IcedID enters the Top 10 of the most widespread malware in March after the campaign linked to Covid By Data Manager Online Editorial Team - April 15, 2021 Share

CheckPoint Research reports that IcedID entered the ranking of the most widespread malware for the first time, occupying the second place globally and the third at the Italian level Check Point Research, the Threat Intelligence division of Check Point Software Technologies Ltd., published the Global Threat Index for March 2021. The researchers reported that the IcedID banking trojan entered the ranking for the first time, ranking in second place. while the established Dridex Trojan was the most prevalent malware during March, up from 7th in February.

First seen in 2017, IcedID spread rapidly in March through various spam campaigns, hitting 11% of companies globally. One of the most popular campaigns used the Covid-19 theme to trick new victims into opening malicious email attachments; most of these attachments are Microsoft Word documents with a macro used to download the IcedID installer. Once installed, the Trojan attempts to steal account information, payment credentials and other sensitive information from users' PCs. IcedID also uses other malware to spread, and has been used as an initial stage of infection in ransomware operations. "IcedID has been around for a few years, but has recently been used extensively, showing that cybercriminals are continuing to adapt their techniques to take advantage of companies, using the pandemic as a hook," said Maya Horowitz, Director, Threat Intelligence & Research, Products of Check Point. “IcedID is a particularly evasive Trojan that uses a variety of techniques to steal financial data, so companies need to be sure they have robust security systems in place to prevent their networks from being compromised and to minimize risk. Comprehensive training for all employees is essential, so that they are equipped with the necessary skills to identify the types of malicious emails that spread IcedID and other malware. "

Read also: Italy is the second most attacked state in the European Union

Check Point Research also warns that "HTTP Headers Remote Code Execution (CVE-2020-13756)" is the most commonly exploited vulnerability, impacting businesses globally by 45%, followed by "MVPower DVR Remote Code Execution" with a 44% impact on companies around the world. “Dasan GPON Router Authentication Bypass (CVE-2018-10561)” ranks third on the list of most exploited vulnerabilities, with a global impact of 44%. In Italy, the most prevalent malware in March was Ursnif, a trojan that targets the Windows platform and steals information about the Verifone Point-of-Sale (POS) payment software, with an impact of 76.11% on Italian companies; Dridex, a banking trojan that targets the Windows platform, and which relies on WebInjects to intercept and redirect bank credentials to a server controlled by the criminal, with an impact of 60.09% on Italian companies; and IcedID, which had a 52.12% impact on Italian companies. The three most prevalent malware in March were: * The arrow refers to the change in position with respect to the previous month's ranking This month, Dridex is the most prevalent malware with a global impact of 16% on businesses, followed by IcedID and Lokibot affecting 11% and 9% of companies worldwide, respectively. 1. ↑ Dridex - Dridex is a trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and run arbitrary modules received from the remote server. 2. ↑ IcedID - IcedID is a banking Trojan spread by email spam campaigns and uses evasive techniques such as process injection and steganography to steal users' financial data. 3. ↑ Lokibot - Lokibot is an Info Stealer distributed mainly by phishing emails and is used to steal various data such as email credentials, as well as the passwords of CryptoCoin wallets and FTP servers.

Read also: Cybersecurity 2020: Italy plagued by malware

Most exploited vulnerabilities of March: * The arrow refers to the change in position with respect to the previous month's ranking This month "HTTP Headers Remote Code Execution (CVE-2020-13756)" is the most exploited vulnerability, impacting 45% of companies globally, followed by "MVPower DVR Remote Code Execution" which affects 44% of companies around the world. "Dasan GPON Router Authentication Bypass (CVE-2018-10561)" is in third place with an imp global act of 44%. 1. ↑ HTTP Headers Remote Code Execution (CVE-2020-13756) - allows the client and server to pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine. 2. ↑ MVPower DVR Remote Code Execution - remote code execution vulnerability in MVPower DVR devices. An attacker can remotely exploit this flaw to execute arbitrary code on the affected router via a specially created request. 3. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) - authentication bypass vulnerability exists in GPON Dasan routers. Successful exploitation of this vulnerability would allow remote criminals to obtain sensitive information and gain unauthorized access to the affected system. The three most popular mobile malware of March: This month Hiddad remains in first place, followed by xHelper and FurBall. 1. Hiddad - Android malware that repackages legitimate apps and then delivers them to a third-party store. Its main function is to display ads, but it is also able to access key security data, integrated into the operating system, allowing the attacker to obtain sensitive user data. 2. xHelper - a malicious Android application, identified in March 2019, used to download other malicious apps and display advertisements. It is able to hide itself from the user and mobile antivirus programs, and reinstalls itself if the user uninstalls it. 3. FurBall - FurBall is an Android MRAT (Mobile Remote Access Trojan) which is distributed by APT-C-50, an Iranian APT group linked to the Iranian government. This malware has been used in multiple campaigns dating back to 2017, and is still active today. FurBall's capabilities include stealing SMS messages, call logs, surroundings recording, call recording, media gathering, location tracking, and more.

Read also: Security: Doxing attacks targeting companies on the rise

Check Point's ThreatCloud Map and Global Threat Impact Index leverage the company's ThreatCloud intelligence, the largest network that works against cybercriminals and provides data on threats and attack trends through a global network of sensors of threats. ThreatCloud's database inspects over 3 billion websites and 600 million files, and identifies more than 250 million malware activities every day.