The results of Fortinet Threat Intelligence Insider Latin America for the fourth quarter of 2019 reveal the continuous increasing of malware, exploits and botnet activity in Latin America and the Caribbean. In the last quarter of the year, the region suffered more than 9 billion attempts to attack, totaling 85 billion in 2019.
The report also reveals the most common infections in Latin America and the Caribbean:
As we have seen throughout the year, DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in the region. Considering it takes advantage of already resolved vulnerabilities, its continuous use evidences the vast software footprint without updates in Latin America, affecting companies and individuals alike. DoublePulsar is mainly targeted to banks and financial service companies.
The Emotet botnet (aimed at attacking mostly banks) reappears prominently in FortiGuard detections for the fourth quarter, and Latin America provides a 45% presence of this botnet globally.
Emotet is a Trojan malware that targets Windows platform. It contacts Command and Control servers via HTTP or HTTPS requests. A remote attacker can issue commands to the malware to perform different operations. Emotet can download and install additional malware such as ransomware.
FortiGuard detected relevant threats aimed at Cryptocurrency in Latin America and the Caribbean this fourth quarter of 2019. Here are some examples of this trend:
Different variations of malware, trojans and exploits for ransomware are still very active in Latin America.
How to defend from such multi-pronged attacks?
W32/Generic_PUA_MC.FXK is classified as a file infector. A file infector is a type of malware that has the capability to propagate by attaching its code to other programs or files.
W32/CrypterX.1A93!tr is classified as a trojan. Its activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
W32/VB.DSQ!tr.dldr is classified as a downloader trojan. Downloader Trojan has the capability to download other malicious files or an updated version of itself.
Cisco.Adaptive.Security.Appliance.SIP.Handling.DoS This indicates an attack attempt to exploit a Denial of Service Vulnerability in Cisco Adaptive Security Appliance and Cisco Firepower Threat Defence. The vulnerability is due to an error in the vulnerable application when handling a maliciously crafted SIP request. An attacker can cause a denial of service condition within the context of the application, via a crafted SIP request.
SMB.Login.Brute.Force This indicates a detection of at least 500 failed SAMBA logins in one minute which indicate a possible SAMBA logins brute force attack. Affected Microsoft Windows Operating Systems.
Memcached.UDP.Amplification.Detection This indicates an attack attempt against an UDP Amplification flaw on the Memcached protocol. The vulnerability is due to an error in the vulnerable application when handling a series of maliciously crafted requests. An attacker can exploit this to cause a denial of service condition on the affected machine via maliciously crafted requests. The signature detects for 50 suspicious requests within 1 second.
Andromeda.Botnet Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.
Emotet.Cridex.Botnet This indicates that a system might be infected by Emotet Botnet. Emotet is a Trojan that targets Windows This indicates that platform. It contacts C&C servers via HTTP or HTTPS requests. Emotet can download and install additional malware such as ransomware or infostealer. Emotet is a variant of Cridex malware.
XorDDOS.Botnet This indicates that a system might be infected by XorDDOS Botnet. XorDDOS is a trojan that performs DDOS attacks on a specified IP and port.