Major shifts in rankings occurred for both desktop and mobile malware last month, reflecting the hacker frenzy to victimizing remote-workers.

Several malicious spam campaigns distributing the Ursnif banking trojan were making waves in May this year, causing it to jump up 19 places to fifth spot in Check Point’s Top Malware list and doubling its impact on organizations worldwide.

The Ursnif banking trojan targets Windows PCs and steals vital financial information, email credentials and other sensitive data. The malware is delivered in malicious spam campaigns via Word or Excel attachments.

The new wave of Ursnif trojan attacks—which saw it enter the Top Malware index’s top 10 for the first time—coincides with reports about the demise of one of its popular variants, Dreambot. Dreambot was first spotted in 2014 and it is based on Ursnif’s leaked source code. As reported since March 2020, Dreambot’s backend server has gone down, and no new Dreambot samples have been seen in the wild.

Meanwhile, the well-known banking trojan Dridex, which entered the malware top 10 for the first time in March, continued to have a significant impact throughout May, remaining in first place for the second month running. The most prevalent mobile malware families also completely changed in May, with Android malware that generates fraudulent revenue from clicking on mobile adverts dominating the mobile index. This shows that criminals are trying to monetize attacks against mobile devices.

Said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point: “While COVID-19-related attacks have fallen, we have seen a 16% increase in overall cyberattacks in May compared to March and April, so organizations must remain vigilant by using certain tools and techniques, especially with the mass shift to remote-working, which attackers are taking advantage of.”

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Dridex remains in 1st place, impacting 4% of organizations globally, followed by Agent Tesla and XMRig, both impacting 3% of organizations worldwide.

  1. ↔ Dridex 
    Dridex is a Trojan that targets the Windows platform and it is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
  2. ↑ Agent Tesla 
    Agent Tesla is an advanced remote access trojan functioning as a keylogger and information stealer that is capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
  3. ↓ XMRig
    XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and it was first seen in the wild in May 2017.

Top exploited vulnerabilities

This month MVPower DVR Remote Code Execution” still holds first place as the most commonly-exploited vulnerability, impacting 45% of organizations globally. The second most popular exploited vulnerability is “OpenSSL TLS DTLS Heartbeat Information Disclosure”, closely followed by “Web Server Exposed Git Repository Information Disclosure” impacting 40% and 39% of organizations respectively.

Top malware families – Mobile

This month, the top three malware families completely changed, with PreAmo in 1st place as the most prevalent Mobile malware, followed by Necro and Hiddad.

  1. PreAmo is an Android Malware that creates clicks (on the user’s behalf) on banners retrieved from three ad agencies: Presage, Admob, and Mopub.
  2. Necro  is an Android Trojan Dropper. It can download other malware, show intrusive ads and steal money by charging paid subscriptions.
  3. Hiddad is an Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.

The complete list of the top 10 malware families in May can be found on the Check Point Blog.