Η Check Point Research states that Glupteba returned to the top ten most prevalent malware list for the first time since July 2022. The Qbot get over it Emotet as the most prevalent malware in December, while malware Android Hiddad made his comeback.
Η Check Point Software Technologies Ltd, solutions provider cyber securitys worldwide, has published its Global Threat Index for December 2022.
Last month Glupteba Malware, an ambitious blockchain-enabled trojan botnet, returned to the top ten list for the first time since July 2022, rising to eighth place. Qbot, a sophisticated Trojan that intercepts banking credentials and keystrokes, overtook Emotet to become the most widespread malware after its return last month, affecting 7% of organizations worldwide. Meanwhile, the Hiddad Android malware made a comeback and education continued to be the most affected industry globally.
Although Google managed to provoke big upset at Glupteba's functions in December 2021, it looks like this is back in action. As a modular malware variant, Glupteba can achieve several goals on an infected computer. The botnet is often used as a downloader and dropper for other malware.
This means that a Glupteba infection could lead to a ransomware infection, data breach, or other security incidents.
Glupteba is also designed to steal user credentials and session cookies from infected computers. This authentication data can be used to allow access to a user's online accounts or other systems, allowing an attacker to steal sensitive data or take other actions using these compromised accounts. Finally, malware is typically used to deploy cryptomining operations on its target, draining a computer's resources by using them to mine blocks.
In December, Hiddad also entered the top three mobile malware list for the first time in 2022. Hiddad is an ad-distributing malware that targets android devices. It repackages legitimate apps and then releases them on a third-party store. Its main function is to serve ads, but it can also access key security details built into the operating system.
“The dominant theme in our latest research is how malware often masquerades as legitimate software to give hackers backdoor access to devices without arousing suspicion. That's why it's important for us to check when we download any software and apps or click on links, no matter how genuine they look,” said Maya Horowitz, Vice President of Research at Check Point Software.
CPR also revealed that “Web Server Exposed Git Repository Information Disclosure” was the most exploited vulnerability, affecting 46% of organizations worldwide, followed by “Web Servers Malicious URL Directory Traversal” with 44% of organizations be affected globally. “Command Injection Over HTTP” is the third most commonly used vulnerability, with an impact of 43% worldwide.
The top malware families
* The arrows refer to the change of the ranking in relation to the previous month.
The Qbot was the most prevalent malware last month with a 7% impact on global organizations, followed by Emotet with a global impact of 4% and the XMRig with a global impact of 3%.
- ↑ Qbot – Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user's banking information and keystrokes. It is often distributed via spam email. Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to block analysis and avoid detection.
- ↔ Emotet – Emotet is an advanced, self-replicating and modular Trojan. Emotet was used as a banking Trojan and has recently been used as a distributor for other malware or malicious campaigns. He uses multiple methods to maintain his persistence and evasion techniques to avoid detection. Additionally, it can spread through spam phishing emails that contain malicious attachments or links.
- ↑ XMRig – XMRig is open source CPU mining software used to mine Monero cryptocurrency. Threat actors often abuse this open source software by integrating it into their malware to conduct illegal mining on victims' devices
The most attacked industries worldwide
Last month, the Education / Research remained the industry with the most attacks globally, followed by Government/Military sector and then the Health.
- Education / Research
- Government/Military
- Health
The most exploited vulnerabilities
In December, the " Website Server & Hosting Exposed Go Repository Information Disclosure " was the most exploited vulnerability affecting it 46% of organizations worldwide. She was followed by " Website Servers Malicious URL Directory traverse " with 44% of organizations to be affected globally. THE "Command Injection About HTTP" is the third most frequently exploited vulnerability, with impact 43% worldwide.
- ↑ Web Server & Hosting Exposed Go Repository Information Disclosure - A vulnerability has been reported in the Git Repository. Successfully exploiting this vulnerability could allow unintentional disclosure of account information.
- ↓ Web Servers Malicious URL Directory traverse (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error on a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthorized remote attackers to expose or gain access to arbitrary files on the vulnerable server.
- ↑ Command Injection About HTTP (CVE-2021-43936,CVE-2022-24086) – An HTTP command injection vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
Top Malicious Mobile Apps
Last month the Anubis remained the most prevalent mobile malware, followed by Hiddad and AlienBot.
- Anubis – Anubis is a malicious banking Trojan designed for Android mobile phones. Since it was first detected, it has acquired additional functions such as Remote Access Trojan (RAT) functions, keylogger and audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of different apps available in the Google Store.
- Hiddad – Hiddad is an Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also access key security details built into the operating system.
- AlienBot - AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credential theft as well as SMS collection to bypass 2FA. Additional remote control capabilities are provided using a TeamViewer module.
| TOP 10 malware ανά χώρα | ||
| Malware_Family_Name | global impact | Country Impact |
| Qbot | 7.29% | 10.27% |
| agent Tesla | 1.23% | 5.95% |
| Emotet | 4.38% | 4.05% |
| Formbook | 2.26% | 4.05% |
| XMRig | 3.25% | 2.43% |
| Hail Mary | 0.37% | 2.16% |
| Ramnit | 1.46% | 1.89% |
| Remcos | 1.45% | 1.89% |
| SnakeKeylogger | 0.54% | 1.89% |
| Nanocore | 1.54% | 1.62% |
| Teabot | 0.07% | 1.62% |
| Cryptonite | 0.89% | 1.62% |
| Amadey | 0.65% | 1.62% |
Check Point Software's Global Threat Impact Index and ThreatCloud Map, based on ThreatCloud her intelligence companys, which provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile phones.
ThreatCloud intelligence is enriched with AI-driven data and exclusive research data from Check Point Research, the Intelligence & Research division of Check Point Software Technologies.
The full list of the top 10 malware families in December 2022 is at blog of Check Point.
