In resurfacing after a short hiatus, the trojan now issues a fake dialog box to allay user suspicions of its actions.

In the final month of 2020, the Emotet trojan has returned to first place in the Check Point Top Malware list, impacting 7% of organizations globally, following a spam campaign that targeted over 100,000 users per day during the holiday season.

In September and October 2020, Emotet was consistently at the top of the index, and was linked to a wave of ransomware attacks. But in November it was much less prevalent, dropping to fifth place in the index. 

In resurfacing in December, the trojan has been updated with new malicious payloads and improved detection evasion capabilities: the latest version creates a dialog box that helps it evade detection.

Emotet’s new malicious spam campaign uses different delivery techniques to proliferate, including embedded links, document attachments, or password-protected Zip files. The US Department of Homeland Security has estimated that each incident involving Emotet costs organizations upwards of US$1 m dollars to rectify.

Said Maya Horowitz, Director, Threat Intelligence & Research, Products, Check Point: “Emotet was originally developed as banking malware which sneaked into users’ computers to steal private and sensitive information. However, it has evolved over time and is now seen as one of the most costly and destructive malware variants. It is imperative that organizations have robust security systems in place to prevent a significant breach of their data. They should also provide comprehensive training for employees, so they are able to identify the types of malicious emails which spread Emotet.”

What is on the Dec list

As in the past, the research team warned of the longstanding “MVPower DVR Remote Code Execution” as the most common exploited vulnerability, impacting 42% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impact 42% of organizations worldwide.

Top malware families

  1. Emotet 
  2. Trickbot  a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. It is a flexible and customizable malware that can be distributed as part of multi-purposed campaigns.
  3. Formbook – an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders. 

Top exploited vulnerabilities

  1. MVPower DVR Remote Code Execution – 42%
    This vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2. HTTP Headers Remote Code Execution (CVE-2020-13756) – 42%
    This exploit lets the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
  3. Web Server Exposed Git Repository Information Disclosure – 41%
    This vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.

Top mobile malware

  1. Hiddad – an Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  2. xHelper – a malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstall itself in case it was uninstalled.
  3. Triada – a modular backdoor for Android that grants Super User privileges to downloaded malware.