Check Point Software Technologies Ltd., a global provider of cyber security solutions, has published its Global Threat Index for February 2023. Last month the Remcos Trojan returned to the top ten list for the first time since December 2022, after it was reported to have been used by threat actors targeting Ukrainian government entities through phishing attacks.
In the meantime, the Emotet Trojan and the Formbook info stealer moved up the rankings to take second and third place respectively, while Education/Research remained the most targeted sector.
Although researchers found a 44% drop in the average number of weekly attacks per organization between October 2022 and February 2023, Ukraine remains a popular target for cybercriminals following the Russian invasion. In the most recent campaign, the attackers impersonated Ukrtelecom JSC in a mass email distribution, using a malicious RAR attachment to spread the Remcos Trojan, which returned to the top of the malware list for the first time since October 2022.
Once installed, the tool opens a backdoor on the compromised system, giving the remote operator full access for activities such as exfiltrating data and executing commands. The ongoing attacks are believed to be linked to cyber espionage operations, given the behaviour patterns and offensive potential of the incidents.
“Although the number of politically motivated attacks in Ukraine has decreased, it remains a battleground for cybercriminals. Hacktivism has typically been high on the agenda of threat actors since the Russian-Ukrainian war began, and most have favored disruptive attack methods such as DDoS to garner the most publicity. However, the latest campaign used a more traditional method of attack, using phishing deception to obtain user information and extract data.
It is important that all organizations and government agencies follow safe security practices when receiving and opening email messages. Do not download attachments without first checking them. Avoid clicking on links within the body of the email, and check the sender's address for any irregularities, such as extra characters or spelling errors,” said Maya Horowitz, vice president of research at Check Point Software.
CPR also revealed that “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, affecting 47% of organizations worldwide, followed by “Web Server Exposed Git Repository Information Disclosure”, which affected 46% of organizations worldwide, while “Apache Log4j Remote Code Execution” was the third most exploited vulnerability, with a global impact of 45%.
Top malware families
* The arrows indicate the change in ranking compared with the previous month.
Qbot was the most prevalent malware last month, impacting over 7% of organizations worldwide, followed by Formbook with 5% and Emotet with 4%.
↔ Qbot - Qbot, also known as Qakbot, is a banking Trojan that first appeared in 2008. It is designed to steal a user's banking credentials and keystrokes and is often distributed through spam emails. Qbot employs several anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection.
↑ FormBook - FormBook is an info stealer targeting the Windows operating system, first identified in 2016. It is sold as Malware-as-a-Service (MaaS) on underground hacking forums, valued for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files on instruction from its C&C.
↑ Emotet - Emotet is an advanced, self-propagating, modular Trojan. Emotet was once used as a banking Trojan but has recently served as a distributor of other malware and malicious campaigns. It uses multiple methods to maintain persistence and evasion techniques to avoid detection. It can also spread through spam emails containing malicious attachments or links.
Industries with the most attacks worldwide
Last month, Education/Research remained the most attacked industry globally, followed by the Government/Military sector and then Healthcare.
1. Education/Research
2. Government/Military
3. Healthcare
Top exploited vulnerabilities
Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, affecting 47% of organizations worldwide. It was followed by “Web Server Exposed Git Repository Information Disclosure”, which affected 46% of organizations worldwide, while “Apache Log4j Remote Code Execution” was the third most frequently exploited vulnerability, with a global impact of 45%.
- ↑ Web Servers Malicious URL Directory Traversal - A directory traversal vulnerability exists in various web servers. It stems from an input validation error: the web server does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or gain access to arbitrary files on the vulnerable server.
- ↓ Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation could allow unintentional disclosure of account information.
- ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system.
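As an added illustration of the first two entries above (example code written for this page, not Check Point's), here is a small access-log scanner that flags the two request patterns a web server should never have served: URI paths that traverse above the web root, even when double-encoded or written with backslashes, and probes for `.git/` metadata files. The log format, field names and sample lines are constructed.

```python
"""Flag directory-traversal and exposed-.git probes in web access logs.
Sample log lines are constructed for this example."""
import re
from urllib.parse import unquote

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
GIT_RE = re.compile(r"(^|/)\.git(/|$)")  # any request into the .git directory

def normalize_path(raw_path):
    """Strip the query string, percent-decode until stable (so %252e%252e
    becomes '..'), and unify backslashes so '..\\' is seen as '../'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded loop: stop once decoding no longer changes it
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_root(path):
    """Walk the path segments; it is traversal if the depth ever drops
    below the web root. '/docs/a/../b.html' stays inside and is benign."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify(raw_path):
    """Return a finding label for a request path, or None if it looks clean."""
    norm = normalize_path(raw_path)
    if escapes_root(norm):
        return "directory-traversal"
    if GIT_RE.search(norm):
        return "exposed-git-repository"
    return None

def scan(lines):
    """Return (client, finding, raw_path) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, raw_path, _status = m.groups()
        finding = classify(raw_path)
        if finding:
            findings.append((client, finding, raw_path))
    return findings

SAMPLE_LOG = [  # constructed examples using documentation IP ranges
    '203.0.113.5 - - [01/Feb/2023:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Feb/2023:10:00:01 +0000] "GET /static/../../../conf/app.cfg HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Feb/2023:10:00:02 +0000] "GET /img/%252e%252e/%252e%252e/win.ini HTTP/1.1" 400 0',
    '198.51.100.7 - - [01/Feb/2023:10:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '192.0.2.9 - - [01/Feb/2023:10:00:04 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, finding, path in scan(SAMPLE_LOG):
        print(f"{client}\t{finding}\t{path}")
```

A 200 status on a `.git/HEAD` probe, as in the fourth sample line, is the signal that the repository really is exposed; the 404 on the traversal attempt only shows that it was tried.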
Top mobile malware
Last month Anubis remained the most prevalent mobile malware, followed by Hiddad and AhMyth.
- Anubis - Anubis is a banking Trojan designed for Android mobile phones. Since it was first identified, it has gained additional functions, including Remote Access Trojan (RAT) capabilities, a keylogger, audio recording and various ransomware features. It has been spotted in hundreds of different apps available on the Google Store.
- Hiddad - Hiddad is Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.
- AhMyth - AhMyth is a remote access Trojan (RAT) discovered in 2017. It is distributed through Android apps found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera.
Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence, which provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. ThreatCloud intelligence is enriched with AI-based data and exclusive research data from Check Point Research, the Intelligence & Research arm of Check Point Software Technologies.
The full list of the top 10 malware families in February 2023 can be found on the Check Point blog.