May 2020’s Most Wanted Malware: Ursnif Banking Trojan Ranks On Top 10 Malware List for First Time, Over Doubling Its Impact On Organisations
Check Point’s researchers find sharp increase in attacks using the long-running Ursnif banking trojan capable of stealing email and banking credentials
Check Point Research, the Threat Intelligence arm of Check Point Software Technologies Ltd. has published its latest Global Threat Index for May 2020. Researchers found several malicious spam campaigns distributing the Ursnif banking trojan, which caused it to jump up 19 places to 5th in the Top Malware list, doubling its impact on organisations worldwide.
The Ursnif banking trojan targets Windows PCs and is capable of stealing vital financial information, email credentials and other sensitive data. The malware is delivered in malicious spam campaigns via Word or Excel attachments. The new wave of Ursnif trojan attacks – which saw it enter the Top Malware index’s top 10 for the first time – coincides with reports about the demise of one of its popular variants, Dreambot. Dreambot was first spotted in 2014 and is based on Ursnif’s leaked source code. As reported since March 2020, Dreambot’s backend server has gone down, and no new Dreambot samples have been seen in the wild.
Meanwhile, the well-known banking trojan Dridex, which entered the malware top 10 for the first time in March, continued to have a significant impact throughout May, remaining in 1st place for the second month running. The most prevalent mobile malware families also completely changed in May, with Android malware that generates fraudulent revenue from clicking on mobile adverts dominating the mobile index – showing how criminals are trying to monetise attacks against mobile devices. “With the Dridex, Agent Tesla and Ursnif banking trojans all ranking in the malware top 5 in May , it is clear cyber criminals are focusing on using malware that enables them to monetise their victim’s data and credentials,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point. “While COVID-19-related attacks have fallen, we have seen a 16% increase in overall cyber-attacks in May compared to March and April, so organisations must remain vigilant by using certain tools and techniques, especially with the mass shift to remote working, which attackers are taking advantage of.”
Top malware families
* The arrows relate to the change in rank compared to the previous month.
This month Dridex remains in 1st place, impacting 4% of organisations globally, followed by Agent Tesla and XMRig, both impacting 3% of organisations worldwide.
1. ↔ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
2. ↑ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which capable of monitoring and collecting the victim’s keyboard input, system clipboard, taking screenshots, and exfiltrating credentials belonging to of a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client).
3. ↓ XMRig – XMRig is open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild on May 2017.