Check Point: Trickbot is the most common malware of October 2021


Check Point Research, the Threat Intelligence division of Check Point Software Technologies, a leading provider of cyber security solutions worldwide, has published its Global Threat Index for October 2021.

Researchers report that the modular botnet and banking trojan Trickbot remains at the top of the list of the most common malware, affecting 4% of organizations worldwide, while "Apache HTTP Server Directory Traversal" has entered the top ten list of exploited vulnerabilities. CPR also reports that the sector receiving the most attacks is Education / Research.


Trickbot can steal financial information, account credentials and personal data, spread laterally within a network and drop ransomware. Since the takedown of Emotet in January, Trickbot has topped the list of the most common malware five times. It is constantly updated with new capabilities, features and distribution methods, which makes it a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.

The new vulnerability, "Apache HTTP Server Directory Traversal", entered the top ten list of exploited vulnerabilities for October, ranking tenth. When the flaw was first disclosed, the Apache developers released a fix for CVE-2021-41773 in Apache HTTP Server 2.4.50. That fix was found to be incomplete (the bypass is tracked as CVE-2021-42013) and the path traversal remained exploitable on 2.4.50; it was fully addressed in 2.4.51. Successful exploitation allows an attacker to read arbitrary files on the affected system, and where mod_cgi is enabled the same traversal can be turned into remote code execution. Two points worth checking when triaging exposure: only 2.4.49 and 2.4.50 are affected, and the traversal only reaches files in directories that are not protected by the default "Require all denied" rule.

"The Apache vulnerability came to light only in early October and is already among the top ten most exploited vulnerabilities worldwide, which shows how fast the perpetrators are moving. This vulnerability could lead to URLs being mapped to files outside the expected document root, launching a path traversal attack," said Maya Horowitz, VP Research at Check Point Software. "It is imperative that Apache users have the right protection technologies in place. This month, Trickbot, which is often used to drop ransomware, is once again the most common malware. Globally, one in 61 organizations is affected by ransomware each week. This is a shocking figure and companies need to do more. Many attacks start with a simple email, so educating users on how to identify a potential threat is one of the most important defenses an organization can develop."

CPR also revealed this month that Education / Research is the industry with the most attacks worldwide, followed by Communications and Government / Military.

"Web Servers Malicious URL Directory Traversal" is the most commonly exploited vulnerability, affecting 60% of organizations worldwide, followed by "Web Server Exposed Git Repository Information Disclosure", which affects 55% of organizations worldwide, while "HTTP Headers Remote Code Execution" remains in third place on the list of most frequently exploited vulnerabilities, with a global impact of 54%.

Top malware families

* The arrows refer to the change of the ranking in relation to the previous month.


This month, Trickbot is the most popular malware affecting 4% of organizations worldwide, followed by XMRig with 3% and Remcos with 2%.

  1. Trickbot - Trickbot is a modular botnet and banking trojan that is constantly updated with new features, capabilities and distribution channels. This allows Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.
  2. XMRig - XMRig is open source CPU mining software used to mine the Monero cryptocurrency; it first appeared in May 2017.
  3. Remcos - Remcos is a RAT that first appeared in the wild in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC security and run malware with high-level privileges.

Top attacks worldwide by industry:

This month, Education / Research is the industry with the most attacks worldwide, followed by Communications and Government / Military.

  1. Education / Research
  2. Communications
  3. Government / Military

Top exploited vulnerabilities

This month, "Web Servers Malicious URL Directory Traversal" is the most commonly exploited vulnerability, affecting 60% of organizations worldwide, followed by "Web Server Exposed Git Repository Information Disclosure", which affects 55% of organizations worldwide. "HTTP Headers Remote Code Execution" remains in third place on the list of the most frequently exploited vulnerabilities, with a global impact of 54%.

  1. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  2. Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
  3. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim's machine.
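The two most exploited categories above (directory traversal, including the Apache HTTP Server 2.4.49/2.4.50 variant discussed earlier, and probing for an exposed Git repository) both leave a recognisable trace in a web server's access log. The following Python script is an added example, not code from Check Point or the Apache project: it parses constructed Apache "combined"-format log lines, percent-decodes each request path repeatedly so that both the single-encoded `%2e` form (CVE-2021-41773) and the double-encoded `%%32%65` form (CVE-2021-42013) collapse to `..`, and flags traversal attempts and requests into `/.git/`. The log lines, IP addresses and user agents are made up for the example.

```python
"""Detect directory-traversal and exposed-.git probing in Apache access logs.

Added example (not from the original article). Sample log lines below are
constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format. The first two
# mimic the request shapes used against CVE-2021-41773 and CVE-2021-42013.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1287 "-" "curl/7.68.0"
203.0.113.5 - - [07/Oct/2021:10:12:07 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1287 "-" "python-requests/2.25.1"
198.51.100.7 - - [07/Oct/2021:10:13:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2021:10:14:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Oct/2021:10:14:04 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Oct/2021:10:15:30 +0000] "GET /docs/manual/index.html?q=a%20b HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def decode_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    single-encoded %2e and double-encoded %%32%65 both collapse to '.'.
    Returns (decoded_path, rounds_applied)."""
    current, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify(target):
    """Return a tag for a suspicious request target, or None if benign."""
    path = target.split("?", 1)[0]          # the query string is not a path
    decoded, rounds = decode_path(path)
    segments = decoded.split("/")
    if ".." in segments:                    # any segment that escapes a directory
        return "double-encoded traversal" if rounds >= 2 else "traversal"
    if ".git" in segments:                  # /.git/HEAD, /.git/config, ...
        return "git probe"
    return None


def find_suspicious(log_text):
    """Parse combined-format lines and return the suspicious ones as dicts."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify(m["target"])
        if tag:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]), "tag": tag})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        # A 200 on a traversal or .git probe is the line worth escalating.
        print(f'{hit["ip"]:<14} {hit["status"]} {hit["tag"]:<26} {hit["target"]}')
```

Decoding is iterated rather than done once because the CVE-2021-42013 bypass exists precisely to defeat single-pass normalisation; the loop is bounded so a pathological input cannot keep it busy. A 404 on a `/.git/` request only tells you someone is scanning, whereas a 200 on `/.git/HEAD` means the repository (and often credentials in its config or history) is readable.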

Top Malware for mobile phones

This month, xHelper remains at the forefront of the most prevalent mobile malware, followed by AlienBot and XLoader.

  1. xHelper - A malicious application observed in the wild since March 2019, used to download other malicious applications and display ads. The application is capable of hiding itself from the user and can even reinstall itself if it has been uninstalled.
  2. AlienBot - The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims' accounts and eventually takes full control of their device.
  3. XLoader - XLoader is an Android spyware and banking trojan developed by the Yanbian Gang, a Chinese hacker group. This malware uses DNS spoofing to distribute infected Android applications in order to collect personal and financial information.

The top 10 in Greece

The list has twelve entries rather than ten because of ties at 2.66%, 2.37% and 2.07%.

Malware name   Global impact   Impact in Greece
Nanocore       1.28%           5.62%
Remcos         2.39%           5.33%
Trickbot       4.26%           4.44%
Vidar          0.95%           3.25%
Joker          0.08%           2.96%
XMRig          2.56%           2.66%
xHelper        0.64%           2.66%
XLoader        0.45%           2.37%
Danabot        0.43%           2.37%
Triada         0.20%           2.07%
RigEK          0.52%           2.07%
Guloader       0.68%           2.07%


The malware families in the top 10 for Greece

NanoCore - NanoCore is a Remote Access Trojan, first detected in 2013, that targets users of the Windows operating system. All versions of the RAT have basic plugins and features such as screen capture, cryptocurrency mining, remote desktop control and webcam session theft.

Remcos - Remcos is a RAT that first appeared in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC security and run malware with high-level privileges.

Trickbot - Trickbot is a modular botnet and banking trojan that targets Windows platforms and is mainly delivered via spam or by other malware families such as Emotet. Trickbot sends information about the infected system to its operators and can also download and execute arbitrary modules from the wide range available, such as a VNC module for remote control or an SMB module for propagation within an affected network. Once a machine is infected, the threat actors behind Trickbot use this range of modules not only to steal banking credentials from the target computer, but also for lateral movement and reconnaissance within the organization itself, ahead of a targeted, company-wide ransomware attack.

Vidar - Vidar is an infostealer that targets Windows operating systems. First detected in late 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar has been sold on various online forums and has been used as a malware dropper to download GandCrab ransomware as its secondary payload.

Joker - An Android spyware found on Google Play, designed to steal SMS messages, contact lists and device information. In addition, the malware silently subscribes the victim to premium services on advertising websites.

XMRig - XMRig, first introduced in May 2017, is open source CPU mining software used to mine the Monero cryptocurrency.

xHelper - A malicious application observed in the wild since March 2019, used to download other malicious applications and display ads. The application is capable of hiding itself from the user and reinstalling itself if it has been uninstalled.

XLoader - XLoader is an Android spyware and banking trojan developed by the Yanbian Gang, a Chinese hacker group. This malware uses DNS spoofing to distribute infected Android applications in order to collect personal and financial information.

Danabot - Danabot is a Trickler (downloader) that targets the Windows platform. The malware sends information to its command-and-control server, then downloads and decrypts a file to run on the infected computer. The downloaded payload is reported to be able to fetch further malicious files onto the network. In addition, the malware creates a shortcut in the user's Startup folder to ensure that it persists on the infected system.

Triada - Triada is a modular backdoor for Android that grants super-user privileges to downloaded malware. Triada has also been observed spoofing URLs loaded in the browser.

Rig EK - The Rig exploit kit was first introduced in April 2014. Since then it has received several major updates and remains active to this day. In 2015, as a result of an internal dispute between its operators, the source code was leaked and has been examined in detail by researchers. Rig provides exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirect to a landing page containing JavaScript that checks for vulnerable plugins and delivers the exploit.

GuLoader - GuLoader is a downloader that has been widely used since December 2019. When it first appeared, GuLoader was used to download Parallax RAT, but it has since been used to deliver other remote access trojans and infostealers such as Netwire, FormBook and Agent Tesla.

Check Point Software's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the Intelligence & Research arm of Check Point Software Technologies.

The full list of the top 10 malware families in October is available on the Check Point blog.
