Beware of Valak Variant Malware – Advice From Check Point Researchers

Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cybersecurity solutions globally, has published its latest Global Threat Index for September 2020. Researchers found that an updated version of Valak malware has entered the Index for the first time, ranking as the 9th most prevalent malware in September.

First observed in late 2019, Valak is a sophisticated threat which was previously classified as a malware loader. In recent months, new variants were discovered with significant functional changes which enable Valak to operate as an information-stealer capable of targeting both individuals and enterprises. This new version of Valak is able to steal sensitive information from Microsoft Exchange mail systems, as well as users’ credentials and domain certificates. During September, Valak was spread widely by malspam campaigns containing malicious .doc files.

Get NordVPN

The Emotet trojan remains in 1st place in the Index for the third month in succession, impacting 14% of organisations globally. The Qbot trojan, which entered the listing for the first time in August, was also widely used in September, rising from 10th to 6th in the index.

The research team also warns that “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organisations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organisations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” had a global impact of 36%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month Emotet remains the most popular malware with a global impact of 14% of organisations, followed by Trickbot and Dridex impacting 4% and 3% or organisations worldwide respectively.

  1. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was originally a banking Trojan, but recently is used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. ↑ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customisable malware that can be distributed as part of multi purposed campaigns.
  3. ↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.

Top exploited vulnerabilities

This month “MVPower DVR Remote Code Execution” is the most common exploited vulnerability, impacting 46% of organisations globally, followed by “Dasan GPON Router Authentication Bypass” which impacted 42% of organisations worldwide. “OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346)” is in third place, with a global impact of 36%.

  1. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability that exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  2.  Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorised access into the affected system.
  3. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.

Top mobile malware families 

This month xHelper is the most popular mobile malware, followed by Xafecopy and Hiddad.

  1. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application can hide itself from the user, and reinstall itself in case it was uninstalled.
  2. Xafekopy – Xafecopy Trojan is disguised as useful apps like Battery Master. The Trojan secretly loads malicious code onto the device. Once the app is activated, the Xafecopy malware clicks on web pages with Wireless Application Protocol (WAP) billing – a form of mobile payment that charges costs directly to the user’s mobile phone bill.
  3. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 2.5 billion websites and 500 million files daily, and identifies more than 250 million malware activities every day.

The complete list of the top 10 malware families in September can be found on the Check Point Blog. Check Point’s Threat Prevention Resources are available at  http://www.checkpoint.com/threat-prevention-resources/index.html.

Leave a Comment