Check Point Research (CPR), the Threat Intelligence division of Check Point Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cybersecurity solutions, has published its Global Threat Index for May 2022. Researchers report that Emotet, an advanced, self-propagating modular Trojan, remains the most widespread malware thanks to large-scale campaigns.
They note that this month Snake Keylogger has climbed to eighth place after a long absence from the list. Snake's main function is to record the user's keystrokes and transmit the collected data to threat actors.
Snake Keylogger usually spreads through emails carrying docx or xlsx attachments with malicious macros; this month, however, researchers reported that Snake Keylogger has been spreading through PDF files. This may be due in part to the fact that Microsoft now blocks Internet macros in Office by default, which has pushed cybercriminals to get more creative by exploring new file types such as PDFs. This unusual delivery method is proving quite effective, as some users perceive PDFs as inherently safer than other file types.
Emotet affects 8% of organizations worldwide, a small increase over the previous month. It is a flexible malware that proves profitable because of its ability to go unnoticed. Its persistence also makes it difficult to remove once a device is infected, making it an ideal tool in a cybercriminal's arsenal. Originally a banking Trojan, it is often distributed via phishing emails and can deliver other malicious programs, increasing its capacity to cause extensive damage.
"As recent Snake Keylogger campaigns show, everything you do on the Internet puts you at risk of cyber-attack, and opening a PDF is no exception," said Maya Horowitz, Vice President of Research at Check Point Software. "Viruses and malicious executable code can be hidden in multimedia content and links, with the malware attack, in this case Snake Keylogger, ready to hit as soon as the user opens the PDF. So just as you would question the legitimacy of a docx or xlsx email attachment, you need to apply the same caution to PDFs. In this day and age it has never been more important for organizations to have a strong email security solution that quarantines and checks attachments, preventing malicious files from entering the network from the start."
CPR also found that "Web Servers Malicious URL Directory Traversal" is the most commonly exploited vulnerability, affecting 46% of organizations worldwide, closely followed by "Apache Log4j Remote Code Execution", also with a global impact of 46%. "Web Server Exposed Git Repository Information Disclosure" is in third place with a global impact of 45%. The Education and Research sector remains the industry most targeted by cybercriminals worldwide.
Top malware families
* The arrows indicate the change in ranking compared with the previous month.
This month, Emotet remains the most prevalent malware with an 8% global impact, followed by Formbook with a 2% impact and Agent Tesla, which affects 2% of organizations worldwide.
- ↔ Emotet - Emotet is an advanced, self-propagating modular Trojan. Emotet was once used as a banking Trojan and has recently been used to distribute other malware or malicious campaigns. It uses multiple evasion methods and techniques to persist on the system and avoid detection. It can also be spread via spam emails containing phishing attachments or links.
- ↔ Formbook - Formbook is an infostealer targeting the Windows operating system and was first identified in 2016. It is marketed as Malware-as-a-Service (MaaS) on underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C.
- ↔ Agent Tesla - Agent Tesla is an advanced RAT that acts as a keylogger and infostealer, capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials for various software installed on the victim's machine (including Google Chrome, Mozilla Firefox, and Microsoft Outlook).
The full list of the top ten malware families in May can be found on the Check Point blog.
Top attacked industries worldwide
This month the most attacked industry worldwide is Education/Research, followed by Government/Military and Internet Service Providers & Managed Service Providers (ISP & MSP).
- Education & Research
- Government & Military
- Internet Service Providers & Managed Service Providers (ISP & MSP)
Top exploited vulnerabilities
In May, "Web Servers Malicious URL Directory Traversal" was the most commonly exploited vulnerability, affecting 46% of organizations worldwide, followed closely by "Apache Log4j Remote Code Execution", also with a global impact of 46%. "Web Server Exposed Git Repository Information Disclosure" is in third place with a global impact of 45%.
- ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↔ Apache Log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↓ Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git repositories exposed by web servers. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
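As an added illustration, not code from Check Point's report, of the input validation step the directory traversal entry above describes as missing: a small Python sanitizer that resolves a request URI against an assumed document root (`/var/www/html`) and refuses any request that would escape it, run over a few constructed request lines, including encoded, double-encoded and backslash variants.

```python
# Added example: sanitize a request URI for directory traversal patterns before
# mapping it to a file. WEB_ROOT and the sample requests are assumptions.
from urllib.parse import unquote
import posixpath

WEB_ROOT = "/var/www/html"  # assumed document root

def fully_decode(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e)
    cannot slip past a single-pass check; bounded to avoid looping forever."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def resolve_under_root(uri: str, root: str = WEB_ROOT):
    """Return the filesystem path a request URI maps to, or None if the
    request would escape the document root. Only the path component is used."""
    path = fully_decode(uri.split("?", 1)[0])
    path = path.replace("\\", "/")   # treat backslash as a separator too
    if "\x00" in path:               # NUL bytes truncate C strings in servers
        return None
    # Collapse '.' and '..' segments, then check the result is still inside root
    joined = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined

# Constructed sample requests (method and URI only)
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /images/../index.html",                # harmless: stays under root
    "GET /../../etc/passwd",                    # plain traversal
    "GET /%2e%2e/%2e%2e/etc/passwd",            # URL-encoded traversal
    "GET /%252e%252e/%252e%252e/etc/passwd",    # double-encoded traversal
    "GET /..\\..\\windows\\win.ini",            # backslash variant
    "GET /static/app.js?v=1",
]

def flag_traversal(lines):
    """Return the request lines whose URI cannot be resolved inside the web root."""
    flagged = []
    for line in lines:
        _method, uri = line.split(" ", 1)
        if resolve_under_root(uri) is None:
            flagged.append(line)
    return flagged
```

Four of the seven constructed requests are flagged; the `images/../index.html` request is accepted because it normalizes to a path that is still under the root.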
Top mobile malware
This month AlienBot is the most prevalent mobile malware, followed by FluBot and xHelper.
- AlienBot - The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims' accounts and eventually takes full control of their device.
- FluBot - FluBot is an Android malware distributed via SMS phishing (smishing) messages, which most often impersonate logistics delivery brands. As soon as the user clicks the link in the message, they are redirected to download a fake application containing FluBot. Once installed, the malware has various capabilities for harvesting credentials and supporting the smishing campaign itself, including uploading the contact list and sending SMS messages to other phone numbers.
- xHelper - A malicious application that has been observed in the wild since March 2019 and is used to download other malicious applications and display ads. The application can hide itself from the user and reinstall itself if it is uninstalled.
Top 10 per country
Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence, the largest collaborative network for fighting cybercrime, which provides data on threats and attack trends using a global network of threat sensors.
The ThreatCloud database inspects over 3 billion websites and 600 million files daily and identifies more than 250 million malware activities every day.
The full list of the top 10 malware families in May 2022 can be found on the Check Point blog.