Coronavirus (COVID-19) is having major impacts on the world. This week we seen Mobile World Congress cancelled, the Chinese Formula 1 GP postponed and now it’s impacting the upcoming Japan 2020 Olympics.
To make what is an already terrible global situation worse, cyber criminals are leveraging people’s fears around the deadly virus to spread Malware. If you’re thinking that sounds like terrible behaviour, you’re right, but bad actors continue to prove that they have no moral compass.
Emotet spreads primarily through emails that often contain malicious scripting or macro-enabled attachments. Links in the email body can also take users to malicious websites that also cause the infection. Once infected, computers can often hijacked to be part of a botnet or cryptolockered with ransomware.
The Threat Intelligence arm of Check Point Software Technologies. has published its latest Global Threat Index for January 2020. The research team reported that Emotet was the leading malware threat for the fourth month running, and was being spread during the month using a Coronavirus-themed spam campaign.
The emails appear to be reporting where Coronavirus is spreading, or offering more information about the virus, encouraging the victim to open the attachments or click the links which, if opened, attempt to download Emotet on their computer. Emotet is primarily used as a distributor of ransomware or other malicious campaigns.
In Southeast Asia (SEA), Emotet is ranked top 5 this month in most of the SEA countries, including Singapore (2nd), Malaysia (3rd), Thailand (2nd), Philippines (5th), and Vietnam (4th). What’s interesting here is, Emotet is not on the top 10 list for Indonesia. Coincidently, there are no reported cases of the Coronavirus in Indonesia.
January also saw an increase in attempts to exploit the ‘MVPower DVR Remote Code Execution’ vulnerability, impacting 45% of organisations globally. This rose from being the third most exploited vulnerability in December to the top position this month. If successfully exploited, a remote attacker can exploit this weakness to execute arbitrary code on the targeted machine.
“As with last month, the ‘most wanted’ malicious threats impacting organizations continue to be versatile malware such as Emotet, XMRig and Trickbot, which collectively hit over 30% of organisations worldwide.
Businesses need to ensure their employees are educated about how to identify the types of topical spam emails that are typically used to propagate these threats, and deploy security that actively prevents these threats from infecting their networks and leading to ransomware attacks or data exfiltration.”
Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.
The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.
January 2020’s Top 3 ‘Most Wanted’ Malware:
Emotet is holding the 1st place impacting 13% of organisations globally, followed by XMRig and Trickbot impacting 10% and 7% of organisations worldwide respectively.
- Emotet – an advanced, self-propagate and modular Trojan. Emotet used to be primarily a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence, and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
- XMRig – an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
- Trickbot – a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customisable malware that can be distributed as part of multi purposed campaigns.
January’s Top 3 ‘Most Wanted’ Mobile Malware:
- xHelper- A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user, and reinstalling itself if it is uninstalled.
- Guerrilla – An Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
- AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
January’s ‘Most Exploited’ vulnerabilities:
The “MVPower DVR Remote Code Execution” was the most common exploited vulnerability, impacting 45% of organisations globally, followed by “Web Server Exposed Git Repository Information Disclosure” with an impact of 44% and the “PHP DIESCAN information disclosure” vulnerability impacting 42%.
- MVPower DVR Remote Code Execution – A remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
- Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
- PHP DIESCAN information disclosure – An information disclosure vulnerability reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
The complete list of the top 10 malware families in December can be found on the Check Point Blog.
If you want the official data on Coronavirus, John Hopkins University has a great visualisation using ESRI’s ArcGIS Mapping solution.