

April 2020

Source: Checkpoint

Top malware families
*The arrows relate to the change in rank compared to the previous month.

This month Dridex rises to 1st place, impacting 4% of organizations globally, followed by XMRig and Agent Tesla impacting 4% and 3% of organizations worldwide respectively.

↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
↓ XMRig – XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in the wild in May 2017.
↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
↓ Jsecoin – Jsecoin is a web-based crypto miner designed to perform online mining of Monero cryptocurrency when a user visits a particular webpage. The implanted JavaScript uses a large amount of the end user machine’s computational resources to mine coins, thus impacting system performance.
↓ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.
↑ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
↑ XHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user, and reinstalls itself when it is uninstalled.
↓ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan, and has recently been used as a distributor for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malware.
↓ RigEK – RigEK delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript which checks for vulnerable plug-ins and delivers the exploit.
Top exploited vulnerabilities
This month “MVPower DVR Remote Code Execution” was the most common exploited vulnerability, impacting 46% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%. In 3rd place the “Command Injection Over HTTP Payload” vulnerability impacted 40% of organizations worldwide, mostly seen in attacks exploiting a zero-day vulnerability in “DrayTek” routers and switch devices (CVE-2020-8515).

MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
↑ Command Injection Over HTTP Payload – A command injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
↑ SQL Injection (several techniques) – Inserting SQL query fragments into the input sent from the client to the application, exploiting a security vulnerability in the application’s software.
↑ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in the PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass – An authentication bypass vulnerability exists in the WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
↓ D-Link DSL-2750B Remote Command Execution – A remote code execution vulnerability has been reported in D-Link DSL-2750B routers. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
↑ OpenSSL Padding Oracle Information Disclosure – An information disclosure vulnerability exists in the AES-NI implementation of OpenSSL. The vulnerability is due to memory allocation miscalculation during a certain padding check. A remote attacker can exploit this vulnerability to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session.
↑ Joomla Object Injection Remote Command Execution – A remote command execution vulnerability has been reported in Joomla platforms. The vulnerability is due to lack of validation over input objects that can lead to remote code execution. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
Top malware families - Mobile
This month xHelper is still holding 1st place as the most prevalent mobile malware, followed by Lotoor and AndroidBauts.

xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user, and reinstalls itself if it is uninstalled.
Lotoor – Lotoor is a hacking tool which exploits vulnerabilities on the Android operating system to gain root privileges on compromised mobile devices.
AndroidBauts – AndroidBauts is an Adware that targets Android users. It exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.