
August 2020’s Most Wanted Malware

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Emotet remains the most popular malware with a global impact of 14% of organizations, closely followed by Agent Tesla and Formbook affecting 3% of organizations each.

↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
Top exploited vulnerabilities

This month “Web Server Exposed Git Repository Information Disclosure” is the most common exploited vulnerability, impacting 47% of organizations globally, followed by “MVPower DVR Remote Code Execution” which impacted 43% of organizations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is in third place, with a global impact of 37%.

↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability that has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
↓ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
Top mobile malware families

This month xHelper is the most popular mobile malware, followed by Necro and Hiddad.

xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application can hide itself from the user and reinstall itself if it is uninstalled.
Necro – Necro is an Android Trojan dropper. It can download other malware, show intrusive ads and steal money by charging paid subscriptions.
Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.


July 2020’s Most Wanted Malware

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Emotet is the most popular malware with a global impact of 5% of organizations, closely followed by Dridex and Agent Tesla affecting 4% of organizations each.

↑ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
↓ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 44% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” which impacts 42% of organizations worldwide. “Command Injection Over HTTP Payload” is in third place, with a global impact of 38%.

↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability that exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
↑ Command Injection Over HTTP Payload – A command injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
Top mobile malware families

This month xHelper is the most popular malware, followed by Necro and PreAMo.

xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application can hide itself from the user and reinstall itself if it is uninstalled.
Necro – Necro is an Android Trojan dropper. It can download other malware, show intrusive ads and steal money by charging paid subscriptions.
PreAMo – PreAMo is Android malware that imitates the user by clicking on banners retrieved from three ad agencies: Presage, Admob and Mopub.


June 2020’s Most Wanted Malware

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Agent Tesla is the most popular malware with a global impact of 3% of organizations, closely followed by Phorpiex and XMRig affecting 2% of organizations each.

↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
↑ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large-scale Sextortion campaigns.
↔ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
Top exploited vulnerabilities

This month “OpenSSL TLS DTLS Heartbeat Information Disclosure” is the most common exploited vulnerability, affecting 45% of organizations globally, closely followed by “MVPower DVR Remote Code Execution” which impacts 44% of organizations worldwide. “Web Server Exposed Git Repository Information Disclosure” remains in third place, with a global impact of 38%.

↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
↓ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↔ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
Top mobile malware families

This month Necro is the most popular mobile malware, followed by Hiddad and Lotoor.

Necro – Necro is an Android Trojan Dropper. It is capable of downloading other malware, showing intrusive ads and stealing money by charging paid subscriptions.
Hiddad – Hiddad is an Android malware, which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
Lotoor – Lotoor is a hacking tool that exploits vulnerabilities on the Android operating system to gain root privileges on compromised mobile devices.


May 2020’s Most Wanted Malware

Top Malware Families

* The arrows relate to the change in rank compared to the previous month.

This month Dridex remains in 1st place, impacting 4% of organizations globally, followed by Agent Tesla and XMRig, both impacting 3% of organizations worldwide.

↔ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
↓ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.

Top Exploited Vulnerabilities

This month “MVPower DVR Remote Code Execution” is still holding 1st place as the most common exploited vulnerability, impacting 45% of organizations globally. The second most popular exploited vulnerability is “OpenSSL TLS DTLS Heartbeat Information Disclosure”, closely followed by “Web Server Exposed Git Repository Information Disclosure” impacting 40% and 39% of organizations respectively.

MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
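The “Web Server Exposed Git Repository Information Disclosure” entry above (and the same entry in the June and August lists) describes a web server that serves its own `.git` directory; attackers fetch `HEAD`, `config` and object files to reconstruct source and credentials. From the defender’s side the useful signal in access logs is not the probe itself but a `200` answer to it. The following is an added example written for this page, not Check Point’s code or part of the report: it parses combined-format access log lines (the sample lines are constructed, using RFC 5737 documentation addresses) and separates scanning from actual exposure.

```python
import re
from collections import Counter

# Apache/nginx combined-style access log line:
# client ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A request into the repository metadata directory itself; /.gitignore is not a hit.
GIT_DIR_RE = re.compile(r'(?:^|/)\.git(?:/|$)')

# Constructed sample log (assumption: not real traffic, addresses are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jul/2020:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 162
198.51.100.7 - - [10/Jul/2020:10:01:15 +0000] "GET /.git/config HTTP/1.1" 200 312
198.51.100.7 - - [10/Jul/2020:10:01:16 +0000] "GET /.git/objects/ HTTP/1.1" 403 153
203.0.113.5 - - [10/Jul/2020:10:02:00 +0000] "GET /.gitignore HTTP/1.1" 404 162
192.0.2.9 - - [10/Jul/2020:10:03:00 +0000] "GET /app/.git/index?x=1 HTTP/1.1" 200 9001
"""


def parse_access_log(text: str) -> list:
    """Turn log text into dicts; lines that do not fit the format are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["path"] = e["path"].split("?", 1)[0]  # the query string is irrelevant here
            entries.append(e)
    return entries


def find_git_probes(entries) -> list:
    """Keep only requests that reach into a .git directory."""
    return [e for e in entries if GIT_DIR_RE.search(e["path"])]


def summarize(hits) -> dict:
    """Separate scanning (probes answered 4xx) from actual exposure (probes answered 200)."""
    served = [h["path"] for h in hits if h["status"] == 200]
    return {
        "probes": len(hits),
        "served": len(served),
        "served_paths": served,
        "by_ip": dict(Counter(h["ip"] for h in hits)),
    }


if __name__ == "__main__":
    report = summarize(find_git_probes(parse_access_log(SAMPLE_LOG)))
    print(report)
```

Any path in `served_paths` means the repository is actually being served and the server needs fixing, not just monitoring: the durable fix is to keep `.git` out of the document root entirely; as a stopgap, nginx can refuse it with `location ~ /\.git { deny all; }`, and a similar `DirectoryMatch` rule works in Apache.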

Top Malware Families – Mobile

This month, the top three malware families completely changed, with PreAmo in 1st place as the most prevalent Mobile malware, followed by Necro and Hiddad.

PreAmo – PreAmo is Android malware that imitates the user by clicking on banners retrieved from three ad agencies: Presage, Admob and Mopub.
Necro – Necro is an Android Trojan dropper. It can download other malware, show intrusive ads and steal money by charging paid subscriptions.
Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.


April 2020’s Most Wanted Malware

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Dridex rises to 1st place, impacting 4% of organizations globally, followed by XMRig and Agent Tesla impacting 4% and 3% of organizations worldwide respectively.

↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
↓ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in the wild in May 2017.
↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” was the most common exploited vulnerability, impacting 46% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%. In 3rd place the “Command Injection Over HTTP Payload” vulnerability impacted 40% of organizations worldwide, mostly seen in attacks exploiting a zero-day vulnerability in “DrayTek” routers and switch devices (CVE-2020-8515).

↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
↑ Command Injection Over HTTP Payload – A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
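The “Command Injection Over HTTP Payload” entry above (and the same entry in the July list) covers the general class of bugs where a request parameter ends up inside a command line that a shell parses. The following is an added example for this page, not Check Point’s code and not taken from any affected product: it shows the vulnerable pattern next to the hardened form for a typical “ping this host” web handler. The hostname grammar, the `validate_host`/`safe_ping_argv` names and the tampered parameter value are assumptions made for the example.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname labels: an allow-list of what a host parameter may look like.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def unsafe_command_line(host: str) -> str:
    """The vulnerable pattern: untrusted input pasted into a string a shell will parse."""
    return "ping -c 1 %s" % host


def shell_tokens(command_line: str) -> list:
    """Split a command line the way a POSIX shell would, so the effect of
    metacharacters in the parameter is visible without executing anything."""
    return list(shlex.shlex(command_line, punctuation_chars=True))


def validate_host(value: str) -> bool:
    """Accept only an IP address or a syntactically valid hostname."""
    if not value or value.startswith("-"):  # a leading dash would be read as an option
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(value) is not None


def safe_ping_argv(host: str) -> list:
    """Hardened form: validated input passed as one argv element, no shell involved."""
    if not validate_host(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened form and return the process exit status."""
    return subprocess.run(safe_ping_argv(host), capture_output=True).returncode


if __name__ == "__main__":
    tampered = "203.0.113.1; id"  # constructed sample of a manipulated parameter
    print(shell_tokens(unsafe_command_line(tampered)))  # the ';' becomes a second command
    print(safe_ping_argv("example.com"))
    try:
        safe_ping_argv(tampered)
    except ValueError as err:
        print(err)
```

The two defences are independent and both matter: the argv list keeps the shell out of the picture, and the allow-list rejects anything that is not a host, which also blocks option injection in tools that treat a leading dash as a flag.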
Top malware families – Mobile

This month xHelper is still holding 1st place as the most prevalent mobile malware, followed by Lotoor and AndroidBauts.

xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and reinstalls itself if it is uninstalled.
Lotoor – Lotoor is a hacking tool which exploits vulnerabilities on the Android operating system to gain root privileges on compromised mobile devices.
AndroidBauts – AndroidBauts is an Adware that targets Android users. It exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.


March 2020’s Most Wanted Malware

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month XMRig remains in 1st place, impacting 5% of organizations globally, followed by Jsecoin and Dridex impacting 4% and 3% of organizations worldwide respectively.

↔ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
↑ Jsecoin – Jsecoin is a web-based cryptominer designed to mine the Monero cryptocurrency in the browser when a user visits a particular web page. The implanted JavaScript uses a large amount of the end user’s computational resources to mine coins, thus impacting system performance.
↑ Dridex – Dridex is a Banking Trojan that targets the Windows platform, and is delivered by spam campaigns and exploit kits, which rely on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system and can also download and execute additional modules for remote control.
Top exploited vulnerabilities

This month the “MVPower DVR Remote Code Execution” remains the most common exploited vulnerability, impacting 30% of organizations globally, closely followed by “PHP php-cgi Query String Parameter Code Execution” with a global impact of 29%. In 3rd place “OpenSSL TLS DTLS Heartbeat Information Disclosure” is impacting 27% of organizations worldwide.

↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ PHP php-cgi Query String Parameter Code Execution – A remote code execution vulnerability that has been reported in PHP. The vulnerability is due to the improper parsing and filtering of query strings by PHP. A remote attacker may exploit this issue by sending crafted HTTP requests. Successful exploitation allows an attacker to execute arbitrary code on the target.
↓ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
Top malware families – Mobile

This month xHelper retained the 1st place in the most prevalent mobile malware, followed by AndroidBauts and Lotoor.

xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application can hide itself from the user and reinstall itself if uninstalled.
AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.
Lotoor – A hacking tool that exploits vulnerabilities on Android operating systems to gain root privileges on compromised mobile devices.


February 2020’s Most Wanted Malware

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month, XMRig moved up to first place, impacting 7% of organizations globally, followed by Emotet and Jsecoin impacting 6% and 5% of organizations worldwide respectively.

↑ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency, first seen in the wild in May 2017.
↓ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be primarily a banking Trojan, but recently has been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence, and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
↑ Jsecoin – Jsecoin is a web-based cryptominer designed to mine the Monero cryptocurrency in the browser when a user visits a particular web page. The implanted JavaScript uses a large amount of the end user’s computational resources to mine coins, thus impacting system performance.
Top exploited vulnerabilities

This month, the “MVPower DVR Remote Code Execution” remained the most common exploited vulnerability, impacting 31% of organizations globally, closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 28%. In the 3rd place “PHP DIESCAN information disclosure” vulnerability impacting 27% of organizations worldwide.

↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
↔ PHP DIESCAN information disclosure – An information disclosure vulnerability has been reported in PHP pages. Successful exploitation could lead to the disclosure of sensitive information from the server.
Top malware families – Mobile
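The “OpenSSL TLS DTLS Heartbeat Information Disclosure” entry above, which recurs in the March through July lists, is Heartbleed (CVE-2014-0160): the heartbeat handler trusted the payload length declared in the message and copied that many bytes back to the peer, regardless of how many bytes had actually arrived. The fix was a single bounds check. The following is an added example for this page, not OpenSSL’s code and not Check Point’s: a parser for the RFC 6520 heartbeat message that applies exactly that check, plus a scanner that flags records a conforming endpoint or IDS should reject. The message layout and the 16-byte minimum padding come from RFC 6520; the sample messages are constructed here.

```python
import struct

# RFC 6520: HeartbeatMessage = type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def parse_heartbeat(body: bytes) -> dict:
    """Parse the body of a TLS/DTLS heartbeat record (the bytes after the record header).

    The declared payload length must be covered by the bytes actually received.
    That bounds check is what the Heartbleed fix added; without it a C implementation
    copies declared_len bytes out of memory it never received and sends them to the peer.
    """
    if len(body) < 3:
        raise ValueError("heartbeat body shorter than the 3-byte header")
    msg_type, declared_len = struct.unpack("!BH", body[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type %d" % msg_type)
    # header (1 + 2) + payload + at least 16 bytes of padding must fit in the record
    if 1 + 2 + declared_len + MIN_PADDING > len(body):
        raise ValueError(
            "declared payload length %d not covered by %d-byte record"
            % (declared_len, len(body))
        )
    payload = body[3:3 + declared_len]
    return {"type": msg_type, "declared_len": declared_len, "payload": payload}


def build_heartbeat(msg_type: int, payload: bytes, declared_len=None,
                    padding_len: int = MIN_PADDING) -> bytes:
    """Build a heartbeat body. declared_len defaults to the real payload length and can be
    overridden to construct a mismatched sample for exercising the validator."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", msg_type, declared_len) + payload + b"\x00" * padding_len


def find_malformed_heartbeats(bodies) -> list:
    """Return the indices of records that fail the length check (what an IDS would alert on)."""
    bad = []
    for i, body in enumerate(bodies):
        try:
            parse_heartbeat(body)
        except ValueError:
            bad.append(i)
    return bad


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    oversized = build_heartbeat(HEARTBEAT_REQUEST, b"ping", declared_len=0x4000)
    print(find_malformed_heartbeats([good, oversized]))  # [1]
```

Note that the check has to use the record length the transport actually delivered, not anything inside the message; a length field can only ever be validated against something the attacker does not control.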

This month xHelper retained the 1st place in the most prevalent mobile malware, followed by Hiddad and Guerrilla.

↔ xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and reinstalling itself if it is uninstalled.
↑ Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
↓ Guerrilla – Guerrilla is an Android Trojan found embedded in multiple legitimate apps and is capable of downloading additional malicious payloads. Guerrilla generates fraudulent ad revenue for the app developers.


January 2020’s Top 3 ‘Most Wanted’ Malware: