April 2019’s Most Wanted Malware: Cyber Criminals Up to Old ‘Trickbots’ Again

Multi-purpose banking trojans such as Trickbot have been a popular choice for cyber criminals looking for financial gain. Trickbot campaigns increased sharply with several American Tax Day-themed spam campaigns timed to coincide with the April 15th deadline for individual income tax returns in the U.S. The spam campaigns spread Excel file attachments that downloaded Trickbot to victims’ computers to spread across networks, collect banking details, and possibly steal tax documents for fraudulent use.

While April’s three most common malware variants were crypto miners, the remaining seven of the top ten were multi-purpose trojans. This highlights the shift in tactics used by criminals to maximise their financial returns from campaigns, following the closure of several popular crypto mining services and the decline in crypto currency values over the past year.

Maya Horowitz, Threat Intelligence and Research Director at Check Point commented : “This month both Trickbot and Emotet made it to the top 10 malware list. This is especially worrisome, given the fact that both botnets are nowadays used not only to steal private data and credentials, but also to spread the Ryuk ransomware. Ryuk is notorious for targeting assets such as databases and backup servers, demanding a ransom of up to over a million dollars. As these malware constantly morph, it is crucial to have a robust line of defense against them with advanced threat prevention.”

April 2019’s Top 3 ‘Most Wanted’ Malware :

The arrows relate to the change in rank compared to the previous month :

1. ↑ Cryptoloot – Crypto-Miner that uses the victim’s CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing new currency. Originally a competitor to Coinhive, trying to pull the rug under it by asking a smaller percentage of revenue from websites.
2. ↑ XMRig– Open-source CPU mining software used to mine the Monero cryptocurrency, and first seen in-the-wild on May 2017.
3. ↑ Jsecoin – JavaScript miner that can be embedded in websites. With JSEcoin, you can run the miner directly in your browser in exchange for an ad-free experience, in-game currency and other incentives.

This month Triada is the most prevalent Mobile malware, replacing Hiddad at first place in the top mobile malware list. Lootor remains in second place, and Hiddad falls to third.

April’s Top 3 ‘Most Wanted’ Mobile Malware :

1. Triada – Modular Backdoor for Android which grants super user privileges to downloaded malware, that helps it to embed into system processes. Triada has also been seen spoofing URLs loaded in browsers.
2. Lotoor– Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
3. Hiddad- Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

Check Point’s researchers also analyzed the most exploited cyber vulnerabilities. OpenSSL TLS DTLS Heartbeat Information Disclosure exploits is the most popular exploited vulnerability with a global impact of 44% of organization worldwide. For the first time after 12 months CVE-2017-7269 dropped from first place to the second, impacting 40% of organizations, followed by CVE-2017-5638 with a global impact of 38% of organizations around the world.

April’s Top 3 ‘Most Exploited’ vulnerabilities :

1. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
2. ↓ Microsoft IIS WebDAV ScStoragePathFromUrl Buffer Overflow (CVE-2017-7269) – By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause a denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulted by improper validation of a long header in HTTP request.
3. ↑ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in the Apache Struts2 using Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.

Check Point’s Global Threat Impact Index and its Threat Cloud Map is powered by Check Point’s Threat Cloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The Threat Cloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

The complete list of the top 10 malware families in April can be found on the Check Point Blog