Coinhive has once again led Check Point’s Global Threat Index for the 15th consecutive month, despite the announcement that its services have been shut down from March 8th 2019.
Researchers have also discovered several widespread campaigns distributing the GandCrab ransomware that have targeted Japan, Germany, Canada and Australia. These nations are just part of the targeted countries. These operations have emerged over the last two months, and Check Point’s researchers noticed a new version of the ransomware being distributed in one of the latest campaigns.
The new version, Gandcrab 5.2, includes most of the features of the last, but with a change in the encryption method that causes the decryption tool for previous versions of the ransomware to be ineffective.
In February, the most prevalent malware variants were cryptominers. Coinhive remains the top malware, impacting 10% of organizations worldwide. This follows a downward trend in Coinhive’s global impact, from 18% in October 2018 to 12% in January 2019 and with a 2% drop this month. This decrease has been caused by the rising cost of mining along with the decline in Monero’s value.
Cryptoloot rose to second place in February replacing XMRig, and was followed by Emotet, an advanced, self-propagate and modular Trojan, which replaced Jsecoin in third place in the index.
“As we saw in January, threat actors continue to exploit new ways to distribute malware, while creating new and more dangerous variants of existing malware forms. GandCrab’s new version proves once again that although there are malware families that stay in the top malware list for several months and seems to be static, they are actually evolving and being developed to evade detection. To effectively combat this, our researchers continuously trace them based on their malware family DNA – so it’s essential that organizations keep their security solutions fully updated,” said Maya Horowitz, Threat Intelligence and Research Director at Check Point.
February 2019: Most wanted malware
2. Cryptoloot – Crypto-Miner that uses the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. It is a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
3. Emotet – Advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
This month Lotoor is the most prevalent mobile malware, replacing Hiddad at first place in the top mobile malware list. Triada remains in third place.
February 2019: Most wanted mobile malware
1. Lotoor – Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
2. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
3. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
February 2019: Most exploited vulnerabilities
1. Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. Web servers PHPMyAdmin Misconfiguration Code Injection – A code injection vulnerability has been reported in PHPMyAdmin. The vulnerability is due to PHPMyAdmin misconfiguration. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request to the target.