Check Point research reports that IcedID Banking Trojan enters top 10 in global malware index following COVID-related campaign

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd., a pioneering provider of cyber security solutions globally, has published its latest Global Threat Index for March 2021. Researchers report that the IcedID banking trojan has entered the Index for the first time, taking second place, while the established Dridex trojan was the most prevalent malware during March, up from seventh in February.

First seen in 2017, IcedID has been spreading rapidly in March via several spam campaigns, affecting 11% of organisations globally. One widespread campaign used a COVID-19 theme to entice new victims into opening malicious email attachments; the majority of these attachments are Microsoft Word documents with a malicious macro used to insert an installer for IcedID.

Once installed, the trojan then attempts to steal account details, payment credentials, and other sensitive information from users’ PCs. IcedID also uses other malware to proliferate and has been used as the initial infection stage in ransomware operations.

Evasive trojan

“IcedID has been around for a few years now but has recently been used widely, showing that cyber-criminals are continuing to adapt their techniques to exploit organisations, using the pandemic as a guise,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

“IcedID is a particularly evasive trojan that uses a range of techniques to steal financial data, so organisations must ensure they have robust security systems in place to prevent their networks being compromised and minimise risks. Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails that spread IcedID and other malware.”

CPR also warns that “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most common exploited vulnerability, impacting 45% of organisations globally, followed by “MVPower DVR Remote Code Execution” which impact 44% of organisations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is on third place in the top exploited vulnerabilities list, with a global impact of 44%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

Recently, Dridex is the most popular malware with a global impact of 16% of organisations, followed by IcedID and Lokibot affecting 11% and 9% of organisations worldwide respectively.

• ↑ Dridex - Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
• ↑ IcedID - IcedID is a banking Trojan spread by email spam campaigns and uses evasive techniques such as process injection and steganography to steal user financial data.
• ↑ Lokibot - Lokibot is an Info Stealer distributed mainly by phishing emails and is used to steal various data such as email credentials, as well as passwords to CryptoCoin wallets and FTP servers.

Top exploited vulnerabilities

Currently, “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most commonly exploited vulnerability, impacting 45% of organisations globally, followed by “MVPower DVR Remote Code Execution” which impacts 44% of organisations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is in third place with a global impact of 44%.

• ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
• ↑ MVPower DVR Remote Code Execution - remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
• ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) - authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorised access into the affected system.

Top mobile malwares

Hiddad took first place in the most prevalent mobile malware index, followed by xHelper and FurBall.

• Hiddad - Hiddad is an Android malware, which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
• xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display ads. The application is capable of hiding itself from the user, and can even reinstall itself after being uninstalled.
• FurBall - FurBall is an Android MRAT (Mobile Remote Access Trojan) which is deployed by APT-C-50, an Iranian APT group connected to the Iranian government. This malware was used in multiple campaigns dating back to 2017 and is still active today. Among FurBall’s capabilities are; stealing SMS messages and mobile call logs, recording calls and surroundings, collecting media files, tracking locations, and more.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 3 billion websites and 600 million files daily and identifies more than 250 million malware activities every day.