Researchers have discovered a new method of deploying the Remcos Remote Access Trojan (RAT) that bypasses common security measures to give attackers unauthorized access to victims' devices.
Meanwhile, Blackbasta entered the top three ransomware groups, and the Communications sector rose to third place among the most attacked industries.
Check Point Software Technologies Ltd. (NASDAQ: CHKP), a leading AI-powered, cloud-delivered cybersecurity platform provider, released its Global Threat Index for March 2024. Last month, researchers revealed that hackers were using Virtual Hard Disk (VHD) files to deploy the Remcos Remote Access Trojan (RAT). Meanwhile, Lockbit3 remained the most prevalent ransomware group in March, despite its takedown by law enforcement in February, though its share among the 200 ransomware sites monitored by Check Point dropped from 20% to 12%.
Remcos is a known malware that has been observed since 2016. In this latest campaign it bypasses common security measures to give cybercriminals unauthorized access to unsuspecting victims' devices. Despite its legitimate origins as a remote administration tool for Windows systems, cybercriminals soon began exploiting its ability to infect devices, capture screenshots and keystrokes, and transmit the collected data to designated host servers. In addition, the Trojan has a mass-mailing function that can run distribution campaigns, and its various functions can be combined to build botnets. Last month, it rose to fourth place on the top malware list from sixth place in February.
"The evolution of attack tactics underscores the relentless advancement in cybercriminal strategies," observes Maya Horowitz, VP of Research at Check Point Software. "This highlights the need for organizations to prioritize preventive measures. By remaining vigilant, deploying strong endpoint protection, and fostering a culture of cybersecurity awareness, we can collectively strengthen our defenses against evolving cyber threats."
Check Point's Ransomware Index draws on information from ransomware "shame sites" run by double-extortion ransomware groups, which publish victim information. Lockbit3 again tops the rankings with 12% of published attacks, followed by Play at 10% and Blackbasta at 9%. Joining the top three for the first time, Blackbasta claimed responsibility for a recent cyber attack on the Scottish law firm Scullion Law.
Last month, the most exploited vulnerability was “Web Servers Malicious URL Directory Traversal”, which affected 50% of organizations worldwide, followed by “Command Injection Over HTTP” with 48% and “HTTP Headers Remote Code Execution” with 43%.
Top malware families
*The arrows refer to the change in ranking compared to the previous month.
FakeUpdates was the most prevalent malware last month, with an impact of 6% on organizations worldwide, followed by Qbot with 3% and Formbook with 2%.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before executing them. FakeUpdates has led to further compromise through several additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
- ↔ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to prevent analysis and avoid detection. Starting in 2022, it emerged as one of the most widespread Trojans.
- ↔ Formbook – Formbook is an Infostealer that targets the Windows operating system and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its powerful evasion techniques and relatively low price. Formbook collects credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to commands from C&C.
Top exploited vulnerabilities
Last month, “Web Servers Malicious URL Directory Traversal” was still the most exploited vulnerability, affecting 50% of organizations worldwide, followed by “Command Injection Over HTTP” with 48% and “HTTP Headers Remote Code Execution” with 43%.
- ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists in several web servers. The vulnerability is due to an input validation bug: the web server does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow the attacker to execute arbitrary code on the target machine.
- ↑ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) – HTTP headers allow the client and server to pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
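The directory traversal entry above attributes the flaw to a server that does not sanitize the URI before using it as a file path. The following is an added example, not code from the Check Point report or from any of the listed products: a hardened request-path resolver that percent-decodes the URI (including double encoding), normalises it against an assumed document root `/var/www/html`, and rejects any result that escapes that root. The sample URIs are constructed.

```python
# Added example, not code from the Check Point report: a hardened request-path
# resolver applying the URI sanitisation that vulnerable web servers lack.
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root for the example


def decode_fully(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '%252e%252e' is unwrapped."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def resolve_request_path(raw_uri: str, doc_root: str = DOC_ROOT):
    """Map a request URI onto doc_root; return None if it escapes the root.

    The vulnerable pattern is concatenating the raw URI onto the root and
    opening the result. Here the path is decoded, normalised, and then
    checked for containment, so '..' sequences cannot climb out of the root.
    """
    path = raw_uri.split("?", 1)[0]       # query string never names a file
    path = decode_fully(path)
    if "\x00" in path:                    # NUL would truncate a C-string path
        return None
    path = path.replace("\\", "/")        # treat backslashes as separators too
    root = posixpath.normpath(doc_root)
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None                       # traversal: resolved outside root
    return full


# Constructed request URIs, as a web server access log might show them
SAMPLES = [
    "/index.html",
    "/images/../index.html",
    "/../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
    "/..\\..\\windows\\win.ini",
    "/index.html%00.jpg",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        verdict = resolve_request_path(uri)
        print(f"{uri!r:45} -> {'BLOCKED' if verdict is None else verdict}")
```

The same decode-then-normalise-then-check order is what a WAF rule or access-log detector for this vulnerability class needs; matching the literal string `../` alone misses the encoded variants in the sample list.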
Top Mobile Malware
Last month Anubis was in first place as the most prevalent mobile malware, followed by AhMyth and Cerberus.
- ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was first detected, it has acquired additional features such as Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities, and various ransomware capabilities. It has been spotted in hundreds of different apps available in the Google Store.
- ↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is typically used to steal sensitive information.
- ↑ Cerberus – First seen in the wild in June 2019, Cerberus is a Remote Access Trojan (RAT) with specific banking screen-overlay features for Android devices. Cerberus operates on a Malware as a Service (MaaS) model, replacing bankers such as Anubis and Exobot. Its features include SMS checking, keylogging, audio recording, location tracking and more.
Most attacked industries worldwide
Last month Education/Research remained the most attacked industry worldwide, followed by Government/Military and Communications.
- Education / Research
- Government / Military
- Communications
Top Ransomware Groups
This section includes information from ransomware “shame sites” operated by double-extortion ransomware groups that have published the names and information of victims. Data from these shame sites carries its own biases, but still provides valuable insight into the ransomware ecosystem.
Lockbit3 was the most widespread ransomware group last month, responsible for 12% of published attacks, followed by Play with 10% and Blackbasta with 9%.
- LockBit3 – LockBit3 is a ransomware, operating on a RaaS model, first reported in September 2019. LockBit targets large businesses and government agencies from various countries and does not target individuals in Russia or the Commonwealth of Independent States. Despite experiencing significant outages in February 2024 due to law enforcement measures, LockBit3 continued to publish information about its victims.
- Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware group that first appeared in June 2022. This ransomware has targeted a wide range of businesses and critical infrastructure across North America, South America and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised legitimate accounts or by exploiting unpatched vulnerabilities such as those in Fortinet SSL VPNs. Once inside, it uses techniques such as living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
- Blackbasta – BlackBasta ransomware was first observed in 2022 and operates as a ransomware-as-a-service (RaaS). The threat actors behind it mainly target organizations and individuals by exploiting RDP vulnerabilities and phishing emails to deliver the ransomware.
Here is the updated table of European Union countries with their risk ranking and the previous month's ranking:
| Country Name | Risk Ranking | Rank Last Month |
|---|---|---|
| Estonia | 36 | 30 |
| Czech Republic | 48 | 48 |
| Portugal | 50 | 51 |
| Italy | 51 | 50 |
| Slovenia | 57 | 53 |
| Spain | 62 | 60 |
| Greece | 65 | 62 |
| Hungary | 68 | 68 |
| Bulgaria | 72 | 47 |
| Poland | 74 | 72 |
| Denmark | 77 | 65 |
| Sweden | 79 | 76 |
| Austria | 80 | 69 |
| Ireland | 83 | 78 |
| Croatia | 86 | 64 |
| Belgium | 87 | 84 |
| Finland | 88 | 83 |
| Germany | 94 | 86 |
| Luxembourg | 95 | 71 |
| Lithuania | 97 | 95 |
| France | 98 | 99 |
| Netherlands | 99 | 91 |
| Romania | 102 | 98 |
| Slovakia | 103 | 101 |
| Cyprus | 106 | 104 |
| Malta | 107 | 103 |
| Latvia | 110 | 102 |