Banking trojans roar back to prominence in May

Attacks exploiting banking trojans such as Agent Tesla, Dridex and Ursnif increased sharply during May 2020, according to Check Point’s threat intelligence arm, Check Point Research, which recently published its monthly Global threat index report, with Ursnif in particular more than doubling its impact on organisations worldwide, leaping up to fifth place in the malware ‘charts’.

Ursnif, which targets Windows PCs and steals financial data and email credentials, is being delivered via Microsoft Word or Excel attachments through spam campaigns, and its increased activity in May coincided with reports about the demise of one of its more popular variants, Dreambot, which disappeared in March after its back-end server dropped off the web.

Dridex, the suspected Russian creators of which were indicted by the US government in 2019, entered the malware top 10 for the first time in March and rose swiftly to the top spot in both April and May, said Check Point.

Distributed in a similar manner to Ursnit, Dridex exfiltrates information on the systems it infects to a remote command and control (C2) server, and can download and execute arbitrary modules received back from it.

“With the Dridex, Agent Tesla and Ursnif banking trojans all ranking in the malware top five in May, it is clear cyber criminals are focusing on using malware that enables them to monetise their victim’s data and credentials,” said Maya Horowitz, director of threat intelligence and research for products at Check Point.

“While Covid-19-related attacks have fallen, we have seen a 16% increase in overall cyber attacks in May compared to March and April, so organisations must remain vigilant by using certain tools and techniques, especially with the mass shift to remote working, which attackers are taking advantage of.”

Dridex affected about 4% of organisations globally in May, followed by Agent Tesla, an advanced remote access trojan (RAT) that functions as a keylogger and information stealer, and XMRig, an open source CPU cryptominer, infecting 3% of organisations.

Horowitz said she had also observed some changes in the most prevalent mobile malware families during May, with cyber criminals trying to better monetise attacks on smartphone devices by increasing their use of fraudulent ad clickers, a variety of malware that imitates a user’s touchscreen input to generate revenue by clicking on ads.

Meanwhile, the top exploited vulnerability in May was a remote code execution vulnerability that exists in MVPower DVR devices and enables hackers to execute arbitrary code in the affected router using a crafted request, and affects 45% of organisations globally.

The second most common exploit was the OpenSSL TLS DTLS Heartbeat information disclosure vulnerability, dating back to 2014, to which about 40% remain vulnerable, while in third place was another information disclosure vulnerability in Git Repository.

The data used in Check Point’s report was drawn from its ThreatCloud intelligence network, a collaborative crime-fighting network that derives threat data and attack trends from a worldwide sensor network. It inspects more than 2.5 billion websites and 500 million files, and identifies over 250 million malware activities on an average day.