Researchers have discovered a resurgence of the Qbot malware, detected in phishing attempts aimed at the hospitality industry. Meanwhile, the FakeUpdates downloader rose to the top spot.
Check Point Software Technologies Ltd., a provider of cybersecurity solutions worldwide, has released its Global Threat Index for December 2023. Researchers identified the re-emergence of Qbot four months after its infrastructure was dismantled by US and international law enforcement as part of Operation Duck Hunt in August 2023. Meanwhile, the JavaScript downloader FakeUpdates rose to the top spot, and Education remained the most affected sector globally.
Last month, cybercriminals used the Qbot malware as part of a small-scale phishing attack targeting organizations in the hospitality sector. In the campaign, researchers found that the attackers impersonated the IRS and sent malicious emails containing PDF attachments with embedded URLs linked to a Microsoft installer.
Once activated, this launched a hidden version of Qbot that leveraged an embedded dynamic link library (DLL). Before its takedown in August, Qbot dominated the threat index as one of the three most prevalent malware families for 10 consecutive months. Although it is not yet back on the list, the next couple of months will show whether it regains the prominence it once had.
Meanwhile, FakeUpdates continued its rise after re-emerging in late 2023, reaching the top spot with a global impact of 2%. Nanocore also held a place in the top five for six consecutive months, taking third place in December, while Ramnit and Glupteba were new entries.
"Seeing Qbot in the news less than four months after its distribution infrastructure was dismantled is a reminder that while we can disrupt malicious malware campaigns, the perpetrators behind them will adapt with new technologies," said Maya Horowitz, vice president of research at Check Point Software. "This is why organizations are encouraged to take a proactive approach to endpoint security and conduct due diligence on the origin and intent of an email."
CPR also revealed that the vulnerabilities "Apache Log4j Remote Code Execution (CVE-2021-44228)" and "Web Servers Malicious URL Directory Traversal" were the most exploited vulnerabilities, affecting 46% of organizations worldwide. "Zyxel ZyWALL Command Injection (CVE-2023-28771)" followed closely with a global impact of 43%.
Top malware families
* The arrows indicate the change in ranking compared with the previous month.
FakeUpdates and Formbook were the most prevalent malware families last month, each with a 2% impact on organizations worldwide, followed by Nanocore with a global impact of 1%.
- ↑ FakeUpdates - FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before executing them. FakeUpdates may lead to further compromise via additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
- ↓ Formbook - Formbook is an info stealer targeting the Windows operating system, first identified in 2016. It is marketed as Malware-as-a-Service (MaaS) on underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files on instruction from its C&C.
- ↑ Nanocore - Nanocore is a remote access Trojan targeting Windows users, first observed in the wild in 2013. All versions of the RAT contain basic plugins and features such as screen capture, cryptocurrency mining, remote desktop control and webcam session hijacking.
Top exploited vulnerabilities
Last month, "Apache Log4j Remote Code Execution (CVE-2021-44228)" and "Web Servers Malicious URL Directory Traversal" were the most exploited vulnerabilities, affecting 46% of organizations worldwide, followed by "Zyxel ZyWALL Command Injection (CVE-2023-28771)" with a global impact of 43%.
- ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system.
- ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists in various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↔ Zyxel ZyWALL Command Injection (CVE-2023-28771) - A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation would allow remote attackers to execute arbitrary operating system commands on the affected system.
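The directory traversal class described above comes down to a server joining the raw URI onto its document root without normalising it. The Python below is an example added here, not code from Check Point or the report: it shows that flawed resolution beside a hardened one that decodes, normalises and confines the path, and reuses the hardened check as a detection over constructed request paths; DOCROOT and the sample paths are assumed values.

```python
"""Directory traversal: flawed vs. confined path resolution (constructed demo)."""
from pathlib import PurePosixPath
from urllib.parse import unquote

DOCROOT = PurePosixPath("/var/www/html")  # assumed document root for the demo


def naive_resolve(uri_path):
    """The flawed pattern: join the raw URI onto the docroot. PurePosixPath
    keeps '..' segments, so the OS later walks out of DOCROOT when opening."""
    return DOCROOT / uri_path.lstrip("/")


def safe_resolve(uri_path):
    """Percent-decode repeatedly (defeats double encoding such as %252e%252e),
    treat backslashes as separators, reject NUL bytes, collapse '.' and '..'
    segments, and return None if the path would climb above DOCROOT."""
    decoded = uri_path
    for _ in range(3):  # bounded: stop as soon as decoding changes nothing
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:  # NUL truncates the path in C-based servers
        return None
    decoded = decoded.replace("\\", "/")
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:  # attempt to leave the document root
                return None
            parts.pop()
        else:
            parts.append(seg)
    return DOCROOT.joinpath(*parts)


def flag_requests(paths):
    """Detection view: return the request paths whose normalised form escapes DOCROOT."""
    return [p for p in paths if safe_resolve(p) is None]


# Constructed sample request paths, not taken from the report
SAMPLE_PATHS = [
    "/index.html",
    "/static/../static/app.js",
    "/cgi-bin/../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
    "/img/%252e%252e/%252e%252e/boot.ini",
]
```

The same confinement check belongs in front of every file-serving handler; the log-scanning form is a cheap way to spot probing for this vulnerability class in access logs.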
Top mobile malware
Last month Anubis remained in the top spot as the most prevalent mobile malware, followed by AhMyth and Hiddad.
- Anubis - Anubis is a banking Trojan designed for Android phones. Since it was first identified, it has gained additional functions, including Remote Access Trojan (RAT) capabilities, a keylogger, audio recording and various ransomware features. It has been spotted in hundreds of different apps available on the Google Store.
- AhMyth - AhMyth is a remote access Trojan (RAT) discovered in 2017. It is distributed through Android apps found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which are commonly used to steal sensitive information.
- Hiddad - Hiddad is Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.
The most attacked industries worldwide
Last month, Education/Research remained the most attacked industry worldwide, followed by Communications and Government/Military.
- Education / Research
- Communications
- Government / Military
Check Point's Global Threat Impact Index and its ThreatCloud Map are powered by Check Point's ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile phones. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.
The full list of the top ten malware families in December is on Check Point's blog.