Malware in Greece for January 2022

Check Point Research, the Threat Intelligence division of Check Point Software Technologies Ltd., a provider of cyber security solutions worldwide, has published its Global Threat Index for January 2022.

Researchers report that Emotet has pushed Trickbot out of the top spot after Trickbot's long stay there and is now the most prevalent malware of the month, affecting 6% of organizations worldwide. Log4j also remains a problem, affecting 47.4% of organizations worldwide, while Education / Research is still the most attacked industry.

Only two and a half months after its return, Emotet has taken the top spot. The infamous botnet is usually spread via email containing malicious attachments or links. Its increased use has been further aided by the prevalence of Trickbot, which acts as a catalyst, spreading the malware further. Alongside this, Dridex has dropped out of the top ten list and been replaced by Lokibot, an InfoStealer used to obtain data such as email credentials, passwords to cryptocurrency wallets and FTP servers.

"It is no surprise that Emotet is back with a vengeance. It is an evasive malware that makes it difficult to detect, and the fact that it uses multiple methods to infect networks further contributes to the continued rise of this threat. It is unlikely to be a short-lived problem," said Maya Horowitz, VP Research at Check Point Software. "This month we also saw Dridex disappear from the top ten list and Lokibot reappear. Lokibot exploits victims during their busiest times as it is distributed via well-disguised phishing emails. These threats, along with the ongoing battle against the Log4j vulnerability, highlight the importance of having the best security across networks, cloud, mobile and end-users."

Check Point Research (CPR) also revealed this month that the Education/Research sector remains the most attacked worldwide, followed by Government/Military and ISP/MSP. "Apache Log4j Remote Code Execution" is still the most frequently exploited vulnerability, affecting 47.4% of organizations worldwide, followed by "Web Server Exposed Git Repository Information Disclosure", which affects 45% of organizations worldwide. "HTTP Headers Remote Code Execution" is third on the list of the most frequently exploited vulnerabilities, with a global impact of 42%.

The main families of malware

* Arrows indicate the change in ranking compared to the previous month.

This month, Emotet is the most prevalent malware, affecting 6% of organizations worldwide, followed closely by Trickbot with a 4% impact and then Formbook with a 3% impact.

  1. Emotet - Emotet is an advanced, self-propagating and modular Trojan. Once used as a banking Trojan, Emotet has recently been used as a distributor for other malware or malware campaigns. It uses multiple methods to maintain persistence and evasion techniques to avoid detection. Additionally, it can be spread by phishing spam emails containing malicious attachments or links.
  2. Trickbot - Trickbot is a modular botnet and banking Trojan that is constantly updated with new capabilities, features and distribution channels. This allows Trickbot to be a flexible and customizable malware that can be distributed as part of a multi-purpose campaign.
  3. ↓ Formbook - Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to C&C commands.

The industries that receive the most attacks worldwide

This month, the Education / Research sector is at the top of the list of the world's most attacked industries, followed by Government / Armed Forces and ISP / MSP.

  1. Education / Research
  2. Government / Armed Forces
  3. ISP / MSP

The most commonly exploited vulnerabilities

This month "Apache Log4j Remote Code Execution" is still the most commonly exploited vulnerability, affecting 47.4% of organizations worldwide, followed by "Web Server Exposed Git Repository Information Disclosure", affecting 45% of organizations worldwide. "HTTP Headers Remote Code Execution" is ranked third on the list of the most frequently exploited vulnerabilities, with a global impact of 42%.

  1. Apache Log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  2. Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow the inadvertent disclosure of account information.
  3. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers let the client and server pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.

Top Malicious Mobile Apps

This month xHelper tops the list as the most prevalent mobile malware, followed by AlienBot and FluBot.

  1. xHelper - A malicious application seen in the wild since March 2019, used to download other malicious apps and display advertisements. The application is capable of hiding itself from the user and reinstalling itself in case it has been uninstalled.
  2. AlienBot - The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims' accounts and eventually takes full control of their device.
  3. FluBot - FluBot is an Android botnet malware distributed via SMS phishing, most often impersonating logistics delivery brands. As soon as the user clicks on the link in the message, FluBot is installed and gains access to all the sensitive information on the phone.

The complete list of the most common malware threats in Greece for January 2022 is:

Emotet - Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan and now distributes other malware or malicious campaigns. Emotet uses multiple methods to maintain persistence and evasion techniques to prevent detection, and can be spread through spam emails containing malicious attachments or links.

Lokibot - LokiBot was first identified in February 2016 and is a commodity infostealer with versions for both Windows and Android. It collects credentials from various applications, web browsers, e-mail clients, IT management tools such as PuTTY and more. LokiBot is sold on hacking forums and its source code is believed to have leaked, allowing numerous variants to appear. Since late 2017, some Android versions of LokiBot include ransomware functionality in addition to their information-stealing capabilities.

Formbook - FormBook is an infostealer targeting Windows that was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) on underground hacking forums for its powerful evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to commands from its C&C.

AgentTesla - AgentTesla is an advanced RAT that acts as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and clipboard, capture screenshots and extract credentials for various software installed on the victim's machine (such as Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is sold on various online marketplaces and hacking forums.

Nanocore - NanoCore is a remote access Trojan that targets Windows users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionality such as screen capture, cryptocurrency mining, remote desktop control and webcam session theft.

Trickbot - Trickbot is a modular banking Trojan attributed to the WizardSpider cybercrime gang. It is mainly delivered through spam campaigns or other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a wide range of available modules, including a VNC module for remote control and an SMB module for propagation within an infected network. Once a machine is infected, the threat actors behind this malware use this wide range of modules not only to steal banking credentials from the target computer, but also to move laterally and profile the target organization itself, before launching a targeted company-wide ransomware attack.

Remcos - Remcos is a RAT that first appeared in the wild in 2016. Remcos is distributed via malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC security and execute malware with elevated privileges.

Vidar - Vidar is an infostealer that targets Windows operating systems. It was first detected in late 2018 and is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and is used as a malware dropper to download GandCrab ransomware as a secondary payload.

MassLogger - MassLogger is a .NET credential stealer. This threat is a reconnaissance tool that can be used to extract data from targeted hosts.

Danabot - Danabot is a modular banking Trojan written in Delphi that targets the Windows platform. The malware, first observed in 2018, is distributed via malicious spam messages. Once a device is infected, the malware downloads configuration code and other modules from the C&C server. Available modules include a "sniffer" to intercept credentials, a stealer to steal passwords from popular applications, a VNC module for remote control, and more.

Ramnit - Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services the victim uses, including bank accounts, corporate accounts and social network accounts. The Trojan uses both hard-coded domains and domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.

Joker - An Android spyware on Google Play, designed to steal SMS messages, contact lists and device information. In addition, the malware silently signs the victim up for premium services on advertising websites.


The top malware per country

Malware       Global impact   Greece
Emotet        5.77%           25.30%
Lokibot       1.16%           8.33%
Formbook      3.27%           7.74%
AgentTesla    1.87%           7.14%
Nanocore      0.91%           2.68%
Trickbot      3.50%           2.38%
Remcos        1.83%           2.38%
Vidar         0.96%           2.38%
MassLogger    0.14%           2.08%
Danabot       0.08%           2.08%
Ramnit        1.68%           2.08%
Joker         0.05%           2.08%


Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence, the largest collaborative network for fighting cybercrime, which provides threat data and attack trends drawn from a global network of threat sensors.

The ThreatCloud database inspects over 3 billion websites and 600 million files daily and identifies more than 250 million malware activities each day.

The full list of the top 10 malware families in January can be found on the Check Point blog.


Written by newsbot