An updated Dridex has spread via multiple spam campaigns to deliver targeted ransomware, increasing the risk from the long-established trojan.

The Global Threat Index for March 2020 has listed for the first time, the well-known banking trojan named Dridex.

Making its debut in 2011, Dridex has since been updated and is now being used in the early attack stages for downloading targeted ransomware, such as BitPaymer and DoppelPaymer.

The sharp increase in the use of Dridex was driven by several spam campaigns containing a malicious Excel file which downloads Dridex malware into the victims’ computer. This upsurge in Dridex malware highlights just how quickly cyber-criminals change the themes of their attacks to try and maximize infection rates.

Dridex is a sophisticated strain of banking malware that targets the Windows platform, delivering spam campaigns to infect computers and steal banking credentials and other personal information to facilitate fraudulent money transfer. The malware has been systematically updated and developed over the past decade.

Other malware in the top 10 list include XMRig which remains in 1st place in the Index of top malware families, impacting 5% of organizations globally, followed by Jsecoin and Dridex which impacted 4% and 3% of organizations worldwide respectively.

Said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point, which publishes the global threat index: “Dridex appearing for the first time as one of the top malware families shows how quickly cybercriminals can change their methods. This kind of malware can be very lucrative for criminals given its sophistication, and is now being used as a ransomware downloader, which makes it even more dangerous than previous variants.”

Individuals need to be wary of emails with attachments, even if they appear to originate from a trusted source—especially with the explosion in home working over the past few weeks. “Organizations need to educate employees on how to identify malicious spam, and deploy security measures that help protect their teams and networks against such threats,”  Horowitz added.

His research team also warns that “MVPower DVR Remote Code Execution” remained the most commonly exploited vulnerability, impacting 30% of organizations globally, closely followed by “PHP php-cgi Query String Parameter Code Execution” with a global impact of 29%, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” impacting 27% of organizations worldwide.

Top malware families

1. XMRig—XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in the wild on May 2017.
   
2. Jsecoin—Jsecoin is a web-based cryptominer, designed to perform online mining of Monero cryptocurrency when a user visits a particular web page. The implanted JavaScript uses a large amount of the end user’s computational resources to mine coins, thus impacting the system performance.
   
3. Dridex—Dridex is a banking trojan that targets the Windows platform, and is delivered by spam campaigns and exploit kits, which rely on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system and can also download and execute additional modules for remote control.

Top exploited vulnerabilities

1. MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
   
2. PHP php-cgi Query String Parameter Code Execution – A remote code execution vulnerability that has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation allows an attacker to execute arbitrary code on the target.
   
3. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

Top malware families—Mobile

For March 2020 xHelper retained the first place in the most prevalent mobile malware, followed by AndroidBauts and Lotoor.

1. xHelper—A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application can hide itself from the user and reinstall itself in case if uninstalled.
   
2. AndroidBauts—Adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
   
3. Lotoor—A hacking tool that exploits vulnerabilities on Android operating systems to gain root privileges on compromised mobile devices.