Check Point Research, the research department of Check Point Software Technologies, has published its latest Global Threat Catalog for April 2020. The research team reports that a new version of the AgentTesla remote access trojan (RAT) is being distributed through spam campaigns related to the new coronavirus. This malware was ranked third on the list, affecting 3% of organizations worldwide. The new version of AgentTesla has been modified to steal Wi-Fi passwords in addition to other information such as login details for Outlook email accounts. During April, AgentTesla was attached to several malicious COVID-19 email campaigns which, under the pretext of providing interesting information about the coronavirus pandemic, prompted the user to “download” archives. In one of these campaigns, the sender posed as the World Health Organization and the subject of the email was “URGENT INFORMATION LETTER: FIRST HUMAN COVID-19 VACCINE TEST / RESULT UPDATE”. This incident highlights the fact that hackers are exploiting global events and public concerns to increase the success rates of their attacks.
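The lure described above combines three observable traits: a sender display name that claims to be the WHO while the address belongs to another domain, an urgent pandemic-themed subject, and an archive attachment. As an added example (not Check Point's detection logic, and not from the article), the following Python triage script scores constructed sample messages on exactly those traits; the brand-to-domain table, the archive extension list and the scoring threshold are assumptions for illustration.

```python
"""Heuristic triage for COVID-themed lure mail with a spoofed WHO sender.

Added example; not Check Point's detection logic. The sample messages,
brand table, extension list and threshold below are constructed assumptions.
"""
import re
from email.utils import parseaddr

# Subject terms drawn from the campaign description: urgency plus pandemic/vaccine theme.
LURE_SUBJECT_TERMS = ("urgent", "covid", "coronavirus", "vaccine", "who")

# Archive types commonly used to wrap a dropper (assumption, not from the article).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img", ".ace")

# Display-name phrases that claim the mail comes from WHO, mapped to WHO's real domain.
# Other brands would need their own entries.
IMPERSONATED_BRANDS = {"world health organization": "who.int", "who": "who.int"}

# Constructed sample messages: one matching the lure, one legitimate WHO mail, one unrelated.
SAMPLE_MESSAGES = [
    {
        "from": "World Health Organization <info@who-alerts.example>",
        "subject": "URGENT INFORMATION LETTER: FIRST HUMAN COVID-19 VACCINE TEST / RESULT UPDATE",
        "attachments": ["COVID-19_Update.zip"],
    },
    {
        "from": "WHO Newsletter <newsletter@who.int>",
        "subject": "Weekly epidemiological update",
        "attachments": ["update.pdf"],
    },
    {"from": "Alice <alice@example.com>", "subject": "Lunch on Thursday?", "attachments": []},
]


def score_message(msg):
    """Return (score, reasons) for a dict with 'from', 'subject' and 'attachments' keys."""
    reasons = []

    # Trait 1: display name claims a brand whose real domain does not match the address.
    display_name, address = parseaddr(msg.get("from", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name_l = display_name.lower()
    for brand, real_domain in IMPERSONATED_BRANDS.items():
        if brand in name_l and not (domain == real_domain or domain.endswith("." + real_domain)):
            reasons.append(
                f"display name claims '{display_name}' but sender domain is '{domain or 'missing'}'"
            )
            break

    # Trait 2: subject combines at least two lure terms (whole-word match, case-insensitive).
    subject_l = msg.get("subject", "").lower()
    hits = [t for t in LURE_SUBJECT_TERMS if re.search(r"\b" + re.escape(t) + r"\b", subject_l)]
    if len(hits) >= 2:
        reasons.append("subject combines lure terms: " + ", ".join(hits))

    # Trait 3: an archive attachment of the kind the user is prompted to "download".
    for name in msg.get("attachments", []):
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            reasons.append(f"archive attachment: {name}")

    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return the subjects of messages whose score meets the threshold (flagged for review)."""
    return [m["subject"] for m in messages if score_message(m)[0] >= threshold]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons = score_message(m)
        print(f"{score} {m['subject']!r}")
        for r in reasons:
            print("   -", r)
    print("flagged:", triage(SAMPLE_MESSAGES))
```

The threshold of two traits keeps a genuine WHO newsletter (correct domain, no archive, no urgency wording) out of the review queue while the spoofed lure scores on all three; in practice the brand table would be populated from the organisations your users actually correspond with.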
The popular banking trojan Dridex, which entered the top of the list of the most malicious software for the first time in March, had an even bigger impact in April: it moved from third place last month to first, affecting 4% of organizations worldwide. XMRig, the most popular malware in March, dropped to second place.
The research team also notes that the MVPower DVR Remote Code Execution vulnerability was the most frequently exploited, as in March, affecting 45.6% of organizations worldwide. This was followed by the OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability, with a global impact of 41%, while the Command Injection Over HTTP Payload vulnerability was in third place.
The 3 most common malware threats:
In April, Dridex came in first, affecting 4% of organizations worldwide. This was followed by XMRig and AgentTesla, affecting 4% and 3% of organizations worldwide, respectively.
- Dridex – Dridex is a trojan that targets the Windows platform and is reportedly installed through the execution of a file attached to spam campaigns. Dridex contacts a remote server and sends information about the infected system. It can also download and execute additional modules received from the remote server.
- XMRig – XMRig is open source CPU mining software used to mine the Monero cryptocurrency, first released in May 2017.
- AgentTesla – AgentTesla is an advanced RAT that works as a keylogger and password stealer and has been infecting computers since 2014. AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, take screenshots and exfiltrate credentials from software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is sold as a legitimate RAT, with interested parties paying $15 to $69 for a user license.
The 3 most common mobile malware threats:
In April, xHelper remained in first place as the most popular malware for mobile devices. Lotoor and AndroidBauts followed.
- xHelper – A malicious application that targets devices running Android. It was first spotted in March 2019 and is used to download other malicious applications and display ads. The application is capable of hiding itself from the user and from mobile antivirus programs, and if it is uninstalled it can reinstall itself automatically.
- Lotoor – A hacking tool that exploits vulnerabilities in the Android operating system to gain root access on compromised mobile devices.
- AndroidBauts – Adware that targets Android users. The software exfiltrates the IMEI, IMSI, GPS location and other device information and allows third-party applications to be installed on the device.
The full list of the most common malware threats in Greece for April is:
- AgentTesla – AgentTesla is an advanced RAT that works as a keylogger and password stealer and has been infecting computers since 2014. AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, take screenshots and exfiltrate credentials from software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is sold as a legitimate RAT, with interested parties paying $15 to $69 for a user license.
- Lokibot – Lokibot is information-stealing malware that is mainly distributed via phishing e-mail and is used to steal data such as e-mail credentials, as well as passwords for e-wallets, cryptocurrency wallets and FTP servers.
- Trickbot – Trickbot is a variant of Dyre that appeared in October 2016. Since then, it has targeted mainly banking users in Australia and the United Kingdom and recently began appearing in India, Singapore and Malaysia.
- Dridex – Dridex is a banking trojan that targets the Windows platform. It has been observed being distributed through spam campaigns and Exploit Kits. It relies on WebInjects to intercept banking credentials and redirect them to a server controlled by the attacker. Dridex contacts a remote server, sends information about the “infected” system, and can also download and run additional modules for remote control.
- XMRig – XMRig is open source CPU mining software used to mine the Monero cryptocurrency, first released in May 2017.
- Kryptik – Kryptik is a Trojan horse aimed at the Windows platform. It collects information about the system and sends it to the remote server. It can download and run additional malware files on an infected system.
- Jsecoin – JavaScript mining software that can be embedded in websites. With JSEcoin, mining runs directly in the visitor’s browser in exchange for an ad-free browsing experience, in-game currency and other incentives.
- xHelper – A malicious application that targets devices running Android. It was first spotted in March 2019 and is used to download other malicious applications and display ads. The application is capable of hiding itself from the user.
- Nanobot – Nanobot is a botnet whose hosts are controlled by the NanoCore RAT, a remote access trojan that targets users of the Windows operating system. All versions of the RAT include basic features such as screen recording, cryptocurrency mining, remote desktop control and webcam capture. NanoCore is sold on a dark web forum for about $25, and several versions of the RAT have leaked over time.
- Joker – Joker is a family of malware linked to billing fraud. It appeared in 2017 but began to be used extensively in 2019. It is advertised as a legitimate application, but once installed it commits fraud either via SMS (sending text messages to premium-rate services) or by abusing WAP billing.
Malware family | Global impact | Impact in Greece
---|---|---
AgentTesla | 2.76% | 14.79%
Lokibot | 1.86% | 9.51%
Trickbot | 2.36% | 9.51%
Dridex | 3.96% | 6.69%
XMRig | 3.58% | 5.63%
Kryptik | 0.41% | 4.93%
Jsecoin | 2.70% | 4.58%
xHelper | 1.83% | 3.17%
Nanobot | 0.70% | 3.17%
Joker | 0.10% | 2.82%
Larissa TEAM