TRENDS 
 

The top attacker country was China with 3815 unique attackers (37%). This represents an important increase of 5% comparing to previous week. 

The top Exploit event was Miscellaneous with 55% of occurrences. 
The top Trojan C&C server detected was Formbook with an increase of 2% of new IP addresses comparing to last week. 

TOP ATTACKER COUNTRIES 

COUNTRY 

OCCURRENCES 

PERCENTAGE% 

China 

3815 

37% 

United States 

1638 

16% 

Vietnam 

481 

5% 

India 

460 

5% 

France 

431 

4% 

Republic of Korea 

428 

4% 

United Kingdom 

406 

4% 

Brazil 

402 

4% 

Indonesia 

371 

4% 

Russia 

268 

3% 

Taiwan 

257 

3% 

Thailand 

218 

2% 

Canada 

179 

2% 

Italy 

169 

2% 

Germany 

160 

2% 

Mexico 

155 

2% 

Netherlands 

143 

1% 

Hong Kong 

119 

1% 

Singapore 

114 

1% 

 

 
 

TOP ATTACKER HOSTS 

HOST 

OCCURRENCES 

116.118.253.189 

23 

1.234.9.100 

19 

218.92.0.138 

19 

209.97.189.146 

18 

169.57.37.248 

15 

187.84.223.50 

13 

218.92.0.138 

13 

62.171.157.47 

13 

190.3.183.49 

10 

 

TOP NETWORK ATTACKERS 

ORIGIN AS                     

COUNTRY   

NAME: 

AS4837 

China 

China Unicom Hebei province network 

AS208666 

Netherlands 

XEMU 

AS237 

United States 

Merit Network Inc 

AS63949 

United States 

Linode 

AS19318 

United States 

Interserver, Inc 

AS199883 

United Kingdom 

ArubaCloud Limited 

TOP EVENTS NIDS AND EXPLOITS 


REMOTE ACCESS TROJAN C&C SERVERS FOUND 
 

 

MALWARE 

WEEK 14 

FORMBOOK 

8992 

EMOTET 

4695 

LOKIBOT 

3049 

AZORULT 

1534 

NANOCORE 

1455 

DANABOT 

1351 

URSNIF 

1126 

PONY 

977 

NJRAT 

755 

REMCOS 

604 

AGENT TESLA 

597 

ADWIND 

467 

NETWIRE 

443 

PREDATOR THE THIEF 

421 

SMOKE LOADER 

415 

TRICKBOT 

306 

AVEMARIA 

288 

GANDCRAB 

266 

VIDAR 

228 

HAWKEYE 

218 

REVENGE 

196 

QUASART RAT 

185 

HANCITOR 

145 

GLUPTEBA 

104 

RACOON 

95 

DRIDEX 

88 

FLAWEDAMMYY 

59 

ICEID 

63 

ORCUS RAT 

43 

GOOTKIT 

39 

NEMTY 

29 

WANNACRY 

21 

TROLDESH 

SODINOKIBI 

Comparing to last week: 

 
 

COMMON MALWARE 

MD5 

Typical Filename 

Claimed Product 

Detection Name 

47b97de62ae8b2b927542aa5d7f3c858 

qmreportupload.exe 

qmreportupload 

Win.Trojan.Generic::in10.talos 

8c80dd97c37525927c1e549cb59bcbf3 

eternalblue-2.2.0.exe 

N/A 

W32.85B936960F.5A5226262.auto.Talos 

aa9bb66a406b5519e2063a65479dab90 

output.148937912.txt 

N/A 

Win.Dropper.Generic::vv 

7c38a43d2ed9af80932749f6e80fea6f 

wup.exe 

N/A 

PUA.Win.File.Coinminer::1201 

88cbadec77cf90357f46a3629b6737e6 

FlashHelperServices.exe 

Flash Helper Services 

PUA.Win.File.2144flashplayer::tpd 


CVES FOR WHICH PUBLIC EXPLOITS HAVE BEEN DETECTED 

CVE 

DESCRIPTION 

CVSS SCORE 

CVE-2020-4198 

IBM Tivoli Netcool/OMNIbus_GUI 8.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 174909. 

V3.1: 5.4 MEDIUM 

V2: 3.5 LOW 

CVE-2020-5403 

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response. 

   

(not available) 

CVE-2020-5404 

The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects. 

(not available) 

CVE-2020-1893 

Insufficient boundary checks when decoding JSON in TryParse reads out of bounds memory, potentially leading to DOS. This issue affects HHVM 4.45.0, 4.44.0, 4.43.0, 4.42.0, 4.41.0, 4.40.0, 4.39.0, versions between 4.33.0 and 4.38.0 (inclusive), versions between 4.9.0 and 4.32.0 (inclusive), and versions prior to 4.8.7. 

(not available) 

0 Comments
Thursday, April 2, 2020 By john