New info-stealing malware variant arises

An updated version of Valak malware has entered Checkpoint Research’s Global Threat Index for the first time, ranking as the 9^th most prevalent malware in September 2020.

First observed in late 2019, Valak is a sophisticated threat which was previously classified as a malware loader. In recent months, new variants were discovered with significant functional changes which enable Valak to operate as an information-stealer capable of targeting both individuals and enterprises. This new version of Valak is able to steal sensitive information from Microsoft Exchange mail systems, as well as users’ credentials and domain certificates. During September, Valak was spread widely by malspam campaigns containing malicious .doc files.

The Emotet trojan remains in 1^st place in the Index for the third month in succession, impacting 14% of organizations globally. The Qbot trojan, which entered the listing for the first time in August, was also widely used in September, rising from 10th to 6th in the index.

“These new campaigns spreading Valak are another example of how threat actors look to maximize their investments in established, proven forms of malware. Together with the updated versions of Qbot which emerged in August, Valak is intended to enable data and credentials theft at scale from organizations and individuals. Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users, and advise their employees to be cautious when opening emails, even when they appear to be from a trusted source,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

The research team also warns that “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organizations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” had a global impact of 36%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Emotet remains the most popular malware with a global impact of 14% of organizations, followed by Trickbot and Dridex impacting 4% and 3% or organizations worldwide respectively.

1. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
2. ↑ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
3. ↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.

Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organizations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organizations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” is in third place, with a global impact of 36%.

1. ↑MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
2. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

Top mobile malware families

This month xHelper is the most popular mobile malware, followed by Xafecopy and Hiddad.

1. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application can hide itself from the user, and reinstall itself in case it was uninstalled.
2. Xafekopy – Xafecopy Trojan is disguised as useful apps like Battery Master. The Trojan secretly loads malicious code onto the device. Once the app is activated, the Xafecopy malware clicks on web pages with Wireless Application Protocol (WAP) billing – a form of mobile payment that charges costs directly to the user’s mobile phone bill.
3. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.