Another exciting month of malware and vulnerability limelight shifts for your undivided reference…
For August 2020, which malware and vulnerabilities had the greatest impact?
The answers are: the Qbot trojan (also known as Qakbot and Pinkslipbot), which has entered Check Point’s the top 10 most popular malware index for the first time; the Emotet trojan, which remains in first place for a second month, and the Web Server Exposed Git Repository Information Disclosure.
First seen in 2008, Qbot has been continually-developed and now uses sophisticated credentials-theft and ransomware installation techniques, making it the malware equivalent of a Swiss Army knife, according to researchers.
Qbot now also has a dangerous new feature: a specialized email collector module that extracts email threads from victims’ Outlook client and uploads them to an external remote server. This enables Qbot to hijack legitimate email conversations from infected users, and then spam itself out using those hijacked emails to increase its chances of tricking other users into getting infected. Qbot can also enable unauthorized banking transactions, by allowing its controller to connect to the victims’ computer.
Several campaigns using Qbot’s new strain were observed between March and August 2020, which included Qbot being distributed by the Emotet trojan. This campaign impacted 5% of organizations globally in July 2020.
Said Maya Horowitz, Director, Threat Intelligence & Research, Products, Check Point: “Threat actors are always looking at ways to update existing, proven forms of malware and they have clearly been investing heavily in Qbot’s development to enable data theft on a massive scale from organizations and individuals. We have seen active malspam campaigns distributing Qbot directly, as well as the use of third-party infection infrastructures like Emotet to spread the threat even further. Businesses should prevent such content reaching end-users and advise employees to be cautious when opening emails, even when they appear to be from a trusted source.”
Top malware families
For August 2020, Emotet remains the most popular malware with a global impact of 14% of organizations, closely followed by Agent Tesla and Formbook affecting 3% of organizations each.
- Emotet is an advanced, self-propagating and modular Trojan. Originally a banking Trojan, it has evolved to widespread use as a distributor of other malware or malicious campaigns via multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
- Agent Tesla is an advanced remote access trojan functioning as a keylogger and information stealer, capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
- Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its command and control orders.
Top exploited vulnerabilities
Last month the Web Server Exposed Git Repository Information Disclosure was the most common exploited vulnerability, impacting 47% of organizations globally “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is in third place, with a global impact of 37%.
- Web Server Exposed Git Repository Information Disclosure: An information disclosure vulnerability that has been reported in the Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
- MVPower DVR Remote Code Execution (43%): A remote code execution vulnerability that exists in MVPower DVR devices.
- Dasan GPON Router Authentication Bypass (37%): An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system. (CVE-2018-10561)
Top mobile malware families
xHelper was the most popular mobile malware of the month.
- xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application can hide itself from the user, and reinstall itself in case it was uninstalled.
- Necro is an Android Trojan Dropper. It can download other malware, showing intrusive ads and stealing money by charging paid subscriptions.
- Hiddad is an Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.