FormBook Displaces Emotet, GuLoader-Joker Subverts Cursor

Check Point Research (CPR) – the its Threat Intelligence research department Check Point Software Technologies Ltd., a provider of global cyber security solutions – released its latest Global Threat Index (Global Threat Index) for August 2022.

CPR reports that FormBook is now the most prevalent malware, overtaking Emotet, which has owned it since its re-emergence last January.

The FormBook it is a info stealer targeting the operating system Windows, which once deployed, can collect credentials and screenshots, monitor and record keystrokes, and download and execute files according to command and control orders (C&C). Since it was first spotted in 2016, it has continued its course promoted as Malware-as-a-Service (MaaS) in underground forums hacking Ms. is known for her strong evasion techniques and relatively low price of.

August also saw a rapid increase in its activity GuLoader, making it the fourth most widespread malware. The GuLoader was originally used to download it Parallax RAT, but has since been applied to others Trojans remote access and infostealers, like the netwire, FormBook and Agent Tesla. It is usually distributed through extensive phishing campaigns, which trick the victim into downloading and opening a malicious file, allowing the malware to proceed with his work.

Furthermore, the Check Point Research states that Joker, a spyware for Android, is back in action and ranked third on the list of top mobile malware for the month of August. Once installed the Joker, can intercept messages SMS, contact lists and device information, as well as to register the victim for paid services premium without his consent. Its rise can be partly explained by the rise of campaigns, as it has recently been found to be active in some its applications Google Play Store.

“The changes we see in the August Index, from Emotet which dropped from first to fifth place until the Joker which became the third most prevalent mobile malware, reflect how quickly the threat landscape can change,” said Maya Horowitz, VP Research in Check Point Software. “This should remind both individuals and companies of the importance of being informed about the latest threats, as knowing the protection capabilities is essential. Threat actors are constantly evolving and so is its appearance FormBook shows that we can never be complacent about security and must take a holistic approach, prioritizing prevention across networks, endpoints and cloud".

Η CPR also revealed that in August the education/research sector continues to be the most targeted industry by cybercriminals worldwide. With the branches

government/military and healthcare to rank second and third as the most attacked. The "Apache log4j Remote -- Execution” returns to the top spot as the most exploited vulnerability, affecting 44% of organizations worldwide since surpassing “Website Server & Hosting Exposed Go Repository Information Disclosure” which had an impact of 42%.

Top malware families

* The arrows refer to the change of the ranking in relation to the previous month.

The FormBook is the most prevalent malware for the month of August affecting 5% of organizations worldwide, followed by agent Tesla with an incidence of 4% and the XMRig with 2%.

1. ↑ Formbook - The Formbook it is a infostealer which collects credentials from various web browsers, collects screenshots, monitors and records keystrokes and can download and execute files on command C&C.
2. ↑ agent Tesla -The Agent Tesla is an advanced one RAT that works as keylogger and infostealer, which is capable of monitoring and collecting the victim's typing and system keyboard, receive screenshots and extract credentials from various software installed on the victim's computer (including Google Chrome, Mozilla Firefox and Microsoft Outlook Email client).
3. ↓ XMRig -The XMRig it's software CPU open source used to mine the cryptocurrency Monero. Threat actors often abuse this open source software by incorporating it into their malware to conduct illegal mining on Appliances of the victims.
   

Top domains under attack worldwide

This month the education/research sector remained in first place as the most attacked sector worldwide, followed by the government/military sector and healthcare.

1. Education / Research

2. Government / Army

3. Health

Top Exposed Vulnerabilities

This month, the "Apache log4j Remote -- Execution" is the most common exploited vulnerability, affecting 44% of organizations worldwide, followed by "Website Server & Hosting Exposed Go Repository Information Disclosure", which dropped from first place to second place with a 42% impact. The "Website Servers Malicious URL Directory traverse" remains in third place, with a global impact of 39%.

1. ↑ Apache log4j Remote -- Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache log4j. Successfully exploiting this vulnerability could allow a remote intruder to execute arbitrary code on the affected system.
2. ↓ Website Server & Hosting Exposed Go Repository Information Disclosure -An information disclosure vulnerability was reported in the Go Repository. Successfully exploiting this vulnerability could allow unintentional disclosure of account information.
3. ↔ Website Servers Malicious URL Directory traverse (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) - A folder bypass vulnerability exists on various web servers. The vulnerability is due to an input validation error on a web server that does not properly clean up the URI for directory crossing patterns. Successful exploitation allows unauthorized remote attackers to detect or gain access to arbitrary files on the vulnerable server.

Top Malicious Mobile Apps

This month the AlienBot is the most common mobile malware followed by Anubis and Joker.

1. AlienBot - The AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). Supports keylogging, dynamic overlays for credential theft, as well as collection SMS to bypass 2FA. Additional remote control capabilities are provided using a unit TeamViewer.
2. Anubis -Anubis is a malicious banking Trojan designed for Android mobile phones. Since it was first detected, it has acquired additional functions such as Remote Access Trojan (RAT) functions, keylogger and audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of different apps available in the Google Store.
3. Joker - An Android spyware on Google Play designed to steal SMS messages, contact lists and device information. In addition, the malware can also sign up the victim for paid premium services without their consent or knowledge.

The Global Threat Impact Index and ThreatCloud Map of Check Point Software, based on ThreatCloud intelligence of the company, which provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile phones. The ThreatCloud intelligence enriched with engines based on AI and exclusively research data from Check Point Research, the Department market & Research of Check Point Software Technologies.

The full list of the top 10 malware families in August 2022 can be found at blog of Check Point.