November’s Top 3 ‘Most Wanted’ malware

Emotet has maintained its position at the top of the malware list with a global impact of 9%. XMRig was the second most popular malware impacting 7% of organizations worldwide, followed by Trickbot, impacting 6% of organizations globally. See the list below, with the double-headed arrows The arrows relate to the change in rank compared to the previous month.

  1. Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was formerly a banking Trojan, and recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency which was first seen in-the-wild on May 2017.
  3. Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.

November’s Top 3 ‘Most Wanted’ Mobile Malware:

This month xHelper – a new entry to our top malware list – was the most prevalent mobile malware, followed by Guerilla and Lotoor.

      1. xHelper – A malicious Android application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and mobile anti-virus programs, and reinstalls itself if the user uninstalls it.

      2. Guerrilla – An Android Trojan found embedded in multiple legitimate apps which is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.

      3. Lotoor – A hack tool that exploits vulnerabilities on the Android operating system in order to gain root privileges on compromised mobile devices.

  1. SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software
  2. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server
  3. MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request

The Global Threat Impact Index and its ThreatCloud Map is powered by the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, 11 million malware signatures, and over 5.5 million infected websites. It identifies millions of malware types daily.  The complete list of the top 10 malware families in November can be found on the Check Point Blog.