The IcedID banking trojan has entered Check Point Research’s Global Threat Index for the first time, taking second place, while the established Dridex trojan was the most prevalent malware during March, up from seventh in February.

First seen in 2017, IcedID has been spreading rapidly in March via several spam campaigns, affecting 11% of organisations globally.

One widespread campaign used a Covid-19 theme to entice new victims into opening malicious email attachments; the majority of these attachments are Microsoft Word documents with a malicious macro used to insert an installer for IcedID.

Once installed, the trojan then attempts to steal account details, payment credentials, and other sensitive information from users’ PCs. IcedID also uses other malware to proliferate and has been used as the initial infection stage in ransomware operations.
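The delivery vector described above is a Word attachment carrying a macro that drops the IcedID installer. A mail gateway or triage script can catch that class of attachment before a user ever opens it, because an Office Open XML package that carries VBA always contains a `vbaProject.bin` part and declares its content type. The following Python is an added example written for this article; it is not code from Check Point Research or from the article, and the sample package it builds is a constructed stand-in, not a real document. The classification labels and the quarantine policy are assumptions chosen for illustration.

```python
import io
import zipfile

# Content type that an OOXML package declares for an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of a legacy OLE compound file (.doc / .xls), which cannot be
# inspected with zipfile and needs OLE-aware tooling instead.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed, minimal OOXML package used only to exercise the classifier."""
    buf = io.BytesIO()
    main_part = (
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    overrides = [main_part]
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        if with_macro:
            overrides.append(
                '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
            )
            # Placeholder bytes standing in for a VBA project stream (constructed).
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types">' + "".join(overrides) + "</Types>",
        )
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by content, not by file extension.

    Returns one of 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other'.
    The extension is deliberately ignored: a .docx name does not guarantee
    the absence of a VBA project inside the package.
    """
    if data[:8] == OLE_MAGIC:
        return "ole-legacy"
    if data[:2] != b"PK":
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Check 1: the VBA part itself, wherever it is placed in the package.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            # Check 2: the content-types manifest declaring a VBA project.
            if "[Content_Types].xml" in names:
                manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"


def triage(data: bytes) -> tuple:
    """Map a classification to a gateway action (assumed policy: macro-bearing
    packages are quarantined, legacy OLE files are held for manual review)."""
    verdict = classify_attachment(data)
    action = {
        "ooxml-macro": "quarantine",
        "ole-legacy": "review",
    }.get(verdict, "deliver")
    return verdict, action


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_package(True)),
                        ("clean", build_sample_package(False))):
        print(label, triage(blob))
```

Checking the package structure rather than the extension matters because the lure documents in campaigns like this one are routinely renamed; the `[Content_Types].xml` check also catches a VBA part stored under an unusual path. Legacy binary `.doc` files are routed to review rather than parsed here, since their macros live in an OLE container that needs a dedicated parser.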

“IcedID has been around for a few years now but has recently been used widely, showing that cyber-criminals are continuing to adapt their techniques to exploit organizations, using the pandemic as a guise,” says Maya Horowitz, director of threat intelligence and research, products, at Check Point.

“IcedID is a particularly evasive trojan that uses a range of techniques to steal financial data, so organisations must ensure they have robust security systems in place to prevent their networks being compromised and minimise risks. Comprehensive training for all employees is crucial, so they are equipped with the skills needed to identify the types of malicious emails that spread IcedID and other malware.”

Check Point Research also warns that “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most commonly exploited vulnerability, impacting 45% of organisations globally, followed by “MVPower DVR Remote Code Execution”, which impacts 44% of organisations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is in third place in the top exploited vulnerabilities list, with a global impact of 44%.


Top malware families

*The arrows relate to the change in rank compared to the previous month in South Africa.

This month, XMRig is the most popular malware with a global impact of 3,28% of organizations, followed by Formbook and Ryuk affecting 2,95% and 1,67% of organisations worldwide respectively.

  1. ↑ XMRig – First seen in the wild in May 2017, XMRig is an open-source CPU mining software used to mine Monero cryptocurrency.
  2. Formbook – First detected in 2016, FormBook is an InfoStealer that targets the Windows OS. It is marketed as MaaS in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
  3. ↑ Ryuk – Ryuk is a ransomware used in targeted and well-planned attacks against several organizations worldwide. The ransomware’s technical capabilities are relatively low, and include a basic dropper and a straightforward encryption scheme. Nevertheless, the ransomware was able to cause severe damage to the targeted organizations, and led them to pay extremely high ransoms of up to $320,000 in Bitcoin. Unlike most ransomware, which is distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. Its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network, and distribution is carried out manually. The malware encrypts files stored on PCs, storage servers and data centres.


Top exploited vulnerabilities

This month “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “MVPower DVR Remote Code Execution”, which impacts 44% of organizations worldwide. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” is in third place with a global impact of 44%.

  1. ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
  2. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  3. Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.


Top mobile malware

Hiddad took first place in the most prevalent mobile malware index, followed by xHelper and FurBall.

  1. Hiddad – Hiddad is an Android malware, which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  2. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying ads. The application is capable of hiding itself from the user and can even reinstall itself after being uninstalled.
  3. FurBall – FurBall is an Android MRAT (Mobile Remote Access Trojan) which is deployed by APT-C-50, an Iranian APT group connected to the Iranian government. This malware was used in multiple campaigns dating back to 2017 and is still active today. FurBall’s capabilities include stealing SMS messages and mobile call logs, recording calls and surroundings, collecting media files, tracking locations, and more.