Threat Impact Index from Check Point
Emotet & Co. - top malware for January 2021
Check Point has published a list of the top malware in January. Although Europol announced in February that it had broken up the Emotet botnet, the security researchers are not quite so sure.
The Emotet Trojan continues to top the list of the top 5 malware in January.
Check Point's Global Threat Impact Index and ThreatCloud Map are based on Check Point's ThreatCloud Intelligence, the largest collaborative cybercrime network that provides threat data and attack trends from a global network of threat sensors. The ThreatCloud database analyzes over 3 billion websites and 600 million files daily and identifies more than 250 million pieces of malware activity per day.
The Global Threat Index is still led by the Emotet Trojan. With Europol claiming to have dismantled the botnet in February, experts are now wondering whether this was a farewell with a bang or whether, as the saying goes, those pronounced dead live longer.
Police action against Emotet
Security researchers report that the Emotet Trojan has remained in first place for the second month in a row. This is particularly interesting because, according to Europol, an international police operation took control of the botnet on January 27. The impact of this should become visible in the top malware list for February.
The police action has already led to a 14% drop in the number of organizations affected. Now law enforcement agencies are planning to delete Emotet en masse from infected servers on April 25. Emotet was first discovered in 2014 and has been regularly updated by its developers to increase its effectiveness or adapt it to current protection measures. The United States Department of Homeland Security estimates that each incident involving Emotet has cost the affected company more than 1 million dollars (824,400 euros) to fix.
Maya Horowitz, Director Threat Intelligence and Research and Products at Check Point Software Technologies
"Emotet is one of the most sophisticated destructive malware variants ever seen. Therefore, the joint effort by law enforcement to take it down was critical and a great success," explains Maya Horowitz, Director Threat Intelligence and Research and Products at Check Point Software Technologies: "However, new threats will emerge and replace Emotet. Therefore, organizations must not become lax and must continue to ensure robust security systems. It also cannot be emphasized enough: comprehensive employee training is critical to help employees recognize the types of malicious emails that spread Trojans and bots."
Top 3: Most Wanted Malware for Germany:
Emotet was still at the top, followed by Dridex in second place. Third place was shared this time by the botnet Phorpiex and the info stealer FormBook.
1st place: Emotet - Emotet is still in first place. Emotet is an advanced, self-propagating and modular Trojan. It was previously used as a banking Trojan, but is currently used to spread other malware or entire campaigns. It uses various methods to remain operational and has evasion techniques to avoid detection. It can also be spread by phishing emails containing malicious attachments or links.
2nd place: Dridex - Dridex is a banking Trojan that targets Windows systems and is spread by spam campaigns and exploit kits. It uses WebInjects to intercept banking data and redirect it to a server controlled by the attackers. Dridex contacts a remote server, sends information about the infected system and can download and execute additional modules for remote control.
3rd place (shared): Phorpiex and FormBook.
Phorpiex is a botnet known for spreading other malware families via spam campaigns and for launching extensive sextortion campaigns.
FormBook is an info stealer that targets the Windows operating system. It was first discovered in 2016 and is marketed on illegal hacking forums because of its strong evasion methods and relatively low price. FormBook collects login credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files on command from its C&C server.
The Top 3 Most Wanted Mobile Malware:
Hiddad holds the top spot, while xhelper remains in second place. In third place is Triada.
1st place: Hiddad - Hiddad is an Android malware that repackages legitimate applications and then distributes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important security details built into the operating system.
2nd place: xhelper - A malicious Android application that has been used to download other malicious applications and display advertisements since March 2019. It is able to hide from the user and mobile antivirus programs and reinstall itself when the user uninstalls it.
3rd place: Triada - Modular backdoor Trojan against Android mobile devices that sets up full access for downloaded malware.
The Top 3 Most Wanted Vulnerabilities:
The MVPower DVR Remote Code Execution vulnerability remains in first place with 43 percent global impact. It is followed by HTTP Headers Remote Code Execution (CVE-2020-13756) with 42 percent. Dasan GPON Router Authentication Bypass (CVE-2018-10561) rises to third place with 41 percent.
1st place: MVPower DVR Remote Code Execution - A remote code execution vulnerability exists in MVPower DVR devices. An attacker can exploit it remotely to execute arbitrary code on the affected router via a crafted request.
2nd place: HTTP Headers Remote Code Execution (CVE-2020-13756) - HTTP headers allow the client and server to exchange additional information with an HTTP request. A remote attacker can abuse a vulnerable HTTP header to inject and execute their own malicious code.
3rd place: Dasan GPON Router Authentication Bypass (CVE-2018-10561) - A vulnerability that allows authentication to be bypassed on Dasan GPON routers. Successful exploitation allows attackers to obtain sensitive information and gain unauthorized access to the affected system.