Check Point Software Technologies Ltd., a leading global provider of cybersecurity solutions, has released its Global Threat Index for January 2023.
Last month the infostealer Vidar returned to the top ten list in seventh place, following a rise in brand-hijacking cases, and a major malicious phishing campaign was launched using the njRAT software in the Middle East and North Africa.

In January, the Vidar infostealer spread via fake domains claiming to be related to the remote desktop software company AnyDesk. The malware used URL jacking (lookalike domains) for various popular applications to redirect users to a single IP address that claimed to be AnyDesk's official website.
Once downloaded, the malware posed as a legitimate installer to steal sensitive information such as login credentials, passwords, cryptocurrency wallet data, and banking information.
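The two signals the paragraph describes, lookalike domains that carry a brand name or sit one typo away from it, are something a defender can hunt for in their own DNS or proxy logs. The following is an added example, not code from the Check Point report: it takes constructed log lines, reduces each queried hostname to its registrable domain, and flags labels that either contain the brand name or are within one edit (including an adjacent-letter swap) of it, while allowlisting the legitimate apex domain. The log format, the brand list and the hypothetical domains are assumptions for illustration.

```python
import re

# Constructed sample log lines (not from the report); only the qname field matters.
SAMPLE_LOG = """\
2023-01-12T10:01:03Z client=10.0.0.5 qname=anydesk.com
2023-01-12T10:01:09Z client=10.0.0.5 qname=anydeks.com
2023-01-12T10:02:41Z client=10.0.0.9 qname=anydesk-download.net
2023-01-12T10:03:10Z client=10.0.0.9 qname=update-anydesk.top
2023-01-12T10:04:55Z client=10.0.0.7 qname=example.org
2023-01-12T10:05:12Z client=10.0.0.7 qname=download.anydesk.com
"""

# brand label -> legitimate registrable domains (assumed allowlist for the example)
BRANDS = {"anydesk": {"anydesk.com"}}

# Minimal stand-in for a public suffix list; a real deployment should use the PSL.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable(host):
    """Reduce a hostname to its registrable domain (e.g. download.anydesk.com -> anydesk.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so 'anydeks' is 1 edit from 'anydesk' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host, brand, legit_domains, max_distance=1):
    """Return a reason string if `host` looks like an impersonation of `brand`, else None."""
    domain = registrable(host)
    if domain in legit_domains:
        return None  # the real site and its subdomains are fine
    label = domain.split(".")[0]  # the label the registrant chose
    if brand in label:
        return f"contains '{brand}'"
    dist = osa_distance(label, brand)
    if dist <= max_distance:
        return f"within {dist} edit(s) of '{brand}'"
    return None


def flag_lookalikes(log_text, brands=BRANDS):
    """Scan log lines and return sorted (registrable_domain, reason) pairs."""
    hits = set()
    for line in log_text.splitlines():
        m = re.search(r"qname=(\S+)", line)
        if not m:
            continue
        for brand, legit in brands.items():
            reason = classify(m.group(1), brand, legit)
            if reason:
                hits.add((registrable(m.group(1)), reason))
    return sorted(hits)


if __name__ == "__main__":
    for domain, reason in flag_lookalikes(SAMPLE_LOG):
        print(f"{domain}: {reason}")
```

Once a few such domains are flagged, the report's observation that they all resolved to a single IP address is the natural pivot: resolve the hits, group by address, and block or investigate the whole cluster rather than one domain at a time.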
The researchers also identified a large campaign called Earth Bogle, which was spreading the njRAT malware to targets across the Middle East and North Africa. Attackers used phishing emails with geopolitical themes to trick users into opening malicious attachments. Once the Trojan is downloaded and opened, it infects the device and allows attackers to carry out numerous intrusive activities to steal sensitive information. njRAT was ranked tenth on the top malware list, having dropped off the list in September 2022.
“Once again, we're seeing malware groups use trusted brands to spread viruses, with the goal of stealing personally identifiable information. I can't stress enough how important it is for people to pay attention to the links they click to ensure they are legitimate URLs. Look out for the security lock, which indicates an up-to-date SSL certificate, and look out for any hidden typos that might indicate the site is malicious,” said Maya Horowitz, VP Research at Check Point Software.
CPR also revealed that “Web Server Exposed Git Repository Information Disclosure” remained the most exploited vulnerability last month, affecting 46% of organizations worldwide, followed by “HTTP Headers Remote Code Execution” with 42% of organizations worldwide. “MVPower DVR Remote Code Execution” came in third with a global impact of 39%.
Top Malware Families
* The arrows indicate the change in ranking compared to the previous month.
Qbot and Lokibot were the most prevalent malware last month, with a global impact of 6.5% and 5.5% respectively, followed by AgentTesla with a global impact of 5%.
- ↑ Qbot – Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal banking information and a user's keystrokes. It is often distributed via spam email. Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to block analysis and avoid detection.
- ↑ Lokibot – LokiBot is a commodity infostealer with versions for both Windows and Android OS that was first detected in February 2016. It collects credentials from various applications, web browsers, email programs, IT management tools like PuTTY and others. LokiBot is sold on hacking forums and its source code is believed to have been leaked, allowing numerous variants to emerge. As of late 2017, some versions of LokiBot for Android include ransomware functionality in addition to information-stealing capabilities.
- ↑ AgentTesla – AgentTesla is an advanced RAT that acts as a keylogger and information stealer. It is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and extracting credentials for various software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
Top Attacked Industries Globally
Last month, education/research remained the most attacked industry globally, followed by the government/military sector and then healthcare.
- Education / Research
- Government / Military
- Healthcare
Top Exploited Vulnerabilities
Last month, “Web Server Exposed Git Repository Information Disclosure” was the most exploited vulnerability, affecting 46% of organizations worldwide, followed by “HTTP Headers Remote Code Execution” with 42% of organizations worldwide. “MVPower DVR Remote Code Execution” came in third place with a global impact of 39%.
- ↔ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git repositories served by web servers. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
- ↑ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers allow the client and server to pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
- ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker could exploit this vulnerability to execute arbitrary code on the affected device via a crafted request.
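The Git repository exposure at the top of the list is a misconfiguration rather than a software bug: a web root that contains a `.git` directory and a server that happily serves it. The check below is an added example, not Check Point's code or scanner: it requests `/.git/HEAD` and `/.git/config` and treats a hit as confirmed only when the body matches what Git itself writes (a symbolic ref or a 40-hex commit id; a config starting with `[core]` and `repositoryformatversion`), so a catch-all "200 OK" page from a single-page app is not reported as a finding. The fetch function is injectable, so the canned responses embedded here (constructed for the example, with hypothetical hostnames) let it run offline; the paths and signatures are assumptions about a standard Git layout.

```python
import re
import sys
import urllib.error
import urllib.request

# What a real Git checkout serves at these paths (standard Git on-disk format).
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40})\s*$")
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)

PROBES = {
    "/.git/HEAD": lambda body: bool(HEAD_RE.match(body)),
    "/.git/config": lambda body: bool(CONFIG_RE.search(body))
    and "repositoryformatversion" in body,
}


def classify_response(path, status, body):
    """True only when the server returned something that really looks like the Git file."""
    if status != 200:
        return False
    check = PROBES.get(path)
    return bool(check and check(body))


def _http_fetch(url):
    """Live fetch; returns (status, first 4 KiB of body). Errors map to a non-200 status."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def probe(base_url, fetch=_http_fetch):
    """Probe each path under base_url; returns {path: exposed_bool}."""
    base = base_url.rstrip("/")
    return {path: classify_response(path, *fetch(base + path)) for path in PROBES}


def is_exposed(base_url, fetch=_http_fetch):
    """A single confirmed Git file is enough to call the repository exposed."""
    return any(probe(base_url, fetch).values())


# Constructed canned responses for offline use; the hosts are hypothetical.
CANNED = {
    "https://vuln.example/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://vuln.example/.git/config": (
        200,
        "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
        '[remote "origin"]\n\turl = https://git.example/internal/app.git\n',
    ),
    "https://safe.example/.git/HEAD": (404, "Not Found"),
    "https://safe.example/.git/config": (404, "Not Found"),
    # A SPA that answers every path with 200 and its index page must not count.
    "https://spa.example/.git/HEAD": (200, "<!doctype html><html><body>app</body></html>"),
    "https://spa.example/.git/config": (200, "<!doctype html><html><body>app</body></html>"),
}


def canned_fetch(url):
    return CANNED.get(url, (404, ""))


if __name__ == "__main__":
    targets = sys.argv[1:] or ["https://vuln.example", "https://safe.example", "https://spa.example"]
    fetch = _http_fetch if sys.argv[1:] else canned_fetch
    for target in targets:
        print(target, probe(target, fetch))
```

Run it with real URLs on the command line to probe your own servers (only ones you are authorized to test); with no arguments it runs against the canned responses. The fix on the server side is to keep `.git` out of the document root, or deny it explicitly, for example an nginx `location ~ /\.git { deny all; }` block, and to rotate any credentials found in a config that was reachable, since `[remote "origin"]` URLs frequently embed tokens.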
Top Mobile Malware
Last month, Anubis remained the most prevalent mobile malware, followed by Hiddad and AhMyth.
- Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since it was first detected, it has acquired additional features such as Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been spotted in hundreds of different apps available on the Google Play Store.
- Hiddad – Hiddad is an Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also access key security details built into the operating system.
- AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which are typically used to steal sensitive information.
| Malware Family | Global Impact | Greece Impact |
|---|---|---|
| Qbot | 6.50% | 10.89% |
| Formbook | 3.96% | 8.38% |
| Emotet | 3.44% | 5.03% |
| Lokibot | 5.50% | 5.03% |
| AgentTesla | 4.69% | 4.19% |
| GuLoader | 2.04% | 4.19% |
| Nanocore | 1.65% | 2.79% |
| XMRig | 3.46% | 2.51% |
| Cerbu | 1.11% | 2.23% |
| Esfury | 0.91% | 2.23% |
| Pony | 0.56% | 2.23% |
Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence, which provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. ThreatCloud intelligence is enriched with AI-driven engines and exclusive research data from Check Point Research, the intelligence and research division of Check Point Software Technologies.
The full list of the top 10 malware families for January 2023 can be found on the Check Point blog.
