15 - $69 for a user license.
- Emotet - Advanced, self-propagating modular Trojan. Emotet once operated as a banking Trojan and has recently been used to distribute other malware or in malware propagation campaigns. It uses many evasion techniques to persist on the system and avoid detection. It can also spread through phishing spam emails containing malicious attachments or links.
- Dorkbot - IRC-based worm designed to allow remote code execution by its operator and the download of additional malware onto the infected system, with the main purpose of intercepting sensitive information and performing denial-of-service attacks.
- XMRig - XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first released in May 2017.
The Global Threat Impact Index and Check Point's ThreatCloud Map are based on Check Point's ThreatCloud intelligence, the largest collaborative network for fighting cybercrime, which provides data on threats and attack trends using a global network of threat sensors.
The ThreatCloud database holds more than 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and more than 5.5 million infected websites, and identifies millions of malware types every day.
Check Point's Threat Prevention Resources are available on the site: