January 2024 Top Malware

Researchers have uncovered a major cyber threat distributor known as VexTrio, which serves as an important intermediary through which cybercriminals distribute malicious content. Meanwhile, Lockbit3 topped the list of active ransomware groups after a series of notable attacks in January.

Check Point® Software Technologies Ltd., a provider of a cloud-delivered, AI-powered cyber security platform, has published its Global Threat Index for January 2024. Last month, researchers identified a new, pervasive traffic distribution system (TDS) named VexTrio, which has served over 60 affiliates through a network of more than 70,000 compromised websites. Meanwhile, Lockbit3 was named the most prevalent ransomware group in a newly introduced ranking in the Index, and education remained the sector most affected by malware globally.


Active since at least 2017, VexTrio colludes with dozens of partners to spread malicious content through a sophisticated TDS. Because it uses a system similar to legitimate affiliate marketing networks, VexTrio's activities are often difficult to trace, and despite being active for more than six years, the scale of its operations has gone largely unnoticed. There is little evidence linking it to specific threat actors or attack chains, yet its extensive network and advanced functionality make it a significant cyber security risk.

“Cybercriminals have evolved from simple hackers to architects of deception, and VexTrio is another reminder of how commercially minded the industry has become,” said Maya Horowitz, vice president of research at Check Point Software. “To stay secure, individuals and organizations should prioritize regular cybersecurity updates, use strong endpoint protection, and foster a culture of vigilance in online practices. By staying informed and proactive, we can collectively strengthen our defenses against the evolving risks posed by emerging cyber threats.”

For the first time, Check Point's Index now includes a ranking of the most prevalent ransomware groups, based on activity observed on more than 200 "shame sites". Last month, Lockbit3 was the most prevalent ransomware group, responsible for 20% of published attacks. It claimed responsibility for a number of notable incidents in January, including an attack on the sandwich chain Subway and on Saint Anthony Hospital in Chicago.

Furthermore, CPR (Check Point Research) revealed that the most exploited vulnerability worldwide was "Command Injection Over HTTP", affecting 44% of organizations, followed by "Web Servers Malicious URL Directory Traversal", affecting 41%, and "HTTP Headers Remote Code Execution", with a global impact of 40%.

Top malware families

*The arrows refer to the change in ranking compared to the previous month.

FakeUpdates was the most prevalent malware last month with a 4% impact on organizations worldwide, followed by Qbot with a global impact of 3% and Formbook with a global impact of 2%.

  1. FakeUpdates - FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before launching them. FakeUpdates has led to further compromise through several additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
  2. Qbot - Qbot, AKA Qakbot, is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activity and deploy additional malware. Often distributed through spam email, Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection. Starting in 2022, it emerged as one of the most prevalent Trojans.
  3. Formbook - Formbook is an info stealer targeting the Windows operating system and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C.

Top Exploited Vulnerabilities

Last month, "Command Injection Over HTTP" was the most commonly exploited vulnerability, impacting 44% of organizations worldwide, followed by "Web Servers Malicious URL Directory Traversal" with 41% and "HTTP Headers Remote Code Execution" with a global impact of 40%.

  1. Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) - A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow the attacker to execute arbitrary code on the target machine.
  2. Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists in various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthorized remote attackers to disclose or gain access to arbitrary files on the vulnerable server.
  3. HTTP Headers Remote Code Execution - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim's machine.
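The directory traversal entry above comes down to a server mapping a request URI onto the filesystem without first normalising it. The following is an added example (not code from the Check Point report) of that check done properly, plus a scan over constructed access-log lines to flag requests that would have escaped the document root; the document root `/var/www/html` and the log lines are assumptions.

```python
"""Directory-traversal check for request URIs plus an access-log scan."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # constructed example document root (assumption)


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is seen."""
    cur = raw
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def resolve_request_path(uri_path: str, web_root: str = WEB_ROOT):
    """Map a request path onto web_root. Returns the normalised filesystem
    path, or None if it escapes the document root or carries a NUL byte."""
    path = decode_path(uri_path.split("?", 1)[0]).replace("\\", "/")
    if "\x00" in path:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # '..' segments climbed above the document root
    return candidate


LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_traversal_attempts(log_lines):
    """Return (client_ip, request_path) for each line whose path escapes WEB_ROOT."""
    hits = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if match and resolve_request_path(match.group(1)) is None:
            hits.append((line.split(" ", 1)[0], match.group(1)))
    return hits


# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jan/2024:10:01:03 +0000] "GET /images/../about.html HTTP/1.1" 200 812',
    '198.51.100.9 - - [15/Jan/2024:10:01:04 +0000] "GET /../../etc/passwd HTTP/1.1" 403 0',
    '198.51.100.9 - - [15/Jan/2024:10:01:05 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0',
]
```

Running `flag_traversal_attempts(SAMPLE_LOG)` reports the two requests from 198.51.100.9; the `/images/../about.html` request is accepted because it still resolves inside the document root.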

Top Mobile Malware

Last month, Anubis remained in the top spot as the most prevalent mobile malware, followed by AhMyth and Hiddad.

  1. Anubis - Anubis is a banking Trojan designed for Android mobile phones. Since it was first identified, it has gained additional capabilities, including Remote Access Trojan (RAT) functionality, keylogging, audio recording and various ransomware features. It has been spotted in hundreds of different apps available on the Google Store.
  2. AhMyth - AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which is commonly used to steal sensitive information.
  3. Hiddad - Hiddad is an Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.

Top Attacked Industries Globally

Last month, Education/Research remained the number one industry attacked globally, followed by Government/Military and Healthcare.

1. Education/Research
2. Government/Military
3. Healthcare

Top Ransomware Groups

This section includes information drawn from nearly 200 ransomware "shame sites" operated by double-extortion ransomware groups, 68 of which published the names and information of their victims this year. Cybercriminals use these sites to pressure victims who do not pay the ransom immediately. Data from these sites carry their own biases, but still provide valuable insight into the ransomware ecosystem, which is the number one business risk today.

Last month, Lockbit3 was the most prevalent ransomware group, responsible for 20% of published attacks, followed by 8Base with 10% and Akira with 9%.

  1. Lockbit3 - Lockbit3 is a ransomware group that operates on a RaaS model and was first reported in September 2019. It targets large enterprises and government agencies in various countries and does not target individuals in Russia or the Commonwealth of Independent States.

  2. 8Base - The 8Base threat group is a ransomware gang that has been active since at least March 2022. It gained significant notoriety in mid-2023 due to a marked increase in its activity. The group has been observed using several ransomware variants, with Phobos as a common element. 8Base operates with a level of sophistication, evidenced by the advanced techniques used in its ransomware. The group's methods include double-extortion tactics.

  3. Akira - Akira ransomware, first reported in early 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits against VPN endpoints. After infection, it encrypts data, appends a ".akira" extension to filenames, and then presents a ransom note demanding payment for decryption.

The full list of the top ten malware families in January is available on the Check Point blog.

