The results of Fortinet Threat Intelligence Insider Latin America for the fourth quarter of 2019 reveal the continuous increasing of malware, exploits and botnet activity in Latin America and the Caribbean. In the last quarter of the year, the region suffered more than 9 billion attempts to attack, totaling 85 billion in 2019.
The report also reveals the most common infections in Latin America and the Caribbean:
As we have seen throughout the year, DoublePulsar, the backdoor used by the WannaCry ransomware, is still a mechanism for distributing malware in the region. Considering it takes advantage of already resolved vulnerabilities, its continuous use evidences the vast software footprint without updates in Latin America, affecting companies and individuals alike. DoublePulsar is mainly targeted to banks and financial service companies.
The Emotet botnet (aimed at attacking mostly banks) reappears prominently in FortiGuard detections for the fourth quarter, and Latin America provides a 45% presence of this botnet globally.
Emotet is a Trojan malware that targets Windows platform. It contacts Command and Control servers via HTTP or HTTPS requests. A remote attacker can issue commands to the malware to perform different operations. Emotet can download and install additional malware such as ransomware.
FortiGuard detected relevant threats aimed at Cryptocurrency in Latin America and the Caribbean this fourth quarter of 2019. Here are some examples of this trend:
Different variations of malware, trojans and exploits for ransomware are still very active in Latin America.
How to defend from such multi-pronged attacks?
HTML/ScrInject.OCKK!tr is classified as a trojan. Its activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
W32/FlyAgent.K!tr.bdr is classified as Trojan with backdoor properties. Backdoor Trojan has the capability to receive a remote connection from a malicious hacker and perform actions against the compromised system.
VBA/Agent.32DC!tr.dldr is a generic detection for a type of macro downloader trojan that downloads other malware onto the compromised computer.
MS.SMB.Server.Trans.Peeking.Data.Information.Disclosure This indicates an attack attempt against an Information Disclosure vulnerability in Microsoft Windows SMB server. A remote attacker can exploit this to gain unauthorized access to sensitive information via the crafted SMB request. This vulnerability has been incorporated into various tools and is used for scanning vulnerable targets that might be affected by the vulnerabilities related to Shadow Brokers leak.
Backdoor.DoublePulsar This indicates detection of DoublePulsar Backdoor. Backdoor trojans have the capability to connect remote hosts and perform actions against the compromised system. The DoublePulsar Backdoor was revealed by the Shadow Brokers leaks in March 2017 and was used in the WannaCry ransomware attack in May 2017.
Generic.DNS.Tunnel.Detection.Variant.A This indicates detection of suspicious traffics that might be from a DNS Tunnel. DNS tunnels are proxy tools that can tunnel data over DNS to bypass firewall policy. Some malware and APT attacks have used DNS tunnels to communicate with C&C servers.
Andromeda.Botnet Andromeda is a botnet that is used to distribute malware with different capabilities, depending on the command given by its command-and-control (C&C) server. The toolkit for this botnet can be obtained on the Internet underground and is constantly being updated.
njRAT.Botnet This indicates that a system might be infected by njRAT Botnet. System Compromise: Remote attackers can gain control of vulnerable systems.
Conficker.Botnet This indicates detection of network traffic outbound originating from a computer infected with the W32/Conficker worm, also known as W32.Downadup and W32.Conficker. To spread, this worm exploits the Server Service Vulnerability (CVE-2008-4250), as written in the Microsoft Security Bulletin MS08-067.