Global Threat Index: Emotet botnet suspended its activities

Check Point Research team (a division of Check Point Software Technologies) published a Global Threat Index report with the most active threats in June 2019.

The researchers report that Emotet (currently the largest botnet) is not working yet – almost all June there were no new campaigns. During the first half of 2019, Emotet was ranked among the top five malware programs worldwide and spread through large-scale spam campaigns.

Check Point researchers believe that Emotet infrastructure may be disabled for maintenance and upgrades. It is possible that once its servers are restarted, Emotet will be reactivated with new enhanced threat capabilities.

«Emotet has been around as a banking Trojan since 2014. Since 2018 however we have seen it being used as a botnet in major malspam campaigns and used to distribute other malwares. Even though its infrastructure has been inactive for much of June 2019, it was still #5 in our global malware index, which shows just how much it is being used — and it’s likely that it will re-emerge with new features”, — says Maya Horowitz, director threat intelligence and research at Check Point.

As soon as Emotet gets on the victim’s computer, the botnet can use the device to further spread spam campaigns, download other malicious programs (for example, Trickbot, which in turn infects the entire hosting network using the infamous ransomware program Ryuk), and spread to other resources on the network.

The most active malwares in June 2019 were:

• XMRig – Open source software, first discovered in May 2017. Used for mining Monero cryptocurrency;
• Jsecoin is a JavaScript miner who can mine directly in the browser in exchange for advertising, in-game currency and other treasures;
• Cryptoloot is a crypto liner that uses CPU or GPU power and existing resources for crypto mining – adding transactions to the blockchain and releasing a new currency. It is Coinhive competitor.

In June 2019’s, Lotoor continues to lead the ranking of mobile malware. It is followed by Triada and Ztorg – a new highscore malware.

• Lotoor is a program that uses vulnerabilities in the Android operating system to gain privileged root access on hacked mobile devices.
• Triada is a modular backdoor for Android, which provides superuser privileges for downloaded malware, and helps embed it in system processes. Triada has also been spotted for spoofing URLs uploaded to the browser.
• Ztorg – Trojans of the Ztorg family achieve extended privileges on Android devices and install themselves into the system catalog. The malware can also install any other application on the device.

The most common vulnerabilities in June 2019:

In June, researchers noted the leading position of SQL injection methods in the threat rating (52% of organizations around the world). Vulnerability in OpenSSL TLS DTLS Heartbeat and CVE-2015-8562 ranked second and third respectively, affecting 43% and 41% of organizations worldwide.