June 2019’s Most Wanted Malware: Emotet Takes a Break, but Possibly Not for Long

Check Point’s researchers confirm the Emotet botnet infrastructure has been inactive for most of June, but may return with new capabilities

SAN CARLOS, Calif., July 09, 2019 (GLOBE NEWSWIRE) -- Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for June 2019.  The research team confirms that Emotet (the largest Botnet currently in operation) has been down, with no new campaigns seen during most of June. Emotet has featured in the top 5 malware globally during the first six months of 2019, and has been distributed in massive spam campaigns.

Check Point’s researchers believe that Emotet’s infrastructure could be offline for maintenance and upgrade operations, and that as soon as its servers are up and running again, Emotet will be reactivated with new, enhanced threat capabilities.

“Emotet has been around as a banking Trojan since 2014. Since 2018 however we have seen it being used as a botnet in major malspam campaigns and used to distribute other malwares. Even though its infrastructure has been inactive for much of June 2019, it was still #5 in our global malware index, which shows just how much it is being used – and it’s likely that it will re-emerge with new features,” said Maya Horowitz, Director Threat Intelligence & Research at Check Point.

“Once Emotet is installed on a victim’s machine, it can use it to spread itself via further spam campaigns, download other malwares (like Trickbot, which in turn infects the entire hosting network with the infamous Ryuk Ransomware), and spread to further assets in the network.”

June 2019’s Top 3 ‘Most Wanted’ Malware:
*The arrows relate to the change in rank compared to the previous month.
The three most prominent Cryptominers still leading the list, this month XMRig was the most prominent malware impacting 4% of organizations worldwide, closely followed by Jsecoin and Cryptoloot, both impacting 3% of organizations globally.

  1. ↑ XMRig - Open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  2. ↑ Jsecoin - JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  3. ↓ Cryptoloot - Crypto-Miner, using the victim’s CPU or GPU power and existing resources for crypto mining - adding transactions to the blockchain and releasing new currency. It was a competitor to Coinhive, trying to pull the rug under it by asking less percent of revenue from websites.            

June’s Top 3 ‘Most Wanted’ Mobile Malware:
Lotoor keeps leading the mobile top malware list, followed by Triada and Ztorg - a new malware in the top list.

  1. Lotoor- Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.
  2. Triada- Modular Backdoor for Android which grants super user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  3. Ztorg- Trojans in the Ztorg family obtain escalated privileges on Android devices and install themselves in the system directory. The malware is able to install any other application on the device.

June’s ‘Most Exploited’ vulnerabilities:
In June we saw SQL Injections techniques keep leading the top exploits vulnerabilities list with a global impact of 52%. OpenSSL TLS DTLS Heartbeat Information Disclosure ranked second impacting 43% of organization globally, closely followed by CVE-2015-8562 with a global impact of 41% of organizations worldwide.

1.       SQL Injection (several techniques)- Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application's software.

2.    ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

3.       Joomla Object Injection Remote Command Execution (CVE-2015-8562)- A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

* The complete list of the top 10 malware families in June can be found on the Check Point Blog: https://blog.checkpoint.com/2019/07/09/june-2019s-most-wanted-malware-emotet-crypto-malware-mining-xmrig/

Check Point’s Threat Prevention Resources are available at: http://www.checkpoint.com/threat-prevention-resources/index.html

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch

About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally.  Check Point’s solutions protect customers from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and advanced targeted threats. Check Point offers a multilevel security architecture, “Infinity Total Protection with Gen V advanced threat prevention”, this combined product architecture defends an enterprises’ cloud, network and mobile devices. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.

Kip E. Meintzer Emilie Beneitez Lefebvre 
Check Point Software Technologies Check Point Software Technologies
+1.650.628.2040+44 7785 38302