Check Point Software Technologies Ltd, a provider of global cyber security solutions, has released its Global Threat Index for May 2023. Analysts highlighted a new version of the shellcode-based downloader GuLoader, which was the fourth most widespread malware last month. With fully encrypted payloads and anti-analysis techniques, the latest variant can be stored undetected on well-known public cloud services, including Google Drive. Meanwhile, Qbot and Anubis topped the malware and mobile malware lists respectively, while the Education/Research sector remained the most targeted industry.
GuLoader, which is widely used by cybercriminals to bypass antivirus detection, has undergone significant changes. The latest version uses a code-injection technique that replaces the code of a legitimate process, making it easier to evade process-monitoring security tools. Payloads are fully encrypted and stored inconspicuously on well-known public cloud services, including Google Drive. This combination of encryption, a raw binary payload, and separation of loader and payload makes the payloads invisible to antivirus programs, posing a significant threat to users and businesses around the world.
Last month, both Qbot and Anubis topped their respective lists. Despite efforts to slow down the distribution of malware by blocking macros in Office files, Qbot operators quickly adapted their distribution and delivery methods. Qbot was recently seen abusing a dynamic link library (DLL) hijacking flaw in the Windows 10 WordPad program to infect computers.
“Public tools and services are increasingly used by cybercriminals to deliver and store malicious campaigns. The credibility of a source no longer guarantees complete security," said Maya Horowitz, vice president of research at Check Point Software. “This highlights the urgent need for training on identifying suspicious activity. We recommend that you do not disclose personal information or download attachments unless the authenticity and benign nature of the request has been confirmed. Additionally, it is critical to have advanced security solutions such as Check Point Horizon XDR/XPR, which can effectively identify whether a supposedly benign behavior is actually malicious, providing an additional layer of protection against sophisticated threats.”
The Education/Research sector continues to be the most targeted industry, according to the Check Point Index. The report also revealed that the “Web Servers Malicious URL Directory Traversal” vulnerability is the most exploited vulnerability, affecting 49% of organizations worldwide. This is closely followed by the “Apache Log4j Remote Code Execution” and “HTTP Headers Remote Code Execution” vulnerabilities, affecting 45% and 44% of organizations worldwide, respectively.
Top malware families
* The arrows refer to the change of the ranking in relation to the previous month.
Qbot was the most prevalent malware last month with a 6% impact on global organizations, followed by Formbook with a global impact of 5% and AgentTesla with a global impact of 3%.
- ↑ Qbot – Qbot, also known as Qakbot, is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and avoid detection. Since 2022 it has been one of the most widespread Trojans.
- ↑ Formbook – Formbook is an infostealer that targets the Windows operating system and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) on underground hacking forums for its powerful evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, captures screenshots, monitors and logs keystrokes, and can download and execute files on command from its C&C server.
- ↓ AgentTesla – AgentTesla is an advanced RAT that acts as a keylogger and information stealer. It can monitor and collect the victim's keyboard input and system clipboard, take screenshots, and extract credentials from various software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
Industries with the Most Attacks Worldwide
Last month, Education/Research remained in first place as the most attacked industry worldwide, followed by Government/Military and Healthcare.
- Education / Research
- Government / Military
- Health care
Most Exploited Vulnerabilities
Last month, "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, affecting 49% of organizations worldwide, followed by "Apache Log4j Remote Code Execution", which affected 45% of organizations worldwide. The third most frequently exploited vulnerability was "HTTP Headers Remote Code Execution", with a global impact of 44%.
- ↔ Web Servers Malicious URL Directory Traversal - A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or gain access to arbitrary files on the vulnerable server.
- ↔ Apache log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successfully exploiting this vulnerability could allow a remote intruder to execute arbitrary code on the affected system.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – The HTTP protocol allows the client and server to pass additional information along with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
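The directory traversal entry above describes the defect as a server that does not sanitize the request URI for traversal patterns. The following is an added example, not code from the Check Point report or from any product it names, showing what that input validation error looks like next to a hardened version: `naive_resolve` joins the decoded path onto the document root and normalises it without ever checking containment, while `safe_resolve` fully percent-decodes (including double-encoded sequences), rejects NUL bytes, treats backslashes as separators, and refuses any result outside the root. The document root `/var/www/html` and the request paths in `SAMPLE_REQUESTS` are constructed for the demonstration.

```python
"""Added example (not from the Check Point report): resolving a requested
URL path against a web server's document root, first the vulnerable way and
then with the checks that stop directory traversal."""
import posixpath
from urllib.parse import unquote

# Assumed document root for the example; any absolute POSIX path works.
DOC_ROOT = "/var/www/html"


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences such as
    %252e%252e%252f are reduced to plain '../' before they are inspected.
    Stops early once a decoding round changes nothing."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def naive_resolve(doc_root: str, url_path: str) -> str:
    """Vulnerable: decodes once, joins onto the document root and
    normalises, but never checks that the result is still under doc_root.
    This is the input validation error the vulnerability class describes."""
    joined = posixpath.join(doc_root, unquote(url_path).lstrip("/"))
    return posixpath.normpath(joined)


def safe_resolve(doc_root: str, url_path: str) -> str:
    """Hardened: fully decode, reject NUL bytes, treat backslashes as
    separators, normalise, then refuse anything outside the document root."""
    decoded = decode_path(url_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")
    root = posixpath.normpath(doc_root)
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        raise ValueError("path escapes document root")
    return joined


def check_request(url_path: str, doc_root: str = DOC_ROOT) -> tuple:
    """Return (allowed, detail): the resolved file path when the request is
    safe, otherwise the reason it was rejected."""
    try:
        return True, safe_resolve(doc_root, url_path)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample requests, each labelled with the behaviour it probes.
SAMPLE_REQUESTS = [
    "/index.html",                                    # benign
    "/css/../style.css",                              # '..' that stays inside root
    "/../../../etc/passwd",                           # plain traversal
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",               # URL-encoded traversal
    "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",   # double-encoded traversal
    "/images/..\\..\\..\\windows\\win.ini",           # backslash separators
    "/index.html%00.jpg",                             # NUL-byte extension trick
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, detail = check_request(req)
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{verdict:5} {req!r:50} naive={naive_resolve(DOC_ROOT, req)!r} -> {detail}")
```

Running the block prints one line per sample request. The naive resolver happily returns `/etc/passwd` for both the plain and the single-encoded traversal; it only survives the double-encoded case by accident, because it decodes once, and a server that decodes a second time before opening the file would be caught out. The hardened resolver blocks all five hostile requests and still serves `/css/../style.css`, since that path normalises to a file inside the root.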
Top Mobile Malware
Last month Anubis rose to the top spot as the most prevalent mobile malware, followed by AhMyth and Hiddad.
- Anubis – Anubis is a malicious banking Trojan designed for Android mobile phones. Since it was first detected, it has acquired additional features such as Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been spotted in hundreds of different apps available in the Google Store.
- AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, typically in order to steal sensitive information.
- Hiddad – Hiddad is an Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.
The figures for Greece are as follows:
| Malware family | Global impact | Impact in Greece |
|---|---|---|
| Emotet | 2.81% | 11.35% |
| Lokibot | 1.66% | 9.61% |
| Formbook | 4.53% | 9.61% |
| Qbot | 5.88% | 9.39% |
| AgentTesla | 3.28% | 5.46% |
| GuLoader | 3.07% | 5.46% |
| Pony | 0.51% | 3.28% |
| Nanocore | 1.63% | 2.84% |
| Esfury | 0.74% | 2.18% |
| XMRig | 2.70% | 2.18% |
Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile phones. Intelligence is enhanced with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.
The full list of the top ten malware families for May can be found on the Check Point blog.