The most common malware for May 2022

Check Point Research (CPR), the Threat Intelligence division of Check Point Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cybersecurity solutions, has published its Global Threat Index for May 2022. Researchers report that Emotet, an advanced, self-propagating modular Trojan, remains the most prevalent malware as a result of widespread campaigns.

They note that this month Snake Keylogger has climbed to eighth place after a long absence from the list. Snake's main function is to record the user's keystrokes and transmit the collected data to threat actors.


Snake Keylogger usually spreads through emails carrying docx or xlsx attachments with malicious macros; this month, however, researchers reported that Snake Keylogger has been spreading through PDF files. This may be partly because Microsoft now blocks macros in Office files downloaded from the Internet by default, which has pushed cybercriminals to get more creative and explore other file types such as PDFs. This less common delivery method is proving quite effective, since many people consider PDFs inherently safer than other file types.

Emotet affects 8% of organizations worldwide, a slight increase from last month. It is a versatile malware that remains profitable for its operators because of its ability to stay undetected. Its persistence also makes it difficult to remove once a system has been infected, making it the perfect tool in a cybercriminal's arsenal. Originally a banking trojan, it is often distributed through phishing emails and is able to deliver other malware, increasing its capacity to cause extensive damage.

"As the recent Snake Keylogger campaigns show, everything you do online puts you at risk of a cyberattack, and opening a PDF document is no exception," said Maya Horowitz, VP Research at Check Point Software. "Viruses and malicious executable code can hide in media and links, with the malware attack, in this case Snake Keylogger, ready to strike as soon as the user opens the PDF.

Therefore, just as you would question the legitimacy of a docx or xlsx email attachment, you must apply the same caution to PDFs. In today's landscape it has never been more important for organizations to have a robust email security solution that quarantines and inspects attachments, preventing malicious files from entering the network in the first place."

CPR also revealed that "Web Servers Malicious URL Directory Traversal" is the most commonly exploited vulnerability, affecting 46% of organizations worldwide, closely followed by "Apache Log4j Remote Code Execution", which also has a global impact of 46%. "Web Server Exposed Git Repository Information Disclosure" is in third place with a global impact of 45%. Education and Research remains the industry most targeted by cybercriminals worldwide.

Top malware families

* The arrows indicate the change in ranking compared to the previous month.

This month, Emotet remains the most prevalent malware with an 8% global impact, followed by Formbook with a 2% impact and Agent Tesla, which affects 2% of organizations worldwide.

  1. Emotet - Emotet is an advanced, self-propagating modular trojan. It was once used as a banking trojan and has more recently been used to distribute other malware or malicious campaigns. It uses multiple evasion methods and techniques to maintain persistence and avoid detection. Additionally, it can be spread through spam emails containing phishing attachments or links.
  2. Formbook - Formbook is an infostealer targeting the Windows operating system and was first identified in 2016. It is marketed as Malware-as-a-Service (MaaS) on underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C.
  3. Agent Tesla - Agent Tesla is an advanced RAT that functions as a keylogger and information stealer. It is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from various software installed on the victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook).

The full list of the top ten malware families in May 2022 can be found on the Check Point blog.

Top attacked industries worldwide

This month the most attacked industry worldwide is Education/Research, followed by Government/Military and Internet Service Providers & Managed Service Providers (ISP & MSP).

  1. Education & Research
  2. Government & Military
  3. Internet Service Providers & Managed Service Providers (ISP & MSP)

Top exploited vulnerabilities

In May, "Web Servers Malicious URL Directory Traversal" was the most commonly exploited vulnerability, affecting 46% of organizations worldwide, closely followed by "Apache Log4j Remote Code Execution", which also has a global impact of 46%. "Web Server Exposed Git Repository Information Disclosure" is in third place with a global impact of 45%.

  1. Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  2. Apache Log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  3. Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
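The first and third entries above both come down to how a web server maps a request URI onto the filesystem: a URI that is not properly sanitized lets ".." climb out of the document root, and a document root that still contains its .git directory serves repository contents to anyone who asks for them. The following is an added example and not Check Point's code or detection logic. It puts a deliberately weak "strip ../" filter beside a resolver that decodes and normalizes the path before checking it against the root, and then runs that check as a detector over a few constructed access-log lines. The document root (WEB_ROOT), the log lines and all function names are assumptions made for the example.

```python
"""Directory traversal and exposed-.git probes: a naive URI filter beside a
normalising resolver, and a detector run over constructed access-log lines.
Added example; not Check Point's code. WEB_ROOT and the log lines are made up."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root (hypothetical)


def naive_resolve(uri: str, root: str = WEB_ROOT) -> str:
    """Deliberately weak, for contrast: deletes the literal '../' and only
    then URL-decodes. This is the 'does not properly sanitize the URI'
    mistake behind the traversal CVEs listed above."""
    stripped = uri.replace("../", "")
    return posixpath.normpath(root + "/" + unquote(stripped))


def safe_resolve(uri: str, root: str = WEB_ROOT):
    """Return the absolute file path to serve, or None if the request
    would escape the document root."""
    path = uri.split("?", 1)[0]
    # Decode until the string stops changing, so double encoding
    # (%252e -> %2e -> .) cannot smuggle dots past the check.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after three rounds: refuse, don't guess
    if "\x00" in path:
        return None  # a NUL byte can truncate the path in C-based servers
    path = path.replace("\\", "/")  # backslash is a separator on Windows hosts
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Compare with a trailing slash so '/var/www/html2' is not accepted.
    if full == root or full.startswith(root.rstrip("/") + "/"):
        return full
    return None


# Constructed access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2022:10:01:03 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [10/May/2022:10:01:04 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [10/May/2022:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.5 - - [10/May/2022:10:01:06 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
GIT_RE = re.compile(r"(?:^|/)\.git(?:/|$)")


def classify(uri: str) -> str:
    """Label one request URI as 'traversal', 'git-probe' or 'ok'."""
    if safe_resolve(uri) is None:
        return "traversal"
    if GIT_RE.search(unquote(uri).split("?", 1)[0].lower()):
        return "git-probe"
    return "ok"


def scan_log(text: str):
    """Return (client_ip, uri, label) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        label = classify(match.group(1))
        if label != "ok":
            findings.append((line.split()[0], match.group(1), label))
    return findings


if __name__ == "__main__":
    for ip, uri, label in scan_log(SAMPLE_LOG):
        print(f"{label:10} {ip:12} {uri}")
```

Two things the block shows that the list entry does not: the naive filter is bypassed both by "....//" (removing one "../" leaves another behind) and by percent-encoded dots, because it filters before decoding; and the safe version does not try to recognize attack strings at all, it simply resolves the path and refuses anything that lands outside the root, which also lets harmless relative references such as "/docs/a/../b.html" through. The .git check is a separate policy decision: a request for "/.git/HEAD" resolves inside the root perfectly well, so the server has to be told explicitly that such paths must never be served.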

Top Mobile Malwares

This month AlienBot is the most prevalent mobile malware, followed by FluBot and xHelper.

  1. AlienBot - The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims' accounts and eventually takes full control of their device.
  2. FluBot - FluBot is an Android malware distributed via SMS phishing (smishing) messages, which most often impersonate logistics delivery brands. Once the user clicks the link in the message, they are redirected to download a fake application containing FluBot. Once installed, the malware has various capabilities for harvesting credentials and for supporting the smishing operation itself, including uploading the contact list and sending SMS messages to other phone numbers.
  3. xHelper - A malicious application that has been observed in the wild since March 2019 and is used to download other malicious applications and display advertisements. The application is capable of hiding itself from the user and reinstalling itself if it is uninstalled.
The top 10 per country

Malware          Global impact   Greece
Emotet           8.38%           18.38%
Lokibot          2.18%           8.08%
Agent Tesla      2.18%           5.29%
XMRig            1.85%           3.34%
SnakeKeylogger   1.44%           3.06%
Formbook         2.25%           3.06%
Crackonosh       0.72%           2.51%
Qbot             0.84%           1.95%
Katusha          0.07%           1.95%
Seraph           0.56%           1.67%
Remcos           1.18%           1.67%
AveMaria         0.50%           1.67%

Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence, the largest collaborative network for fighting cybercrime, which delivers data on threats and attack trends collected from a global network of threat sensors.

The ThreatCloud database inspects over 3 billion websites and 600 million files daily and identifies more than 250 million malware activities every day.



Written by newsbot

Although press releases are published here only very selectively and rarely, I decided to run this one ... because sometimes the authors are hiding.
