Check Point’s researchers reported that the notorious Emotet botnet has been reactivated and is spreading active campaigns again after a 3month silence.

Check Point Research, the threat intelligence arm of Check Point Software Technologies, has published its latest Global Threat Index for September 2019.  

The Research team is warning organizations that the Emotet botnet has started spreading several new spam campaigns once again, after a three-month break. Researchers first reported the notorious botnet taking a break in June 2019, and that the offensive infrastructure had become active again in August.  

Some of the Emotet spam campaigns featured emails which contained a link to download a malicious Word file, and some contained the malicious document itself. When opening the file, it lures the victims to enable the document’s macros, which then installs the Emotet malware on the victim’s computer. Emotet was the 5th most prevalent malware globally in September.

“It’s not clear why the Emotet botnet was dormant for 3 months, but we can assume that the developers behind it were updating its features and capabilities. It’s essential that organisations warn employees about the risks of phishing emails, and of opening email attachments or clicking on links that do not come from a trusted source or contact. They should also deploy latest generation anti-malware solutions that can automatically extract suspicious content from emails before it reaches end-users,” said Maya Horowitz, Director, Threat Intelligence & Research at Check Point.  

September 2019’s top 3 ‘most wanted’ malware:

*The arrows relate to the change in rank compared to the previous month.

  • ↑ JsecoinJsecoin is JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.
  • ↓ XMRigXMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.
  • ↑ Agentesla- AgentTesla is an advanced RAT functioning as a keylogger and a password stealer. AgentTesla is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).

September’s top 3 ‘most wanted’ mobile malware:

Lotoor is the most prevalent mobile malware, followed by AndroidBauts and Hiddad.

  • Lotoor – a hacking tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
  • AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
  • Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

September’s ‘most exploited’ vulnerabilities:

This September, the MVPower DVR Remote Code Execution vulnerability leads the top exploited vulnerabilities list with a global impact of 37%. The Linux System Files Information Disclosure vulnerability is second, closely followed by the Web Server Exposed Git Repository Information Disclosure, with both impacting 35% of organisations around the world.

  • MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  • Linux System Files Information Disclosure – Linux operating system contains system files with sensitive information. If not properly configured, remote attackers can view the information on such files.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.