Sharp increase in attacks from a new version of Agent Tesla; the Dridex banking trojan was the most common threat.

For the month of April, researchers saw several COVID-19 related spam campaigns distributing a new variant of the Agent Tesla remote access trojan, impacting 3% of organizations worldwide.

The new variant of Agent Tesla has been modified to steal Wi-Fi passwords from target PCs, in addition to other information such as Outlook email credentials.

In that month, Agent Tesla was distributed as an attachment in several malicious COVID-19 related spam campaigns, which attempted to lure the victim into downloading malicious files under the cover of providing interesting information about the pandemic. One of these campaigns claimed to be sent by the World Health Organisation with the subject ‘Urgent Information Letter: First Human Covid-19 Vaccine Test/Result Update.’ This highlights how attackers exploit global news events and public concerns to increase their attack success rates.

Also in the limelight on Check Point’s Global Threat Index for April was the well-known banking trojan Dridex, which entered the top 10 for the first time in March and had an even greater impact in April. It moved up to 1st place in the index from 3rd last month, impacting 4% of organizations worldwide. XMRig, March’s most prevalent malware, dropped to second place.

Said Maya Horowitz, Director, Threat Intelligence & Research, Products, Check Point: “The Agent Tesla malspam campaigns we saw in April underline just how agile cybercriminals can be when it comes to exploiting news events and tricking unsuspecting victims to click on an infected link. With both Agent Tesla and Dridex in the top three of the threat index, criminals are focusing on stealing users’ personal and business data and credentials so that they can monetize them. So it’s essential that organizations take a proactive and dynamic approach to user education, keeping their staff informed of the latest tools and techniques, particularly as more staff are now working from home.”

The research team also warns that “MVPower DVR Remote Code Execution” remains the most commonly exploited vulnerability: its impact increased to cover 46% of organizations globally. It was closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%, and then by “Command Injection Over HTTP Payload”, impacting 40% of organizations worldwide.

Top malware families

For April 2020, Dridex rises to 1st place, impacting 4% of organizations globally, followed by XMRig and Agent Tesla impacting 4% and 3% of organizations worldwide respectively.

  1. Dridex: This is a Trojan that targets the Windows platform and it is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
  2. XMRig: This is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
  3. Agent Tesla: This is an advanced RAT functioning as a keylogger and information stealer. It is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

Top exploited vulnerabilities

In April, “MVPower DVR Remote Code Execution” was the most commonly exploited vulnerability, impacting 46% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%. In 3rd place, the “Command Injection Over HTTP Payload” vulnerability impacted 40% of organizations worldwide, mostly seen in attacks exploiting a zero-day vulnerability in “DrayTek” routers and switch devices (CVE-2020-8515).

  1. MVPower DVR Remote Code Execution: A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346): An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  3. Command Injection Over HTTP Payload: A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
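The “error when handling TLS/DTLS heartbeat packets” behind the OpenSSL entry (CVE-2014-0160) is a missing length check: the 16-bit payload_length field was trusted without comparing it to the bytes actually received. The following is an added example, not Check Point’s code, showing that comparison applied to a TLS record from the defender’s side, so a sensor or log parser can flag heartbeat requests whose declared payload cannot fit in the record; the two sample records are constructed inline, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24           # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16          # padding RFC 6520 requires after the payload


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and report whether the heartbeat inside it is
    consistent with the bytes actually received.

    Vulnerable OpenSSL copied payload_length bytes out of memory without
    confirming the record was that long; the patched build rejects the
    message when 1 + 2 + payload_length + 16 exceeds the record length.
    A detector that applies the same comparison flags the probes.
    """
    if len(record) < 5:
        return {"verdict": "truncated"}
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat", "content_type": ctype}
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return {"verdict": "truncated"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return {"verdict": "malformed", "hb_type": hb_type}
    if 1 + 2 + payload_len + HB_MIN_PADDING > rec_len:
        # Declared payload larger than the record can hold: the Heartbleed shape.
        return {"verdict": "heartbleed-probe", "declared": payload_len,
                "available": max(rec_len - 3 - HB_MIN_PADDING, 0)}
    return {"verdict": "ok", "declared": payload_len}


# Constructed samples (not captured traffic): a well-formed request and one
# whose length field claims 16384 bytes while the record carries only 4.
BENIGN_RECORD = (b"\x18\x03\x02\x00\x17"            # heartbeat, TLS 1.1, length 23
                 + b"\x01\x00\x04" + b"ping" + b"\x00" * 16)
PROBE_RECORD = (b"\x18\x03\x02\x00\x17"
                + b"\x01\x40\x00" + b"ping" + b"\x00" * 16)

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN_RECORD), ("probe", PROBE_RECORD)):
        print(name, check_heartbeat_record(rec))
```

The same check, run over a decrypted session log or a packet capture, gives the signature that IPS products use for this entry; a benign heartbeat always satisfies the inequality.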

Top malware families (Mobile)

This month xHelper is still holding 1st place as the most prevalent mobile malware, followed by Lotoor and AndroidBauts.

  1. xHelper: A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and reinstalls itself if it is uninstalled.
  2. Lotoor: This is a hacking tool that exploits vulnerabilities on the Android operating system to gain root privileges on compromised mobile devices.
  3. AndroidBauts: AndroidBauts is adware that targets Android users. It exfiltrates the IMEI, IMSI, GPS location and other device information, and allows the installation of third-party apps and shortcuts on mobile devices.

The complete list of the top 10 malware families in April can be found on the Check Point Blog.