September 2019’s Most Wanted Malware: Emotet Botnet Starts Spreading Spam Campaigns Again After a Three-Month Silence - Check Point Software (2024)

Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for September 2019. The Research team is warning organizations that the Emotet Botnet has started spreading several new spam campaigns once again, after a three-month break. Researchers first reported the notorious botnet taking a break in June 2019, and that the offensive infrastructure had become active again in August.

Some of the Emotet spam campaigns featured emails which contained a link to download a malicious Word file, and some contained the malicious document itself. When opening the file, it lures the victims to enable the document’s macros, which then installs the Emotet malware on the victim’s computer. Emotet was the 5th most prevalent malware globally in September.

“It’s not clear why the Emotet botnet was dormant for 3 months, but we can assume that the developers behind it were updating its features and capabilities. It’s essential that organizations warn employees about the risks of phishing emails, and of opening email attachments or clicking on links that do not come from a trusted source or contact. They should also deploy latest generation anti-malware solutions that can automatically extract suspicious content from emails before it reaches end-users,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

September 2019’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.
This month, the Jsecoin cryptominer leads the top malware list, impacting 8% of organizations worldwide. XMRig is the second most popular malware, followed by AgentTesla, both with a global impact of 7%.

1. ↑ Jsecoin – Jsecoin is JavaScript miner that can be embedded in websites. With Jsecoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
2. ↓ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
3. ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).

September’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Lotoor is the most prevalent mobile malware, followed by AndroidBauts and Hiddad.

1. Lotoor – a hacking tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.
3. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

September’s ‘Most Exploited’ vulnerabilities:

This month, the MVPower DVR Remote Code Execution vulnerability leads the top exploited vulnerabilities list with a global impact of 37%. The Linux System Files Information Disclosure vulnerability is second, closely followed by the Web Server Exposed Git Repository Information Disclosure, with both impacting 35% of organizations around the world.

1. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
2. ↑ Linux System Files Information Disclosure – Linux operating system contains system files with sensitive information. If not properly configured, remote attackers can view the information on such files.
3. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.

Check Point’s Global Threat Impact Index and its ThreatCloud AI Map is powered by Check Point’s ThreatCloud AI intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud AI database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

The complete list of the top 10 malware families in September can be found on the Check Point Blog.

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch_

About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud AI to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.