Christmas-themed and Greta Thunberg-linked spam were used to spread Emotet.

The latest Global Threat Index for December 2019 by Check Point Research has just reported that Emotet was the leading malware threat for the third month running, and was being disseminated using a range of spam email campaigns including ‘Support Greta Thunberg – Time Person of the Year 2019’ and ‘Christmas Party!’

The emails in both campaigns contained a malicious Microsoft Word document which, if opened by the recipient, attempts to download Emotet onto their computer. Emotet is primarily used as a distributor of ransomware or other malicious campaigns.

December also saw a significant increase in attempts to exploit the ‘Command Injection Over HTTP’ vulnerability, with 33% of organizations globally being targeted. This vulnerability rose from being the fifth most exploited in November to the top position last month. If successfully exploited, the payload was a DDoS botnet:  the malicious file used in the attack also contained a number of links to payloads exploiting vulnerabilities in several IoT devices from manufacturers including D-Link, Huawei and RealTek, with the aim of recruiting these devices into botnets.

Said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point: “Over the past three months, the threats impacting most organizations have been versatile, multi-purpose malware like Emotet and xHelper. These give cyber-criminals multiple options for monetizing attacks, as they can be used for distributing ransomware or spreading further spam campaigns. The aim for criminals is to get a foothold in as many organizations and devices as possible, so that subsequent attacks can be more lucrative and damaging.  So, it’s critical that organizations educate their employees about the risks of opening email attachments, downloading resources or clicking on links that do not come from a trusted source or contact.”

December 2019’s Top 3 ‘Most Wanted’ Malware:

Emotet impacted 13% of organizations globally in December, up from 9% in November. XMRig and Trickbot each impacted 7% of organizations.

1.  Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was formerly a banking Trojan, and recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.

2.   XMRig –  XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.

3.    Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.

December’s Top 3 ‘Most Wanted’ Mobile Malware:

xHelper and Guerrilla continue to hold the top two positions of the mobile malware index.

  1. xHelper – A malicious Android application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and mobile anti-virus programs, and reinstalls itself if the user uninstalls it.
  2. Guerrilla – An Android Trojan found embedded in multiple legitimate apps which is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.
  3. Hiddad – Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also access key security details built into the OS. 

December’s ‘Most Exploited’ vulnerabilities:

The ‘Command Injection Over HTTP’ was the most common exploited vulnerability, impacting 33% of organizations globally. In second place, the MVPower DVR Remote Code Execution vulnerability impacted 32% of organizations, and the Web Server Exposed Git Repository Information Disclosure impacted 29%.

1.     Command Injection Over HTTP – A command Injection over HTTP vulnerability can be exploited by a remote attacker by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.

2.     MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

3.      Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.