Check Point Research, its Threat Intelligence division Check Point Software Technologies Ltd., a provider of cyber security solutions worldwide, published the Global Threat Index for the month of January 2022.
Researchers say that Emotet has now moved Trickbot out of the top spot after a long stay at the top and is the most prevalent malware of the month, affecting 6% of organizations worldwide. Log4j also remains a problem, affecting 47,4% of organizations worldwide, while as the industry with the most attacks it is still that of Education / Research.
Just two and a half months after its return, Emotet has taken first place. The infamous botnet usually spreads through phishing emails that contain malicious attachments or links. Its increased use has been further helped by the prevalence of Trickbot as a catalyst, spreading malware further. At the same time, we have Dridex removed from the top ten list and replaced by Lokibot, an InfoStealer used to obtain data such as e-mail credentials, CryptoCoin wallet passwords and FTP servers.
"It's no surprise that Emotet has returned vengeful. It is malicious software that escapes, making it difficult to detect, and the fact that it uses multiple methods to infect networks further contributes to the constant rise of this threat. "It's unlikely to be a short-term problem," said Maya Horowitz, VP Research at Check Point Software. "This month we also saw Dridex disappear from the list of the top ten and Lokibot reappear. Lokibot exploits victims in their busiest moments, as it is distributed through well-disguised phishing emails. "These threats, along with the ongoing battle with the Log4j vulnerability, underscore the importance of having better security on networks, the cloud, mobile and endpoints."
Check Point Research (CPR) revealed this month that the Education / Research sector remains the most under attack in the world, followed by the Government / Armed Forces and the ISP / MSP. "Apache Log4j Remote Code Execution" is still the most commonly exploited vulnerability, affecting 47,4% of organizations worldwide, followed by "Web Server Exposed Git Repository Information Disclosure" which affects 45% of organizations worldwide. HTTP Headers Remote Code Execution ranks third on the list of most commonly exploited vulnerabilities, with a global impact of 42%.
The main families of malware
* Arrows are related to the change in ranking compared to the previous month.
This month, Emotet is the most popular malware affecting 6% of organizations worldwide, followed closely by Trickbot with a 4% impact and then Formbook with a 3% impact.
- ↑ Emotet Emotet is an advanced, self-propagating and modular Trojan. Emotet, once used as a banking Trojan, has recently been used as a distributor for other malware or malware campaigns. Uses multiple methods to maintain obsession and avoidance techniques to avoid detection. Additionally, it can be spread by phishing spam emails containing malicious attachments or links.
- ↓ Trickbot - Trickbot is a modular Botnet and banking Trojan that is constantly updated with new capabilities, features and distribution channels. This allows Trickbot to be a flexible and customizable malware that can be distributed as part of a multi-purpose campaign.
- ↓ Formbook - Formbook is an Info Stealer that collects credentials from various web browsers, collects screenshots, monitors and records keystrokes, and can download and execute files according to C&C commands.
The industries that receive the most attacks worldwide
This month, the Education / Research sector is at the top of the list of the world's most attacked, followed by the Government / Armed Forces and the ISP / MSP
- Education / Research
- Government / Armed Forces
- ISP / MSP
The most commonly exploited vulnerabilities
This month the Apache log4j Remote -- Execution "Is still the most commonly exploited vulnerability, affecting 47,4% of organizations worldwide, followed by" "Website Server & Hosting Exposed Go Repository Information Disclosure ”Which affects 45% of organizations worldwide. THE "HTTP Headers Remote -- ExecutionIs in third place on the list of most frequently exploited vulnerabilities, with a global impact of 42%.
- ↔ Remote execution code Apache log4j (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successfully exploiting this vulnerability could allow a remote intruder to execute arbitrary code on the affected system.
- ↔ Website Server & Hosting Exposed Go Repository Information Disclosure - A vulnerability has been reported in the Git Repository. Successfully exploiting this vulnerability could allow unintentional disclosure of account information.
- ↔HTTP Headers Remote -- Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - allows the client and server to transmit additional information with an HTTP request. A remote intruder can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
Top Malicious Mobile Apps
This month xHelper tops the list as the most prevalent mobile malware, followed by AlienBot and FluBot.
- xHelper - A malicious application that has not appeared on nature since March 2019 and is used to download other malicious apps and display ads. The app is capable of being hidden from the user and reinstalled in case it has been uninstalled.
- AlienBot - The AlienBot family of malware is a Malware-as-a-Service (MaaS) for Android devices that allows a remote intruder, in the first instance, to enter malicious code into legitimate financial applications. The attacker gains access to the victims' accounts and eventually takes full control of their device.
- flubot - FluBot is an Android botnet malware that is distributed via SMS phishing, which most often implies logistics delivery brands. As soon as the user clicks on the link in the message, FluBot is installed and accesses all the sensitive information on the phone.
The complete list of the most common malware threats in Greece for January 2022 is:
Emotet- The Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan and now distributes other malicious programs or malicious campaigns. Emotet uses multiple methods to maintain its obsession and avoidance techniques to prevent detection and can be spread through spam emails containing malicious attachments or links.
Lokibot - The LokiBot εντοπίστηκε για πρώτη φορά τον Φεβρουάριο του 2016 και είναι ένα commodity infostealer με εκδόσεις τόσο για τα Windows όσο και για το Android OS. Συλλέγει διαπιστευτήρια από διάφορες εφαρμογές, προγράμματα περιήγησης στο διαδίκτυο, προγράμματα ηλεκτρονικού ταχυδρομείου, εργαλεία διαχείρισης IT όπως το PuTTY και άλλα. Το LokiBot πωλείται σε φόρουμ hacking και πιστεύεται ότι ο πηγαίος κώδικάς του διέρρευσε, επιτρέποντας έτσι την εμφάνιση πολυάριθμων παραλλαγών. Από τα τέλη του 2017, ορισμένες εκδόσεις του LokiBot για Android περιλαμβάνουν functionalransomware in addition to its information-stealing capabilities.
Formbook- FormBook is an Infostealer that targets the Windows operating system and was first identified in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its powerful avoidance techniques and its relatively low price. FormBook collects credentials from various web browsers, collects screenshots, monitors and records keystrokes, and can download and execute files as instructed by its C&C.
AgentTesla- The agent Tesla is an advanced RAT that acts as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect keystrokes and clipboard victim's system, while it can capture screenshots and extract credentials for various software installed on the victim's machine (such as Google Chrome, Mozilla Firefox, and Microsoft Outlook email client). AgentTesla is sold on various online marketplaces and hacking forums.
NanocoreNanoCore is a remote access Trojan that targets Windows users and was first spotted in nature in 2013. All versions of RAT contain basic add-ons and features such as screen capture, cryptocurrency extraction, remote desktop control and theft camera session.
TrickbotTrickbot is a modular banking Trojan attributed to the WizardSpider cybercrime gang. It is mainly delivered through spam campaigns or other families of malware, such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a wide range of available modules, including a VNC module for remote control and an SMB module for distribution within an infected network. Once a machine is infected, the malicious carriers behind this malware use this wide range of modules not only to steal bank credentials from the target computer, but also to move around and identify the target organization itself. before carrying out a targeted ransomware attack across the company.
RemcosRemcos is a RAT that first appeared in the wild in 2016. Remcos is distributed through malicious Microsoft Office documents that attach to SPAM emails and is designed to bypass Microsoft Windowss UAC security and run high-level malware privileges.
Vidar- Vidar is an infostealer that targets Windows operating systems. It was first detected in late 2018 and is designed to steal passwords, credit card data and other sensitive information from various internet browsers and digital wallets. Vidar is sold on various online forums and is used as a malware dropper to obtain ransomware GandCrab as a secondary payload.
MassLogger- MassLogger is a .NET credential thief. This threat is an identification tool that can be used to extract data from targeted servers.
DanabotDanabot is a modular banking Trojan written in Delphi that targets the Windows platform. The malware, which was first observed in 2018, is distributed via malicious spam messages. Once a device is infected, the malware downloads an updated configuration code and other modules from the C&C server. Available modules include a if sniffer¿ for spying on credentials, a stealer for stealing passwords from popular applications, a VNC module for remote control, and more.
Ramnit- Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals online session information, allowing its operators to steal account credentials for all services used by the victim, including bank accounts and corporate accounts and social network accounts. The Trojan uses both hard-coded domains and domains created by a DGA (Domain Generation Algorithm) to communicate with the C&C server and download additional modules.
Joker- An android Spyware on Google Play, designed to steal SMS messages, contact lists and device information. In addition, the malware silently signals to the victim for premium services on advertising sites.
| The top 10 per country | ||
| Malware | Global impact | Greece |
| Emotet | 5.77% | 25.30% |
| Lokibot | 1.16% | 8.33% |
| Formbook | 3.27% | 7.74% |
| agent Tesla | 1.87% | 7.14% |
| Nanocore | 0.91% | 2.68% |
| Trickbot | 3.50% | 2.38% |
| Remcos | 1.83% | 2.38% |
| Vidar | 0.96% | 2.38% |
| MassLogger | 0.14% | 2.08% |
| Danabot | 0.08% | 2.08% |
| Ramnit | 1.68% | 2.08% |
| Joker | 0.05% | 2.08% |
Are Check Point Software's Global Threat Impact List and ThreatCloud Map based on its ThreatCloud intelligence? Company, the largest network for cooperation in the fight against cybercrime, which provides data on threats and trends in attacks, utilizing a global network of threat detectors.
The ThreatCloud database includes over 3 billion websites and 600 million files daily and detects more than 250 million malware activities each day.
The full list of the top 10 malware families in January can be found at blog of Check Point.
