Echobot botnet launched large-scale attacks on IoT devices

Check Point experts have published their Global Threat Index report on the most active threats in August 2019. Analysts highlight the activity of the Echobot botnet, which launched large-scale attacks on IoT devices, as well as the “return to life” of the Emotet botnet.

In the report, the research team warns of a new variation of the Mirai botnet, Echobot, which launched widespread attacks on smart devices. Echobot appeared in May 2019, and since then it has “learned” to exploit more than 50 different vulnerabilities.

The malware actively exploits remote command injection flaws (Command Injection Over HTTP). Echobot attacks have already affected 34% of organizations worldwide.

“Echobot is a new variation of the Mirai botnet. We note a sharp increase in its use: it currently targets more than 50 different vulnerabilities and has already managed to affect more than 34% of companies around the world. Therefore, it is important that organizations regularly update all their networks, software, and IoT devices. The AgentTesla malware, which was actively spread in the summer months, entered the top three global threats. Typically, phishing emails mimic those messages that are often sent during the holidays: information about booking and buying airline tickets, bills for them,” commented representatives of Check Point Software Technologies.

As the researchers had suggested, the infrastructure of another botnet, Emotet, was reactivated in August. A couple of months earlier, in June 2019, the number of malicious Emotet campaigns fell sharply. The Check Point team suggested at the time that the botnet infrastructure might have been taken offline for maintenance and upgrades.

Such a “break” for Emotet is by no means out of the ordinary. Botnets often pause their activity while the infrastructure is being updated or while their operators are resting. For example, the well-known Dridex botnet was switched off every year from mid-December to mid-January, during the winter holidays.

As a result, the ranking of the most active malware in August 2019 was as follows.

The most active malware in August 2019 in the world:

  • XMRig is open-source software, first discovered in May 2017, that is used to mine the Monero cryptocurrency.
  • Jsecoin is a JavaScript miner that can run directly in the browser in exchange for displaying ads, in-game currency and other incentives.
  • Dorkbot is an IRC-based worm designed for remote code execution by its operator, as well as for downloading additional malicious programs to an infected system.

The most active mobile threats in August 2019:

  • Lotoor is a program that uses vulnerabilities in the Android operating system to obtain privileged root access on hacked mobile devices.
  • AndroidBauts is adware that steals IMEI, IMSI, GPS data and other device information and allows third-party applications to be installed on infected mobile devices.
  • Triada is a modular backdoor that provides superuser privileges to downloaded malware and helps embed it into system processes. Triada has also been seen spoofing URLs loaded in a browser.
Polina Lisovskaya