The most widespread malware of January 2023

Check Point Software Technologies Ltd., a leading global provider of cybersecurity solutions, has released its Global Threat Index for January 2023.

Last month the Vidar infostealer returned to the top ten list, in seventh place, following a rise in brandjacking, and a major phishing campaign distributing the njRAT malware was observed in the Middle East and North Africa.


In January, the Vidar infostealer spread via fake domains posing as the remote desktop software company AnyDesk. The malware used URL jacking of various popular applications to redirect users to a single IP address that claimed to be AnyDesk's official website.

Once downloaded, the malware posed as a legitimate installer in order to steal sensitive information such as login credentials, passwords, cryptocurrency wallet data and banking information.

The researchers also identified a large campaign, called Earth Bogle, which was spreading the njRAT malware to targets across the Middle East and North Africa. The attackers used phishing emails with geopolitical themes to trick users into opening malicious attachments. Once the Trojan is downloaded and opened, it infects the device and lets the attackers carry out a wide range of intrusive activities to steal sensitive information. njRAT re-entered the top malware list in tenth place, having dropped off it in September 2022.

"Once again we see malware groups using trusted brands to spread viruses, with the aim of stealing personally identifiable information. I cannot stress enough how important it is for people to pay attention to the links they click, to make sure they are legitimate URLs. Look for the security padlock, which indicates an up-to-date SSL certificate, and watch out for any hidden typos that may suggest the site is malicious," said Maya Horowitz, VP Research at Check Point Software.

CPR also revealed that "Web Server Exposed Git Repository Information Disclosure" remained the most exploited vulnerability last month, affecting 46% of organizations worldwide, followed by "HTTP Headers Remote Code Execution" with 42% of organizations worldwide. "MVPower DVR Remote Code Execution" came third, with a global impact of 39%.

TOP malware families

* In the original ranking, arrows indicate the change in position compared with the previous month.

Qbot was the most prevalent malware last month, with an impact of over 6% on organizations worldwide, followed by Lokibot and Agent Tesla with a global impact of around 5% each.

  1. Qbot – Qbot, AKA Qakbot, is a banking Trojan that first appeared in 2008. It was designed to steal a user's banking information and keystrokes. It is often distributed via spam email. Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection.
  2. Lokibot – LokiBot is a commodity infostealer with versions for both Windows and Android that was first detected in February 2016. It collects credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot is sold on hacking forums, and its source code is believed to have leaked, which allowed numerous variants to appear. Since late 2017, some Android versions of LokiBot include ransomware functionality in addition to their information-stealing capabilities.
  3. Agent Tesla – AgentTesla is an advanced RAT that acts as a keylogger and information stealer. It is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials belonging to a variety of software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

TOP attacked Industries globally

Last month, education/research remained the most attacked industry globally, followed by the government/military sector and then healthcare.

  1. Education / Research
  2. Government / Military
  3. Healthcare

TOP Exploited vulnerabilities

Last month, "Web Server Exposed Git Repository Information Disclosure" was the most exploited vulnerability, affecting 46% of organizations worldwide, followed by "HTTP Headers Remote Code Execution" with 42% of organizations worldwide. "MVPower DVR Remote Code Execution" came third, with a global impact of 39%.

  1. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git repositories served by web servers. Successful exploitation could allow the unintended disclosure of account information.
  2. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers let the client and the server pass additional information along with an HTTP request. A remote attacker may use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
  3. MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker could exploit it to execute arbitrary code on the affected device via a crafted request.
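The first entry above, an exposed `.git` directory on a web server, is easy to check for from either side of the fence. The following is an added example (not part of the Check Point report or of this article) showing how a scanner would decide that `/.git/HEAD` is really a Git HEAD file rather than a soft-404 page, and how it would then parse `/.git/config` for remote URLs that embed an account name and secret, which is the "account information" such a disclosure typically leaks. The HTTP responses and repository contents are constructed samples, and the assumption is that the misconfigured server simply serves the deployed working tree, `.git` included; the functions split classification from fetching so the logic runs offline.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample HTTP response bodies, standing in for what probing
# /.git/HEAD and /.git/config on a misconfigured web server could return.
# Assumption: the server serves the deployed working tree verbatim,
# including the .git directory.
SAMPLE_HEAD_REAL = "ref: refs/heads/main\n"
SAMPLE_HEAD_DETACHED = "3b18e512dba79e4c8300dd08aeb37f8e728b8dad\n"
SAMPLE_HEAD_SOFT404 = "<html><body><h1>Not Found</h1></body></html>"
SAMPLE_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "\tfilemode = true\n"
    '[remote "origin"]\n'
    "\turl = https://deploy:s3cr3t-token@git.example.com/acme/webapp.git\n"
    "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    '[remote "mirror"]\n'
    "\turl = git@github.com:acme/webapp.git\n"
)

# A genuine HEAD file is either a symbolic ref or a bare object id
# (40 hex chars for SHA-1 repositories, 64 for SHA-256 ones).
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def is_exposed_git_head(status: int, body: str) -> bool:
    """True when a response for /.git/HEAD looks like a real HEAD file.

    A 200 status alone is not enough: many servers answer unknown paths
    with a soft-404 HTML page, so the body must match what git writes.
    """
    return status == 200 and _HEAD_RE.match(body.strip()) is not None


def remote_urls(config_text: str) -> List[str]:
    """Collect every `url = ...` value from a .git/config (INI-like, tab-indented)."""
    urls = []
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "url":
            urls.append(value.strip())
    return urls


def embedded_credentials(url: str) -> Optional[str]:
    """Return 'user' or 'user:<redacted>' when the remote URL carries
    credentials in its userinfo part (https://user:token@host/...), else None.
    The secret itself is never returned, so the finding can be shared safely."""
    parts = urlsplit(url)
    if not parts.scheme or parts.username is None:
        return None  # scp-style git@host:path has no scheme and no userinfo
    return parts.username + (":<redacted>" if parts.password else "")


def assess_exposure(head_status: int, head_body: str,
                    config_status: int, config_body: str) -> Dict[str, object]:
    """Combine the two probes into one finding.

    `exposed` says whether the .git directory is readable over HTTP;
    `leaked_credentials` lists remotes whose URL embeds an account
    name or secret, i.e. the account information such an exposure leaks.
    """
    exposed = is_exposed_git_head(head_status, head_body)
    leaked = []
    if exposed and config_status == 200:
        for url in remote_urls(config_body):
            creds = embedded_credentials(url)
            if creds:
                leaked.append({"remote": urlsplit(url).hostname,
                               "credentials": creds})
    return {"exposed": exposed, "leaked_credentials": leaked}


if __name__ == "__main__":
    print(assess_exposure(200, SAMPLE_HEAD_REAL, 200, SAMPLE_CONFIG))
    print("soft-404 is not a finding:",
          assess_exposure(200, SAMPLE_HEAD_SOFT404, 200, SAMPLE_CONFIG)["exposed"])
```

In a live scan the two bodies would come from GET requests to `<site>/.git/HEAD` and `<site>/.git/config`; once HEAD is confirmed, the rest of the repository (objects, index, history) is normally retrievable the same way. On the defending side the fix is twofold: do not deploy the `.git` directory at all, and deny it at the web server (for nginx, a `location ~ /\.git { deny all; }` block), and keep credentials out of remote URLs by using a credential helper instead.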

TOP Mobile Malware

Last month, the Anubis remained the most prevalent mobile malware, followed by Hiddad and AhMyth.

  1. Anubis – Anubis is a banking Trojan designed for Android phones. Since it was first spotted it has gained additional functions, such as Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been spotted in hundreds of different apps available in the Google Store.
  2. Hiddad – Hiddad is an Android malware that repackages legitimate apps and then releases them on a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.
  3. AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, all typically used to steal sensitive information.
Top malware families in Greece in January 2023, with the corresponding global impact:

Malware family    Global impact    Greece impact
Qbot              6.50%            10.89%
Formbook          3.96%            8.38%
Emotet            3.44%            5.03%
Lokibot           5.50%            5.03%
Agent Tesla       4.69%            4.19%
GuLoader          2.04%            4.19%
Nanocore          1.65%            2.79%
XMRig             3.46%            2.51%
Cerbu             1.11%            2.23%
Esfury            0.91%            2.23%
Pony              0.56%            2.23%

Check Point Software's Global Threat Impact Index and ThreatCloud Map are based on the company's ThreatCloud intelligence, which provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile phones. ThreatCloud intelligence is enriched with AI-driven data and exclusive research from Check Point Research, the Intelligence & Research division of Check Point Software Technologies.

The full list of the top 10 malware families for January 2023 is available on the Check Point blog.


Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.
