Check Point: the most common malware of October 2021 is Trickbot

Check Point Research, the Threat Intelligence division of Check Point Software Technologies, a leading provider of cyber security solutions worldwide, has published its Global Threat Index for October 2021.

Researchers say that the modular botnet and banking trojan Trickbot remains at the top of the most common malware list, affecting 4% of organizations worldwide, while "Apache HTTP Server Directory Traversal" has entered the top ten list of exploited vulnerabilities. CPR also reveals that Education / Research is the sector receiving the most attacks.


Trickbot can steal financial information, account credentials and personal data, and can also spread through a network and drop ransomware. Since the takedown of Emotet in January, Trickbot has topped the list of most widespread malware five times. It is constantly updated with new features and distribution methods, which makes it a flexible and adaptable piece of malware that can be distributed as part of multi-purpose campaigns.

The new vulnerability, "Apache HTTP Server Directory Traversal", entered the top ten list of exploited vulnerabilities for October, ranking tenth. When it was first discovered, the Apache developers released a fix for CVE-2021-41773 in Apache HTTP Server 2.4.50. However, the fix was found to be insufficient and a directory traversal vulnerability still existed in Apache HTTP Server. Successful exploitation of this vulnerability could allow an attacker to gain access to arbitrary files on the affected system.

“The Apache vulnerability only came to light in early October and is already among the top ten most exploited vulnerabilities worldwide, which shows how quickly the attackers are moving. This vulnerability could lead to URLs being mapped to files outside of the expected document path (document root), unleashing path traversal," said Maya Horowitz, VP Research at Check Point Software. "It is imperative that of Apache have the appropriate protection technologies. This month, Trickbot, which is often used to drop ransomware, is again the most prevalent malware. Globally, one in 61 organizations is affected by ransomware every week. This is a shocking number and companies need to do more. Many attacks start with a simple email, so the of users on how to identify a potential threat is one of the most important defenses an organization can develop."

CPR also revealed that this month Education / Research is the most attacked industry worldwide, followed by Communications and Government / Military.

"Web Servers Malicious URL Directory Traversal" is the most commonly exploited vulnerability, affecting 60% of organizations worldwide, followed by "Web Server Exposed Git Repository Information Disclosure", which affects 55% of organizations worldwide, while "HTTP Headers Remote Code Execution" remains in third place on the list of most frequently exploited vulnerabilities, with a global impact of 54%.

Top malware families

* The arrows refer to the change in ranking compared with the previous month.

This month, Trickbot is the most popular malware, affecting 4% of organizations worldwide, followed by XMRig with 3% and Remcos with 2%.

  1. Trickbot - Trickbot is a modular Botnet and Banking Trojan that is constantly updated with new features, capabilities and distribution channels. This allows Trickbot to be a flexible and customizable malware that can be distributed as part of multipurpose campaigns.
  2. XMRig - XMRig is open source CPU mining software used to mine the Monero cryptocurrency; it first appeared in May 2017.
  3. Remcos - Remcos is a RAT that first appeared in the wild in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC security and run malware with high-level privileges.

Top attacks worldwide by industry:

This month, Education / Research is the industry with the most attacks worldwide, followed by Communications and Government / Military.

  1. Education / Research
  2. Communications
  3. Government / Military

Top exploited vulnerabilities

This month, "Web Servers Malicious URL Directory Traversal" is the most commonly exploited vulnerability, affecting 60% of organizations worldwide, followed by "Web Server Exposed Git Repository Information Disclosure", which affects 55% of organizations worldwide. "HTTP Headers Remote Code Execution" remains in third place on the list of the most frequently exploited vulnerabilities, with a global impact of 54%.

  1. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  2. Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow account information to be disclosed.
  3. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
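The Apache entry above and the generic "Web Servers Malicious URL Directory Traversal" signature come down to the same defect: the server does not decode and normalize the requested path before checking that it still lies inside the document root. The following Python is an added example, not Check Point's code or part of the index, showing that check run over a few constructed Apache-style access log lines; the document root /srv/www, the log lines and the client addresses are assumptions made for the illustration, and the sample traversal requests are constructed test data rather than real traffic.

```python
"""Detect directory traversal attempts in web server access logs.

Added example (not Check Point's code). The document root, the sample log
lines and the client addresses below are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root of the web server

# Apache "combined"-style access log lines (constructed sample data)
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Oct/2021:10:01:05 +0000] "GET /images/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220',
    '203.0.113.9 - - [12/Oct/2021:10:01:09 +0000] "GET /docs/../index.html HTTP/1.1" 200 512',
    '203.0.113.11 - - [12/Oct/2021:10:01:14 +0000] "GET /%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 196',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(raw: str, rounds: int = 2) -> str:
    """Percent-decode the path, repeating a bounded number of times.

    A single decode pass leaves double-encoded sequences (e.g. %252e) intact,
    so the check is done on the fully decoded form the server would act on.
    """
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_under_docroot(raw_path: str, docroot: str = DOCROOT):
    """Map a request path onto the filesystem and report whether it escapes docroot.

    Returns (resolved_path, escapes). This is the check a web server must make
    after decoding and normalizing: "." and ".." segments are collapsed and the
    result must still lie inside the document root.
    """
    path = decode_path(raw_path.split("?", 1)[0])   # drop the query string
    path = path.replace("\\", "/")                   # treat backslashes as separators too
    joined = posixpath.join(docroot, path.lstrip("/"))
    resolved = posixpath.normpath(joined)
    escapes = not (resolved == docroot or resolved.startswith(docroot + "/"))
    return resolved, escapes


def scan_access_log(lines, docroot: str = DOCROOT):
    """Return the log entries whose decoded request path resolves outside docroot."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip lines in an unexpected format
        resolved, escapes = resolve_under_docroot(m["path"], docroot)
        if escapes:
            hits.append({
                "client": m["client"],
                "path": m["path"],
                "resolved": resolved,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["client"]} requested {hit["path"]} -> {hit["resolved"]} (HTTP {hit["status"]})')
```

The third sample line contains ".." but normalizes to a file inside the document root, so it is not flagged; matching on the literal string ".." would produce that false positive, while matching only on the literal string would miss the percent-encoded and double-encoded forms in the second and fourth lines. Among flagged entries, a 200 status deserves attention first, since the server returned content for a path that resolved outside the document root, whereas a 404 shows the attempt was refused.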

Top mobile malware

This month, xHelper remains at the forefront of the most prevalent mobile malware, followed by AlienBot and XLoader.

  1. xHelper - A malicious application observed in the wild since March 2019, used to download other malicious applications and display ads. The application is able to hide itself from the user and can even reinstall itself if it has been uninstalled.
  2. AlienBot - The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims' accounts and eventually takes full control of their device.
  3. XLoader - XLoader is an Android Spyware and Banking Trojan developed by Yanbian Gang, a Chinese hacker group. This malware uses DNS spoofing to distribute infected Android applications in order to collect personal and financial information.

The top 10 in Greece

Malware name | Global Impact | Impact on Greece
--- | --- | ---
Nanocore | 1.28% | 5.62%
Remcos | 2.39% | 5.33%
Trickbot | 4.26% | 4.44%
Vidar | 0.95% | 3.25%
Joker | 0.08% | 2.96%
XMRig | 2.56% | 2.66%
xHelper | 0.64% | 2.66%
XLoader | 0.45% | 2.37%
Danabot | 0.43% | 2.37%
Triada | 0.20% | 2.07%
RigEK | 0.52% | 2.07%
Guloader | 0.68% | 2.07%


The top 10 Malware families per country

NanoCore - NanoCore is a Remote Access Trojan, first observed in 2013, that targets Windows OS users. All versions of the RAT contain basic plugins and features such as screen recording, cryptocurrency mining, remote desktop control and webcam session theft.

Remcos - Remcos is a RAT that first appeared in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC security and run malware with high-level privileges.

Trickbot - Trickbot is a modular Botnet and Banking Trojan that targets Windows platforms and is mainly delivered via spam or by other malware families such as Emotet. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a wide range of available ones, such as a VNC module for remote control or an SMB module for spreading within an affected network. Once a machine is infected, the threat actors behind Trickbot use this wide range of modules not only to steal banking credentials from the target computer, but also for lateral movement and reconnaissance within the organization itself, ahead of a targeted company-wide ransomware attack.

Vidar - Vidar is an infostealer that targets Windows operating systems. First detected in late 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar has been sold on various online forums and used as a malware dropper that downloads GandCrab ransomware as its secondary payload.

Joker - An Android spyware found on Google Play, designed to steal SMS messages, contact lists and device information. In addition, the malware silently signs the victim up for premium services on advertising websites.

XMRig - XMRig, first seen in May 2017, is open source CPU mining software used to mine the Monero cryptocurrency.

xHelper - A malicious application in use since March 2019, used to download other malicious applications and display ads. The application is able to hide itself from the user and reinstall itself if it has been uninstalled.

XLoader - XLoader is an Android Spyware and Banking Trojan developed by Yanbian Gang, a Chinese hacker group. This malware uses DNS spoofing to distribute infected Android applications in order to collect personal and financial information.

Danabot - Danabot is a Trickler that targets the Windows platform. The malware sends information to its server and downloads and decrypts a file to run on the infected computer. The downloaded module may reportedly download other malicious files onto the system. In addition, the malware creates a shortcut in the user's startup folder to achieve persistence on the infected system.

Triada - Triada is a modular backdoor for Android that grants super-user privileges to downloaded malware. Triada has also been observed spoofing URLs loaded in the browser.

Rig EK - The Rig EK was first introduced in April 2014. Since then it has received several major updates and continues to be active to this day. In 2015, as a result of an internal dispute between its administrators, the source code was leaked and has been thoroughly investigated by researchers. Rig provides Exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirect to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.

Guloader - Guloader is a downloader that has been widely used since December 2019. When it first appeared, GuLoader was used to download Parallax RAT, but it has since been used to deliver other remote access trojans and infostealers such as Netwire, FormBook and Agent Tesla.

Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence. ThreatCloud provides real-time threat information from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the Intelligence & Research department of Check Point Software Technologies.

The full list of the top 10 malware families for October is available on the Check Point blog.

iGuRu.gr


Written by newsbot

