August 2019’s Most Wanted Malware: Echobot Launches Widespread Attack Against IoT Devices

Check Point’s researchers also report the Emotet botnet has been reactivated

Check Point Research has published its latest Global Threat Index for August 2019. The Research team is warning organizations of a new variant of the Mirai IoT Botnet, Echobot, which has launched widespread attacks against a range of IoT devices. First seen in May 2019, Echobot has exploited over 50 different vulnerabilities, causing a sharp rise in the ‘Command Injection Over HTTP’ vulnerability and impacted 34% of organizations globally.

August has also seen the Emotet botnet’s offensive infrastructure becoming active again, after it shut down its services two months ago. Emotet was the biggest botnet operating in the first half of 2019.  Although no major campaigns have been observed as yet, it is likely that it will be used to start spam campaigns soon.

“Echobot was first seen in mid-May, and as a new variant of the notorious Mirai IoT Botnet it’s important to note the sharp increase in exploitations, as it is now targeting over 50 different vulnerabilities. Echobot has impacted 34% of companies around the world, which shows how vital it is for organizations to ensure all patches and updates for their networks, software and IoT devices are applied,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

August 2019’s Top 3 ‘Most Wanted’ Malware:

*The arrows relate to the change in rank compared to the previous month.

This month XMRig keeps leading the top malware list, followed by Jsecoin, both with a global impact of 7%. Dorkbot is in the third place, impacting 6% of organizations worldwide.

1. ↔ XMRig– XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in-the-wild on May 2017.
2. ↔ Jsecoin – Jsecoin is JavaScript miner that can be embedded in websites. JSEcoin can run directly in users’ browsers in exchange for an ad-free experience, in-game currency and other incentives.
3. ↔ Dorkbot – Dorkbot is an IRC-based Worm designed to allow remote code execution by its operator, as well as the download of additional malware to the infected system.

August’s Top 3 ‘Most Wanted’ Mobile Malware:

This month Lotoor is the most prevalence Mobile malware, followed by AndroidBauts and Triada.

1. Lotoor– Hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.
2. AndroidBauts – Adware targeting Android users that exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third party apps and shortcuts on mobile devices.
3. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, helping them to embed into system processes. Triada has also been seen spoofing URLs in the browser. 

August’s ‘Most Exploited’ vulnerabilities:

This month, SQL Injection techniques retain first place in the top exploited vulnerabilities list, closely followed by the OpenSSL TLS DTLS Heartbeat Information Disclosure vulnerability, both impacting 39% of organizations globally. On third place MVPower DVR Remote Code Execution vulnerability with a global impact of 38% of organizations worldwide.

1. ↔ SQL Injection (several techniques) – Inserts an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
2. ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability that exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↔ MVPower DVR Remote Code Execution– A remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, more than 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.