February 2020’s Most Wanted Malware : Increase in Exploits Spreading the Mirai Botnet to IoT Devices

• Check Point Research also reports that Emotet has been spreading via new SMS phishing Campaign

Check Point Research, the Threat Intelligence arm of Check Point Software Technologies Ltd., a leading provider of cyber security solutions globally, has published its latest Global Threat Index for February 2020.

February saw a large increase in exploits targeting a vulnerability to spread the Mirai botnet, which is notorious for infecting IoT devices and conducting massive DDoS attacks. The vulnerability, known as the “PHP php-cgi Query String Parameter Code Execution” exploit, ranked 6th in the top exploited vulnerabilities and impacted 20% of organizations worldwide, compared to just 2% in January 2020.

The research team is also warning organizations that Emotet, the second most popular malware this month and the most widespread botnet operating currently, has been spreading using two new vectors during February.  The first vector was an SMS Phishing (smishing) campaign targeting users in the U.S. : the SMS impersonates messages from popular banks, luring victims to click a malicious link which downloads Emotet to their device. The second vector is Emotet detecting and leveraging nearby Wi-Fi networks to spread via brute force attacks using a range of commonly-used Wi-Fi passwords.  Emotet is primarily used as a distributor of ransomware or other malicious campaigns.

Emotet impacted 7% of organizations globally in February, down from 13% in January, when it was being spread via spam campaigns including Coronavirus-themed campaigns.  This highlights how quickly cyber-criminals change the themes of their attacks to try and maximise infection rates.


“As we saw in January, the most impactful threats and exploits during February were versatile malware such as XMRig and Emotet.  Criminals seem to be aiming to build the largest possible networks of infected devices, which they can then exploit and monetize in a range of different ways, from ransomware delivery to launching DDoS attacks,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “As the main infection vectors are emails and SMS messages, organizations should ensure their employees are educated about how to identify different types of malicious spam, and deploy security that actively prevents these threats from infecting their networks.”


Top malware families

This month, XMRig moved up to first place, impacting 7% of organizations globally, followed by Emotet and Jsecoin impacting 6% and 5% of organizations worldwide respectively.

  1. ↑ XMRig – XMRig is an open-source CPU mining software used for mining the Monero cryptocurrency, and was first seen in-the-wild on May 2017.
  2. ↓ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be primarily a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence, and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  3. ↑Jsecoin – Jsecoin is a web-based crypto-miner designed to perform online mining of Monero cryptocurrency when a user visits a particular web page. The implanted JavaScript uses a large amount of the end user machines¿ computational resources to mine coins, thus impacting the system performance.

Top exploited vulnerabilities

This month, the “MVPower DVR Remote Code Execution” remained the most common exploited vulnerability, impacting 31% of organizations globally, closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 28%.  In the 3rd place “PHP DIESCAN information disclosure” vulnerability impacting 27% of organizations worldwide.

  1. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  3.  PHP DIESCAN information disclosure- An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.

Top malware families- Mobile

This month xHelper retained the 1st place in the most prevalent mobile malware, followed by Hiddad and Guerrilla.

  1.  xHelper- A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstall itself in case it was uninstalled.
  2.  Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  3.  Guerrilla– Guerrilla is an Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.