Emotet and Qbot crack the list of most widespread malware – November 2022

Check Point Software Technologies Ltd, a global cybersecurity solutions provider, has released its Global Threat Index for November 2022. This month sees the return of Emotet, an ambitious Trojan that took a brief hiatus over the summer.

Qbot moved to third place for the first time since July 2021, with a global impact of 4%, while there was a notable increase in attacks by Raspberry Robin, a sophisticated worm that typically uses malicious USB drives to infect machines.


In July 2022, Check Point Research (CPR) reported a significant reduction in Emotet's global influence and activity, suspecting that its absence would only be temporary. As predicted, the self-propagating Trojan is back on the index, reaching second place among the most prevalent malware in November and impacting 4% of organizations worldwide. While Emotet started out as a banking Trojan, its modular design has allowed it to evolve into a distributor for other types of malware, and it is usually spread through phishing campaigns. Emotet's increased prevalence could be partly attributed to a series of new malicious spam campaigns launched in November, designed to distribute the payloads of the IcedID banking Trojan.

Also, for the first time since July 2021, Qbot, a banking Trojan, made it to third place on the top malware list, with an overall impact of 4%. The attackers behind the malware are financially motivated cybercriminals who steal financial data, banking credentials and web browser information from infected and compromised systems. Once the operators of Qbot manage to infect a system, they install a backdoor to grant access to ransomware operators, leading to double extortion attacks. In November Qbot exploited a Windows zero-day vulnerability to give attackers full access to infected networks.

This month has also seen an increase in the appearance of Raspberry Robin, a sophisticated worm that uses malicious USB drives containing Windows shortcut files that look legitimate but actually infect victims' machines. Microsoft found that it has evolved from a widespread worm into an infection platform for the distribution of malware, linked to other malware families and to alternative infection methods beyond the original USB drive spread.

“While some sophisticated malware can lie dormant during a quiet period, the past few weeks are a stark reminder that they won't lie dormant for long. We can't afford to be complacent, so it's important that everyone remains vigilant when opening emails, clicking links, visiting websites or sharing personal information,” said Maya Horowitz, VP Research at Check Point Software.

CPR also revealed that “Web Malicious URL Directory Traversal” is the most commonly exploited vulnerability, affecting 46% of organizations worldwide, closely followed by “Web Server Exposed Git Repository Information Disclosure” with 45% impact. In November education/research also remained in first place as the most attacked sector globally.

TOP malware families


  1. AgentTesla – AgentTesla is an advanced RAT that acts as an information stealer. It is able to monitor and collect the victim's keyboard input and system clipboard, take screenshots and exfiltrate credentials from various software installed on the victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook).
  2. Emotet – Emotet is an advanced, self-propagating and modular Trojan. Once used as a banking Trojan, Emotet is now used as a distributor for other malicious programs or malicious campaigns. It uses multiple methods to maintain persistence and evasion techniques to avoid detection. Additionally, it can be spread through phishing spam emails that contain malicious attachments or links.
  3. Qbot – Qbot, AKA Qakbot, is a banking Trojan that first appeared in 2008, designed to steal a user's banking details and keystrokes. It is often distributed via spam messages and uses various anti-VM, anti-debugging and anti-sandbox techniques to prevent analysis and avoid detection.

The sectors with the most attacks

This month, Education/Research remains the most attacked industry globally, followed by Government/Military and then Healthcare.

  1. Education / Research
  2. Government / Military
  3. Healthcare

The most exploited vulnerabilities

This month, “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations worldwide, followed by “Web Server Exposed Git Repository Information Disclosure” impacting 45%. “HTTP Headers Remote Code Execution” is still the third most frequently used vulnerability, with an impact of 42%.

  1. Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to expose or gain access to arbitrary files on the vulnerable server.
  2. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git repositories exposed by web servers. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
  3. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
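As an added example, not from this article or from Check Point, the following Python script shows the defender's side of the first two entries: it decodes request paths (including double percent-encoding), flags directory-traversal segments and requests for an exposed .git directory, and runs the check over constructed web-server access-log lines. The log lines, IP addresses and function names are all assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not from the article or any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [12/Nov/2022:10:01:09 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [12/Nov/2022:10:01:15 +0000] "GET /img/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [12/Nov/2022:10:02:30 +0000] "GET /.git/config HTTP/1.1" 200 93
10.0.0.9 - - [12/Nov/2022:10:02:31 +0000] "GET /%252e%252e/secret HTTP/1.1" 404 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(raw_path: str) -> Optional[str]:
    """Return 'traversal', 'git-exposure' or None for one request path."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = path.split("/")
    if ".." in segments:          # any parent-directory segment after decoding
        return "traversal"
    if ".git" in segments:        # request into a repository metadata directory
        return "git-exposure"
    return None


def scan_log(text: str) -> list:
    """Return (client_ip, finding, raw_path) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue                          # skip lines that are not CLF requests
        ip, _ts, _method, raw_path, _status = m.groups()
        finding = classify_path(raw_path)
        if finding:
            findings.append((ip, finding, raw_path))
    return findings


if __name__ == "__main__":
    for ip, finding, raw in scan_log(SAMPLE_LOG):
        print(f"{ip:12} {finding:13} {raw}")
```

A 404 on a traversal attempt still deserves attention, since the same client usually keeps probing until a variant succeeds; the 200 on /.git/config is the finding that needs immediate remediation.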

TOP Mobile Malware

This month Anubis remains the most prevalent mobile malware, followed by Hydra and AlienBot.

  1. Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since it was first detected, it has acquired additional functions such as Remote Access Trojan (RAT) capabilities, a keylogger, audio recording and various ransomware features. It has been spotted in hundreds of different apps available in the Google Store.
  2. Hydra – Hydra is a banking Trojan designed to steal financial credentials by asking victims to enable dangerous permissions.
  3. AlienBot – AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credential theft and SMS harvesting to bypass 2FA. Additional remote control capabilities are provided through a TeamViewer module.

Top 10 malware families by country (Greece)

Malware family     Global impact   Impact in Greece
Qbot               4.34%           11.11%
SnakeKeylogger     3.15%           10.83%
Emotet             4.44%           10.54%
Formbook           2.63%            5.41%
IcedID             2.02%            5.41%
AgentTesla         5.89%            5.41%
XMRig              3.13%            5.13%
Esfury             1.17%            3.70%
Teabot             0.08%            3.42%
AZORult            0.41%            3.13%

Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on ThreatCloud, the company's threat intelligence platform, which provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. ThreatCloud intelligence is enriched with AI-driven engines and exclusive research data from Check Point Research, the Intelligence & Research division of Check Point Software Technologies.

The full list of the top 10 malware families in October 2022 is on the Check Point blog.

Written by newsbot