April 2023 Top Malware

Check Point Research uncovered a major malspam campaign delivering the Qbot Trojan, which ranked second in last month's threat index. Meanwhile, the Internet-of-Things (IoT) malware Mirai returned to the list for the first time in a year, and healthcare became the second most targeted industry.

Check Point Software Technologies Ltd., a global cybersecurity solutions provider, has released its Global Threat Index for April 2023. Last month, researchers uncovered a major malicious spam campaign distributing Qbot through malicious PDF files attached to emails sent in multiple languages. Meanwhile, the Internet-of-Things (IoT) malware Mirai made the list for the first time in a year after exploiting a new vulnerability in TP-Link routers, and healthcare rose to become the second most targeted industry.

The Qbot campaign observed last month involves a new delivery method in which targets receive an email with an attachment containing protected PDF files. Once these are downloaded, Qbot is installed on the device. Researchers found instances of the malicious message being sent in many different languages, meaning organizations can be targeted globally.

Last month also saw the return of Mirai, one of the most widespread IoT malware families. Researchers discovered that a new zero-day vulnerability, CVE-2023-1380, was being exploited to attack TP-Link routers and add them to the botnet, which has been used to facilitate some of the most disruptive distributed denial-of-service (DDoS) attacks on record. This latest campaign follows an extensive report published by Check Point Research (CPR) on the prevalence of IoT attacks.

There was also a shift in the industries affected, with healthcare overtaking government as the second most exploited sector in April. Attacks on health care institutions have been well documented and some countries still face ongoing attacks. For example, the cybercriminal group Medusa recently launched attacks on anti-cancer facilities in Australia. The industry remains a lucrative target for hackers, giving them potential access to confidential patient data and payment information. This could have implications for pharmaceutical companies, as it could lead to leaks about clinical trials or new medical drugs and devices.

“Cybercriminals are constantly devising new methods to circumvent restrictions, and these campaigns are further evidence of how malware is adapting to survive. With Qbot attacking again, it serves as another reminder of the importance of having comprehensive cybersecurity and due diligence when it comes to trusting the origin and intent of an email,” said Maya Horowitz, VP of Research at Check Point Software.

CPR also revealed that “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, affecting 48% of organizations worldwide, followed by “Apache Log4j Remote Code Execution” with 44% and “HTTP Headers Remote Code Execution” with a global impact of 43%.

Top malware families

* The arrows indicate the change in ranking relative to the previous month.

Agent Tesla was the most prevalent malware last month, impacting over 10% of organizations worldwide, followed by Qbot and Formbook with a 4% global impact.

  1. Agent Tesla – Agent Tesla is an advanced RAT that works as a keylogger and information stealer. It is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from various software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
  2. Qbot – Qbot, AKA Qakbot, is a banking Trojan that first appeared in 2008. It was designed to steal a user's banking credentials and keystrokes. Often distributed through spam email, Qbot employs several anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection.
  3. Formbook – Formbook is an info stealer targeting the Windows operating system and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C.

Top industries under attack worldwide

Last month, education/research remained the most attacked industry globally, followed by healthcare and the government/military sector.

  1. Education / Research
  2. Healthcare
  3. Government / Military

Top Exploited Vulnerabilities

Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, affecting 48% of organizations worldwide, followed by “Apache Log4j Remote Code Execution” with 44% and “HTTP Headers Remote Code Execution” with a global impact of 43%.

  1. Web Servers Malicious URL Directory Traversal – A directory traversal vulnerability exists in various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  2. Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system.
  3. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim's machine.
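To make the root cause of the first entry concrete (a server that maps the request URI onto its document root without sanitizing traversal patterns), the following Python example is added here; it is not code from the report or from Check Point. It places a naive path mapping beside a hardened one that decodes once, rejects still-encoded, NUL and backslash input, normalizes, and requires the result to stay under the root, and then runs the hardened check over a few constructed access-log lines as a detection pass. The document root `/var/www/html`, the sample log lines and all function names are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical document root; an assumption for this example, not a value from the report.
WEB_ROOT = "/var/www/html"


def resolve_unsafe(request_path: str, web_root: str = WEB_ROOT) -> str:
    """The flaw described in the report: the request URI is decoded and
    joined onto the document root, but '..' segments are never checked, so
    a crafted path climbs out of the root after normalisation."""
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def resolve_safe(request_path: str, web_root: str = WEB_ROOT):
    """Hardened mapping. Decode exactly once, reject anything that is still
    percent-encoded (so a second decoder downstream cannot turn %2e%2e into
    '..'), reject NUL bytes and backslashes, normalise, and finally require
    the result to be the root itself or a path strictly below it.
    Returns the filesystem path, or None when the request is rejected."""
    decoded = unquote(request_path)
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Comparing against root + "/" also stops escapes into a sibling
    # directory whose name merely starts with the root (e.g. /var/www/html2).
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Matches the request line of a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(log_lines):
    """Detection pass over access-log lines: return the raw request paths
    that the hardened resolver would reject. Because the check normalises
    the path, '/images/../index.html' (which stays inside the root) is not
    flagged, while encoded or repeated '..' escapes are."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group(1).split("?", 1)[0]  # drop the query string
        if resolve_safe(raw_path) is None:
            hits.append(raw_path)
    return hits


# Constructed sample log lines for the demonstration (not taken from the report).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2023:10:00:02 +0000] "GET /../../../etc/passwd HTTP/1.1" 403 0',
    '10.0.0.9 - - [12/Apr/2023:10:00:03 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 0',
    '10.0.0.7 - - [12/Apr/2023:10:00:04 +0000] "GET /images/../index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("naive resolver :", resolve_unsafe("/../../../etc/passwd"))  # escapes the root
    print("hardened       :", resolve_safe("/../../../etc/passwd"))    # None
    print("flagged        :", flag_traversal_requests(SAMPLE_LOG))
```

The detection pass deliberately reuses the resolver instead of matching the substring `..`: a request such as `/images/../index.html` normalizes to a file inside the root and is legitimate, whereas the two escapes in the sample log (one plain, one percent-encoded) are rejected only after decoding and normalization, which is exactly where the vulnerable servers in the report fall short.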

Top Malicious Mobile Apps

Last month, AhMyth rose to the top spot as the most prevalent mobile malware, followed by Anubis and Hiddad.

  1. AhMyth – AhMyth is a remote access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera.
  2. Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since it was first identified, it has gained additional functions, including Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been spotted in hundreds of different apps available on Google Play.
  3. Hiddad – Hiddad is Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.

Check Point's Global Threat Impact Index and its ThreatCloud Map are powered by Check Point's ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.

The full list of the top ten malware families in April is available on the Check Point blog.

iGuRu.gr The Best Technology Site in Greece

Written by newsbot
