Easter Phishing Scams Help Emotet Assert Its Dominance
Check Point Research (CPR) has released the Global Threat Index for March 2022. The security researchers report that Emotet continues its reign as the most popular malware, affecting 10 percent of companies worldwide, twice as many as in February.
Emotet is an advanced, self-propagating and modular Trojan that uses several methods to maintain persistence and evasion techniques to avoid detection. Since its return in November last year and the recent news that Trickbot has been shut down, Emotet has expanded its position as the most widespread malware. This was further strengthened this month, as many aggressive email campaigns spread the botnet, including various Easter-themed phishing scams that took advantage of the hustle and bustle of the festive season. These emails were sent to victims all over the world. One example carried the subject line “buona pasqua, happy easter” and a malicious XLS attachment containing Emotet.
This month, Agent Tesla, an advanced RAT (remote access Trojan) that acts as a keylogger and information stealer, is the second most common malware in the world, after being in fourth place last month. The rise of Agent Tesla is due to several new malspam campaigns that spread the RAT worldwide via malicious xlsx/pdf files. Some of these campaigns have used the Russia/Ukraine war to lure victims.
“Technology has evolved so much in recent years that cybercriminals are increasingly relying on human trust to break into a corporate network. By targeting your phishing emails on seasonal holidays such as Easter, you can take advantage of the hustle and bustle of the festive season and trick victims into downloading malicious attachments that contain malicious programs such as Emotet. In the run-up to the Easter weekend, we expect an increase in these scams and urge users to pay close attention, even if the email seems to come from a reputable source. Easter is not the only holiday, and cybercriminals will continue to use the same tactics to cause harm,” says Maya Horowitz, Director of Threat Intelligence and Research and Products at Check Point. “This month we also observed that Apache Log4j is again the most exploited vulnerability. Even after all the talk about this vulnerability at the end of last year, it is still causing damage months after the first discovery. Companies must immediately take measures to prevent attacks.”
CPR also revealed this month that education/research is still the most attacked industry worldwide, followed by government/military and Internet service providers/Managed Service Providers (ISP/MSP).
Top 3 Most Wanted Malware for Germany:
The arrows refer to the change in placement from the previous month.
Emotet is still in first place. IoT malware Mirai takes second place and Conti takes third place.
- ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. It was previously used as a banking Trojan, but currently serves as a distributor of other malicious programs or entire campaigns. It uses various methods to stay operational and employs evasion techniques to avoid detection. In addition, it can be spread through phishing emails that contain malicious attachments or links.
- ↑ Mirai – Mirai is a notorious Internet of Things (IoT) malware that tracks down vulnerable IoT devices such as web cameras, modems and routers and turns them into bots. The botnet is used by its operators to carry out massive DDoS (Distributed Denial of Service) attacks. The Mirai botnet first appeared in September 2016 and quickly made headlines with several large-scale attacks, including a massive DDoS attack that took the entire country of Liberia offline, and a DDoS attack against the Internet infrastructure company Dyn, which provides a significant part of the Internet infrastructure of the United States.
- ↑ Conti – Conti is a ransomware that is usually spread to random users through fake emails with an infected attachment. When the target user clicks on the link in one of these emails, the Conti ransomware triggers its encryption process and locks all the target files on the user’s computer, such as images, documents, audio files, etc.
The Top 3 Most Wanted Vulnerabilities:
This month, the most exploited vulnerability is Apache Log4j Remote Code Execution, which affects 33 percent of companies worldwide, followed by Web Server Exposed Git Repository Information Disclosure, which has fallen from first to second place, affecting 26 percent of companies worldwide. HTTP Headers Remote Code Execution still ranks third in the list of the most exploited vulnerabilities, with a global impact of 26 percent.
- ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – There is a vulnerability in Apache Log4j that allows an attacker to execute malicious code at will.
- ↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git repositories exposed by web servers. Successful exploitation of this vulnerability could allow the unintentional disclosure of account information.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers allow the client and the server to submit additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim machine.
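The second entry in the list, an exposed Git repository on a web server, is something a defender can spot in ordinary access logs: a visitor requesting paths under `/.git/` is probing for the repository, and a `2xx` response to such a request means the web root is actually serving repository metadata. The script below is an added example, not code from Check Point or from the original report; the log lines are constructed for the demonstration (RFC 5737 documentation addresses), and the `analyse` / `exposed_paths` function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the combined log format used by Apache/nginx.
# Not taken from the page: 203.0.113.7 and 198.51.100.4 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2022:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2022:10:01:13 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2022:10:01:14 +0000] "GET /.git/config HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2022:10:05:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "curl/7.79"
198.51.100.4 - - [12/Mar/2022:10:05:01 +0000] "GET /about HTTP/1.1" 200 2048 "-" "curl/7.79"
"""

# Fields of the combined log format that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ".git" path segment only exists where a working tree's metadata directory
# has been deployed under the web root.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text):
    """Group .git requests per source IP.

    'probed' holds every .git path a client asked for (reconnaissance),
    'served' holds the subset the server answered with 2xx (actual exposure).
    """
    findings = defaultdict(lambda: {"probed": [], "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.search(rec["path"]):
            continue
        entry = findings[rec["ip"]]
        entry["probed"].append(rec["path"])
        if 200 <= rec["status"] < 300:
            entry["served"].append(rec["path"])
    return dict(findings)


def exposed_paths(findings):
    """Sorted set of .git paths the server actually served; non-empty means the repo is exposed."""
    return sorted({p for f in findings.values() for p in f["served"]})


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, entry in result.items():
        print(f"{ip}: probed {len(entry['probed'])} .git path(s), served {len(entry['served'])}")
    exposed = exposed_paths(result)
    if exposed:
        print("EXPOSED repository metadata served from web root:", ", ".join(exposed))
    else:
        print("No .git content served; requests were probes only.")
```

A non-empty `exposed_paths` result is the finding to act on: remove the `.git` directory from the deployed web root (or deploy from a build artifact rather than a checkout) and add a web-server rule that denies access to any path containing `/.git`. Probes that only return 404 are still worth alerting on, since they show the host is being scanned for this exact weakness.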
The Top 3 Most Wanted Mobile Malware:
This month, the most common mobile malware is AlienBot, followed by xHelper and FluBot.
- ↑ AlienBot – The AlienBot malware family is a malware-as-a-service (MaaS) offering for Android devices that allows an attacker to inject malicious code into legitimate financial applications as a first step. The attacker gains access to the victims’ accounts and eventually takes complete control of their device.
- ↔ xHelper – A mobile malware that has been observed in the wild since March 2019 and is used to download other malicious apps and display advertisements. The application is able to hide from the user and can even reinstall itself after it has been uninstalled.
- ↑ FluBot – FluBot is an Android malware that is spread via phishing SMS messages (smishing), which usually impersonate logistics and delivery providers. As soon as the user clicks on the link in the message, they are redirected to the download of a fake application containing FluBot. After installation, the malware has various functions for collecting login data and supporting the smishing operation itself, including uploading contact lists and sending SMS messages to other phone numbers.
Top 3 of the attacked industries and areas in Germany:
- ↑ ISP/MSP.
- ↑ Government/Military.
- ↑ SI/VAR/Distributor.
Check Point’s Global Threat Impact Index and its ThreatCloud Map are based on Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat data collected by hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This database is enriched by AI-based engines and exclusive research data from Check Point Research, the Intelligence & Research department of Check Point Software Technologies.