May 2024 Most common malware

Researchers have uncovered a campaign with the Phorpiex botnet being used to spread ransomware through millions of phishing emails. Meanwhile, the Lockbit3 Ransomware group has bounced back after a brief hiatus, accounting for a third of published ransomware attacks

malware death

H Check Point® Software Technologies Ltd., an AI-powered, cloud-delivered cybersecurity platform provider, has released its Global Threat Index for May 2024. Last month, researchers uncovered a malspam campaign orchestrated by the Phorpiex botnet. The millions of phishing emails sent contained LockBit Black – based on LockBit3 but not linked to the Ransomware group. In an unrelated development, the actual LockBit3 ransomware-as-a-Service (RaaS) group rose rapidly in prevalence after a brief hiatus following a global takedown by law enforcement, accounting for 33% of published attacks.

The original operators of the Phorpiex botnet shut down and sold the source code in August 2021. However, in December 2021, Check Point Research (CPR) discovered that it had re-emerged as a new variant called “Twizt”, which operated on a decentralized peer-to-peer model. In April this year, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) found evidence that the Phorpiex botnet, which ranked sixth in last month's threat index, was being used to send millions of phishing emails as part of a LockBit3 ransomware campaign. These emails brought attached ZIP files, which, when the deceptive .doc.scr files they contained were executed, triggered the ransomware's encryption process. The campaign used over 1.500 unique IP addresses, mostly from Kazakhstan, Uzbekistan, Iran, Russia and China.

Meanwhile, the Check Point Threat Index highlights information from "shame sites" run by double-extortion ransomware groups, which publish information about victims in order to pressure non-payers. In May, LockBit3 reasserted its dominance, accounting for 33% of published attacks. Inc. followed. Ransom with 7% and Play with 5% detection rate. Inc. Ransom recently claimed responsibility for a major cyber incident that disrupted its public services Leicester City Council in the UK, as it allegedly stole over 3 terabytes of data and caused widespread system downtime.

“While law enforcement has managed to temporarily disrupt the LockBit3 cybergang by exposing one of its leaders and associates, in addition to releasing over 7,000 LockBit decryption keys, this is still not enough to completely eliminate the threat. It's no surprise to see them regroup and develop new tactics to continue their pursuits,” said Maya Horowitz, vice president of research at Check Point Software. “Ransomware is one of the most disruptive attack methods used by cybercriminals. Once they penetrate the network and extract information, the target's options are limited, especially if they cannot afford to pay the ransom demanded. This is why organizations must be alert to risks and prioritize preventive measures.”

Top malware families

* The arrows refer to the change of the ranking in relation to the previous month.

FakeUpdates was the most prevalent malware last month with a 7% impact on global organizations, followed by Androxgh0st at 5% and Qbot at 3%.

  1. ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. Writes payloads to disk before launching them. FakeUpdates led to further compromise through several additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
  2. ↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac and Linux platforms. For the initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting- PHPUnit, Laravel Framework and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
  3. ↔ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal browser cookies, spy on banking activities, and deploy additional malware software. Often distributed via spam email, Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to prevent analysis and avoid detection. Starting in 2022, it emerged as one of the most widespread Trojans.

Top Exploited Vulnerabilities

Last month, “Command Injection Over HTTP” was the most exploited vulnerability, affecting 50% of organizations worldwide, followed by “Web Servers Malicious URL Directory Traversal” at 47% and “Apache Log4j Remote Code Execution” with 46%.

  1. ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection vulnerability over HTTP has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  2. ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254, CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – Exists a directory traversal vulnerability In various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthorized remote attackers to expose or access arbitrary files on the vulnerable server.
  3. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

Top Malicious Mobile Apps

Last month, Anubis was in first place as the most widespread mobile malware, followed by AhMyth and Hydra.

  1. ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was first detected, it has acquired additional functions, including Remote Access Trojan (RAT) functions, a keylogger, audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of different apps available in the Google Store.
  1. ↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is typically used to steal sensitive information. .


  1. ↑ Hydra – Hydra is a banking Trojan designed to steal banking credentials by asking victims to enable dangerous privileges and access every time they log into any banking application.

Top attacking industries worldwide

Last month, Education/Research remained the number one most attacked industry globally, followed by Government/Military and Communications.

  1. Education / Research
  2. Government / Army
  3. Communications

Top Ransomware Groups

The data below is based on information from “shame sites” that run double-extortion ransomware groups and publish information about victims. Last month, LockBit3 was the most prevalent ransomware group last month, responsible for 33% of published attacks, followed by Inc. Ransom with 7% and Play with 5%.

  1. LockBit3 – LockBit3 is a ransomware, which operates on a RaaS model and was first reported in September 2019. LockBit targets large enterprises and government agencies from various countries and does not target individuals in Russia or the Commonwealth of Independent States. Despite experiencing significant outages in February 2024 due to law enforcement action, LockBit resumed publishing information about its victims.
  2. Ransom – Inc. Ransom is a ransomware extortion operation that emerged in July 2023, carrying out spear-phishing attacks and targeting vulnerable services. The group's primary targets are organizations in North America and Europe in many sectors, including healthcare, education and government. The ransomware payloads of Inc. supports multiple command line arguments and uses partial encryption with a multi-threaded approach.
  3. Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware that first appeared in June 2022. This ransomware has targeted a wide range of businesses and critical infrastructure in North America, South America, and Europe, affecting approx. 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised legitimate accounts or by exploiting out-of-date vulnerabilities such as those in Fortinet's SSL VPNs. Once inside, it uses techniques such as using country-living binaries (LOLBins) for tasks such as data leakage and credential theft. The Best Technology Site in Greecegns

every publication, directly to your inbox

Join the 2.113 registrants.

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).