April 2020’s Most Wanted Malware: Agent Tesla Remote Access Trojan Spreading Widely In COVID-19 Related Spam Campaigns

Check Point’s researchers find sharp increase in attacks using new version of Agent Tesla capable of stealing Wi-Fi passwords, while Dridex banking trojan is most common threat

Check Point Research, the Threat Intelligence arm of Check Point^® Software Technologies Ltd., a leading provider of cyber security solutions globally, has published its latest Global Threat Index for April 2020. Researchers saw several COVID-19 related spam campaigns distributing a new variant of the Agent Tesla remote access trojan, moving it up to 3^rd place in the Index, impacting 3% of organizations worldwide.

The new variant of Agent Tesla has been modified to steal Wi-Fi passwords in addition to other information – such as Outlook email credentials – from target PCs. During April, Agent Tesla was distributed as an attachment in several malicious COVID-19 related spam campaigns, which attempt to lure the victim into downloading malicious files under the cover of providing interesting information about the pandemic. One of these campaigns claimed to be sent by the World Health Organization with the subject ‘URGENT INFORMATION LETTER: FIRST HUMAN COVID-19 VACCINE TEST/RESULT UPDATE.’ This highlights how hackers will exploit global news events and public concerns to increase their attack success rates.

The well-known banking trojan Dridex, which entered the Threat Index top ten for the first time in March, had an even greater impact in April. It moved up to 1^st place in the index from 3^rd last month, impacting 4% of organizations worldwide. XMRig, March’s most prevalent malware, dropped to second place.

“The Agent Tesla malspam campaigns we saw in April underline just how agile cybercriminals can be when it comes to exploiting news events and tricking unsuspecting victims to click on an infected link,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “With both Agent Tesla and Dridex in the top three of the threat index, criminals are focusing on stealing users’ personal and business data and credentials so that they can monetize them. So it’s essential that organizations take a proactive and dynamic approach to user education, keeping their staff informed of the latest tools and techniques, particularly as more staff are now working from home.”

The research team also warns that “MVPower DVR Remote Code Execution” remained the most common exploited vulnerability, though its impact increased to cover 46% of organizations globally. This was closely followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%, followed by “Command Injection Over HTTP Payload” impacting 40% of organizations worldwide.

Top malware families
*The arrows relate to the change in rank compared to the previous month.
This month Dridex rises to 1st place, impacting 4% of organizations globally, followed by XMRig and Agent Tesla impacting 4% and 3% of organizations worldwide respectively.

1. ↑ Dridex - Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
2. ↓ XMRig - XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, first seen in the wild in May 2017.
3. ↑ Agent Tesla - Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

Top exploited vulnerabilities
This month “MVPower DVR Remote Code Execution” was the most common exploited vulnerability, impacting 46% of organizations globally, followed by “OpenSSL TLS DTLS Heartbeat Information Disclosure” with a global impact of 41%. In 3rd place the “Command Injection Over HTTP Payload” vulnerability impacted 40% of organizations worldwide, mostly seen in attacks exploiting a zero-day vulnerability in “DrayTek” routers and switch devices (CVE-2020-8515).

1. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
2. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) - An information disclosure vulnerability which exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
3. ↑ Command Injection Over HTTP Payload - A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.

Top malware families - Mobile

This month xHelper is still holding 1^st place as the most prevalent mobile malware, followed by Lotoor and AndroidBauts.

1. xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user, and reinstalls itself if it is uninstalled.
    
2. Lotoor - Lotoor is a hacking tool which exploits vulnerabilities on the Android operating system to gain root privileges on compromised mobile devices.
    
3. AndroidBauts - AndroidBauts is an Adware that targets Android users. It exfiltrates IMEI, IMSI, GPS Location and other device information and allows the installation of third-party apps and shortcuts on mobile devices.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.

Source: Check Point media announcement