Check Point Research has released its Global Threat Index for April 2021. According to the researchers, Agent Tesla entered the top of the list for the first time, at number two, while the well-established Dridex Trojan remained the most prevalent malware.
Dridex, a Trojan that targets Windows systems, spread widely last month through a QuickBooks-themed malspam campaign: phishing emails tried to dupe users with fake payment notifications and invoices and asked them to download a malicious Microsoft Excel attachment that infects the system with Dridex.
Dridex often provides the initial foothold in a ransomware attack, in which the attackers encrypt an organization's data before demanding payment.
These attackers increasingly use two-stage (double extortion) techniques: they steal sensitive data from the organization before encrypting it and threaten to publish the stolen data unless the ransom is paid.
For the first time, Agent Tesla has reached number two on the malware list. It is an advanced RAT (Remote Access Trojan) that has been active since 2014 and works as a keylogger and password stealer. April saw an increase in Agent Tesla campaigns spread through malicious spam.
The emails ask the recipient to download a file which, when opened, infects the system with Agent Tesla.
Check Point Research also reports that “Web Server Exposed Git Repository Information Disclosure” was the most commonly exploited vulnerability, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” and, in third place, “MVPower DVR Remote Code Execution”.
The top three malicious programs are:
1 DRIDEX
Dridex is a banking Trojan that targets the Windows platform and is delivered as an attachment to spam emails. Once running, it contacts a remote server, sends information about the infected system, and downloads and executes additional modules for remote control.
2 AGENT TESLA
Agent Tesla is an advanced Remote Access Trojan that works as a keylogger and information stealer. It monitors and collects the victim's keyboard input and system clipboard, captures screenshots, and exfiltrates credentials from a variety of software installed on the victim's machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client).
3 TRICKBOT
Trickbot is a modular banking Trojan and botnet. Its flexibility makes it easy to customize, and it is distributed as part of multi-purpose campaigns.
And the top three vulnerabilities are:
1 – Web Server Exposed Git Repository Information Disclosure – an information disclosure vulnerability reported in Git repositories exposed by web servers. When a site's .git directory is reachable over HTTP, an attacker can download the repository metadata and reconstruct source code, configuration and any credentials committed to it; Check Point notes that successful exploitation could disclose account information.
2 – HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and server pass additional information along with an HTTP request. A remote attacker can use a crafted HTTP header against a vulnerable server to execute arbitrary code on the victim machine.
3 – MVPower DVR Remote Code Execution – a remote code execution vulnerability in MVPower DVR devices. A remote attacker can exploit it to execute arbitrary code on the affected device via a crafted request.
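The exposed Git repository item in the list above describes a server-side misconfiguration rather than a software bug, so the practical question for a defender is whether anyone is probing for it and whether the server actually answered. The following Python is an added example, not code from Check Point or from the original article. It parses a few constructed access-log lines (synthetic data, not from the report), flags requests to version-control directories, separates the probes the server answered with 200, and validates a fetched .git/HEAD body so that a server which returns 200 for every URL does not produce a false positive.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines in Apache/Nginx "combined" format.
# They are synthetic test data, not log data from the Check Point report.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Apr/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2021:09:14:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Apr/2021:09:14:03 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.25.1"
203.0.113.7 - - [12/Apr/2021:09:14:04 +0000] "GET /.git/objects/ab/cd1234 HTTP/1.1" 200 1890 "-" "python-requests/2.25.1"
198.51.100.9 - - [12/Apr/2021:09:15:11 +0000] "GET /.svn/entries HTTP/1.1" 404 190 "-" "curl/7.68.0"
198.51.100.9 - - [12/Apr/2021:09:15:12 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Version-control metadata directories that a production web root should never serve.
VCS_PATH_RE = re.compile(r'^/(?:\.git|\.svn|\.hg)(?:/|$)')


def parse_access_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_vcs_probes(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Requests for .git/.svn/.hg paths, regardless of how the server answered."""
    return [e for e in entries if VCS_PATH_RE.match(e["path"])]


def exposed_vcs_hits(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Probes the server answered with 200: the repository metadata was actually served."""
    return [e for e in find_vcs_probes(entries) if e["status"] == "200"]


def looks_like_git_head(body: str) -> bool:
    """True if an HTTP response body is a genuine .git/HEAD file.

    A real HEAD is either a symbolic ref ("ref: refs/heads/main") or a bare
    object id (40 hex chars for SHA-1 repos, 64 for SHA-256 repos). Servers
    that answer 200 with an HTML page for every URL fail this check, which
    avoids false positives from "soft 404" behaviour.
    """
    body = body.strip()
    return bool(
        re.fullmatch(r"ref: refs/\S+", body)
        or re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", body)
    )


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    for hit in exposed_vcs_hits(entries):
        print(f"{hit['ip']} fetched {hit['path']} ({hit['size']} bytes) at {hit['ts']}")
    print(looks_like_git_head("ref: refs/heads/main\n"))
    print(looks_like_git_head("<html><body>Not Found</body></html>"))
```

In the sample data, the 404 for /.svn/entries is a probe worth noting but not a leak, while the three 200 responses for .git paths from 203.0.113.7 show a repository actually being pulled. The server-side fix is to keep the .git directory out of the deployed web root and to deny requests to dot-directories at the web server (for example an nginx `location ~ /\.git` block that returns 404).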
You can find the complete list of malware families on the Check Point Blog.