November 2018: Most wanted malware exposed
Check Point has published its latest Global Threat Index for November 2018. The index reveals that the Emotet botnet has entered the Index’s top 10 ranking after researchers saw it spread through several campaigns, including a Thanksgiving-themed campaign.
This involved sending malspam emails in the guise of Thanksgiving cards, with subjects such as “happy Thanksgiving day wishes”, “Thanksgiving wishes” and “the Thanksgiving day congratulation!”. These emails carried malicious attachments, often with file names related to Thanksgiving, to spread the botnet and deploy other malware and malicious campaigns. As a result, the Emotet botnet’s global impact increased 25% compared to October 2018.
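As an added illustration of how a mail team might triage the campaign described above (this is example code written for this page, not Check Point’s detection logic), the script below scores gateway log records against the subject lines quoted in the report and the attachment traits it mentions. The log format, the sample lines, the list of risky attachment extensions and the flagging threshold are all constructed assumptions; the report itself only says “malicious attachments” and “file names related to Thanksgiving”.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Subject lines quoted in the Check Point report, matched case-insensitively
# after whitespace normalisation.
LURE_SUBJECTS = (
    "happy thanksgiving day wishes",
    "thanksgiving wishes",
    "the thanksgiving day congratulation!",
)

# Assumption: the report says only "malicious attachments"; this extension
# list is the triage's own choice of risky carrier types.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".js"}

# Assumption: a record needs at least this score to land in the review queue.
FLAG_THRESHOLD = 3


@dataclass
class MailRecord:
    timestamp: str
    sender: str
    subject: str
    attachments: List[str] = field(default_factory=list)


def parse_log_line(line: str) -> MailRecord:
    """Parse one constructed gateway log line of the form
    timestamp|sender|subject|attachment1;attachment2 (attachments may be empty)."""
    ts, sender, subject, attachments = line.rstrip("\n").split("|", 3)
    names = [a for a in attachments.split(";") if a]
    return MailRecord(ts, sender, subject, names)


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so subject matching is robust."""
    return re.sub(r"\s+", " ", text.strip().lower())


def score_record(rec: MailRecord) -> int:
    """Additive score: exact lure subject +2, seasonal keyword +1,
    risky attachment type +2, attachment name on the lure theme +1."""
    score = 0
    subj = normalize(rec.subject)
    if any(lure == subj for lure in LURE_SUBJECTS):
        score += 2          # subject is one of the reported campaign lures
    elif "thanksgiving" in subj:
        score += 1          # seasonal theme only, a weaker signal
    for name in rec.attachments:
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            score += 2      # macro document, archive or script carrier
        if "thanksgiving" in lower:
            score += 1      # file name follows the lure theme, as reported
    return score


def triage(lines: List[str]) -> List[Tuple[str, int, bool]]:
    """Return (subject, score, flagged) for each log line."""
    results = []
    for line in lines:
        rec = parse_log_line(line)
        s = score_record(rec)
        results.append((rec.subject, s, s >= FLAG_THRESHOLD))
    return results


# Constructed sample log lines; senders and names are placeholders.
SAMPLE_LOG = [
    "2018-11-20T08:15:02|cards@example.net|Happy Thanksgiving day wishes|Thanksgiving-Card.doc",
    "2018-11-20T09:02:11|hr@example.org|Thanksgiving wishes|",
    "2018-11-20T09:40:55|vendor@example.com|Invoice 4471|invoice_4471.pdf",
    "2018-11-21T10:05:00|friend@example.net|Thanksgiving dinner photos|dinner.pdf",
    "2018-11-21T11:30:45|greetings@example.net|the Thanksgiving day congratulation!|Thanksgiving.docm",
]

if __name__ == "__main__":
    for subject, score, flagged in triage(SAMPLE_LOG):
        print(f"{'FLAG ' if flagged else '     '}{score}  {subject}")
```

A lure subject alone does not reach the threshold; the score is built so that the subject and a risky attachment together do, which mirrors the report’s description of the campaign (seasonal subject plus malicious attachment) while keeping ordinary holiday mail without attachments out of the queue.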
Meanwhile, November was the first anniversary of the Coinhive cryptominer leading the Global Threat Index, which it has done since December 2017. During the past 12 months, Coinhive alone impacted 24% of organizations worldwide, while cryptomining malware had an overall global impact of 38%.
“This month, we have seen a significant increase in efforts to spread the Emotet botnet that have used seasonal messages to encourage clicks,” said Maya Horowitz, Director, Threat Intelligence and Research at Check Point. “Individuals and businesses expect to receive seasonal messages. These have been leveraged to spread the Emotet botnet, as part of the malware’s social engineering methods to lure potential victims into opening malicious emails. Given this capability, along with its persistence and use of evasion techniques to avoid detection, Emotet appears to have had a successful month.”
While Coinhive remains popular, having been the most prolific malware aimed at organizations for a full year, there has been an increase in malware that can be used to deploy additional payloads to infected machines. Such multipurpose malware lets attackers maximise their returns from each infection.
Top 3 most wanted November 2018
- Coinhive – Crypto miner designed to perform online mining of Monero cryptocurrency when a user visits a web page, without the user’s knowledge and without sharing the profits with the user. The implanted JavaScript consumes a large share of the end user’s computational resources to mine coins and might crash the system.
- Cryptoloot – Crypto miner that uses the victim’s CPU or GPU power and existing resources for crypto mining, adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug out from under it by asking websites for a smaller percentage of revenue.
- Andromeda – Modular bot used mainly as a backdoor to deliver additional malware to infected hosts, but can be modified to create different types of botnets.
Top 3 most wanted mobile malware November 2018
- Triada – Modular backdoor for Android which grants super-user privileges to downloaded malware and helps it become embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
- Hiddad – Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads; however, it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
- Lokibot – Android banking Trojan and info-stealer, which can also turn into ransomware that locks the phone if its admin privileges are removed.
Check Point researchers also analyzed the most exploited cyber vulnerabilities. Once again, CVE-2017-7269 remains in first place on the top exploited vulnerabilities list, with a global impact of 48% of organizations. OpenSSL TLS DTLS Heartbeat Information Disclosure keeps its second place with a global impact of 44%. CVE-2016-6309, a vulnerability in the tls_get_message_body function of OpenSSL, is in third place, impacting 42% of organizations.