February 2020’s Most Wanted Malware: Increase in Exploits Spreading the Mirai Botnet to IoT Devices

Check Point Research also reports that Emotet has been spreading via new SMS phishing Campaign

SAN CARLOS, Calif., March 11, 2020 (GLOBE NEWSWIRE) -- Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for February 2020. 

February saw a large increase in exploits targeting a vulnerability to spread the Mirai botnet, which is notorious for infecting IoT devices and conducting massive DDoS attacks. The vulnerability, known as the “PHP php-cgi Query String Parameter Code Execution” exploit, ranked 6th in the top exploited vulnerabilities and impacted 20% of organizations worldwide, compared to just 2% in January 2020.

The research team is also warning organizations that Emotet, the second most popular malware this month and the most widespread botnet operating currently, has been spreading using two new vectors during February.  The first vector was an SMS Phishing (smishing) campaign targeting users in the U.S.: the SMS impersonates messages from popular banks, luring victims to click a malicious link which downloads Emotet to their device. The second vector is Emotet detecting and leveraging nearby Wi-Fi networks to spread via brute force attacks using a range of commonly-used Wi-Fi passwords.  Emotet is primarily used as a distributor of ransomware or other malicious campaigns.

Emotet impacted 7% of organizations globally in February, down from 13% in January, when it was being spread via spam campaigns including Coronavirus-themed campaigns.  This highlights how quickly cyber-criminals change the themes of their attacks to try and maximise infection rates. 

“As we saw in January, the most impactful threats and exploits during February were versatile malware such as XMRig and Emotet.  Criminals seem to be aiming to build the largest possible networks of infected devices, which they can then exploit and monetize in a range of different ways, from ransomware delivery to launching DDoS attacks,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “As the main infection vectors are emails and SMS messages, organizations should ensure their employees are educated about how to identify different types of malicious spam, and deploy security that actively prevents these threats from infecting their networks.” 

Top malware families
*The arrows relate to the change in rank compared to the previous month.

This month, XMRig moved up to first place, impacting 7% of organizations globally, followed by Emotet and Jsecoin impacting 6% and 5% of organizations worldwide respectively.

  1. ↑ XMRig - XMRig is an open-source CPU mining software used for mining the Monero cryptocurrency, and was first seen in-the-wild on May 2017.
  2. ↓ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be primarily a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence, and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  3. ↑Jsecoin - Jsecoin is a web-based crypto-miner designed to perform online mining of Monero cryptocurrency when a user visits a particular web page. The implanted JavaScript uses a large amount of the end user machines¿ computational resources to mine coins, thus impacting the system performance.

Top exploited vulnerabilities
This month, the “MVPower DVR Remote Code Execution” remained the most common exploited vulnerability, impacting 31% of organizations globally, closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 28%.  In the 3rd place “PHP DIESCAN information disclosure” vulnerability impacting 27% of organizations worldwide.
1. ↔ MVPower DVR Remote Code Execution - A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3.  PHP DIESCAN information disclosure- An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.

Top malware families- Mobile
This month xHelper retained the 1st place in the most prevalent mobile malware, followed by Hiddad and Guerrilla.

1.   xHelper- A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstall itself in case it was uninstalled.
2.   Hiddad - Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
3.   Guerrilla- Guerrilla is an Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers. 

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.

The complete list of the top 10 malware families in February can be found on the Check Point Blog.  

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch_

About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally.  Check Point’s solutions protect customers from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and advanced targeted threats. Check Point offers a multilevel security architecture, “Infinity Total Protection with Gen V advanced threat prevention”, this combined product architecture defends an enterprises’ cloud, network and mobile devices. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.

Emilie Beneitez Lefebvre Kip E. Meintzer
Check Point Software Technologies Check Point Software Technologies
press@checkpoint.com ir@us.checkpoint.com