Check Point's Latest Threat Index Highlights Shift to AI-Based Malware Tactics in Today's Cyber Landscape
Check Point Software Technologies Ltd., provider of an AI-powered, cloud-delivered cybersecurity platform, has released its Global Threat Index for September 2024. The report highlights a notable trend in the cybersecurity landscape, particularly the emergence of artificial intelligence (AI)-based malware, alongside the continued dominance of ransomware threats.
In September, the researchers discovered that the perpetrators of the attacks likely used artificial intelligence to develop a script that delivers the AsyncRAT malware, which has now taken the 10th spot on the list of most widespread malware. The method involved HTML smuggling, where a password-protected ZIP file containing malicious VBScript code was sent to start an infection chain on the victim's device. The well-structured and commented code suggested the involvement of artificial intelligence. Once fully executed, AsyncRAT installs itself, allowing the attacker to record keystrokes, remotely control the infected device and deploy additional malware. The discovery highlights a growing trend of cybercriminals with limited technical skills using AI to create malware more easily.
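The HTML smuggling chain described above is detectable at the mail gateway before any ZIP is ever opened: the browser-side half of the technique needs a base64 blob, a JavaScript decode, a `Blob` object and a forced download, and those tokens can be scored in the attachment itself. The following scanner is an added example, not Check Point's code; the indicator list, the 200-character base64 threshold, the `SUSPICIOUS_SCORE` cut-off and both sample attachments are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicator patterns for the browser-side half of HTML smuggling: script-decoded
# bytes wrapped in a Blob and handed to the user as a file download.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\bdownload\s*="),
}
# Inline payloads are long base64 runs; 200 chars is an assumed threshold that a
# short inline data: URI for an icon will not reach.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
ZIP_B64_PREFIX = "UEsDB"  # base64 of the ZIP local-file-header magic "PK\x03\x04"
SUSPICIOUS_SCORE = 4      # assumed threshold; tune against your own mail corpus


@dataclass
class SmugglingVerdict:
    indicators: list       # names of INDICATORS that matched
    longest_b64_run: int   # length of the longest inline base64 run (0 if none)
    embedded_zip: bool     # a base64 run starts with the ZIP magic

    @property
    def score(self) -> int:
        # One point per indicator, one for an inline payload, one for a ZIP inside it.
        return len(self.indicators) + int(self.longest_b64_run > 0) + int(self.embedded_zip)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_SCORE


def scan_html(html: str) -> SmugglingVerdict:
    """Score an HTML attachment for HTML-smuggling indicators."""
    indicators = [name for name, rx in INDICATORS.items() if rx.search(html)]
    runs = B64_RUN.findall(html)
    longest = max((len(r) for r in runs), default=0)
    embedded_zip = any(r.startswith(ZIP_B64_PREFIX) for r in runs)
    return SmugglingVerdict(indicators, longest, embedded_zip)


# Constructed sample: a harmless page with a tiny inline icon and a normal download link.
SAMPLE_BENIGN = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">
<a href="/reports/q3.pdf" download="q3.pdf">Download the Q3 report</a>
</body></html>"""

# Constructed sample: a smuggling fragment whose "payload" is a ZIP header followed by filler,
# not a real archive.
SAMPLE_SMUGGLED = (
    '<html><body><script>\n'
    'var payload = "UEsDBBQACAAI' + "A" * 300 + '";\n'
    'var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));\n'
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    'var a = document.createElement("a");\n'
    'a.href = URL.createObjectURL(blob);\n'
    'a.download = "invoice.zip";\n'
    '</script></body></html>'
)

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("smuggled", SAMPLE_SMUGGLED)):
        v = scan_html(sample)
        print(f"{label}: score={v.score} suspicious={v.suspicious} indicators={v.indicators}")
```

The scoring is deliberately additive rather than a single regex so that a legitimate page with one `download=` link scores low, while the combination of decode, `Blob`, object URL and an inline archive-shaped payload crosses the threshold; a password-protected ZIP produced this way still carries the `PK` magic in its first bytes, which is why the base64 prefix check works without decoding the payload.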
Maya Horowitz, VP of Research at Check Point Software, commented on this trend stating: “The fact that threat actors have begun to use generative artificial intelligence as part of their attack infrastructure highlights the continued evolution of cyber attack tactics. Cybercriminals are increasingly leveraging available technologies to enhance their operations, making it necessary for organizations to implement proactive security strategies, including advanced prevention methods and comprehensive training of their teams.”
This month, Joker continues to be the most prevalent mobile malware, while RansomHub remains the top ransomware group, both retaining their positions from last month. These findings highlight the persistence of threats posed by these malicious entities in the evolving cybersecurity landscape.
Top malware families
*The arrows refer to the change in ranking compared to the previous month.
FakeUpdates is the most widespread malware for September with an impact of 7% on global organizations, followed by Androxgh0st with a global impact of 6% and Formbook with a global impact of 4%.
- ↔ FakeUpdates - FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before launching them. FakeUpdates has led to further compromise through several additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
- ↔ Androxgh0st - Androxgh0st is a botnet that targets Windows, Mac and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- ↑ Formbook - Formbook is an infostealer targeting the Windows operating system and was first identified in 2016. It is marketed as Malware-as-a-Service (MaaS) in underground hacking forums for its powerful evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C.
- ↔ Qbot - Qbot, AKA Qakbot, is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities and deploy additional malware. Often distributed through spam email, Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection. Starting in 2022, it emerged as one of the most prevalent Trojans.
- ↔ Agent Tesla - Agent Tesla is an advanced RAT that functions as a keylogger and information stealer, capable of monitoring and collecting the victim's keyboard input and system keyboard, taking screenshots and exfiltrating credentials from various software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- ↓ Phorpiex - Phorpiex is a botnet known for distributing other malware families via spam campaigns, as well as fuelling large-scale sextortion campaigns.
- ↑ Vidar - Vidar is an infostealer malware that operates as malware-as-a-service and was first discovered in the wild in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. Additionally, the malware is used as a downloader for ransomware.
- ↑ NJRat - NJRat is a remote access Trojan, mainly targeting government agencies and organizations in the Middle East. The Trojan first appeared in 2012 and has multiple capabilities: logging keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. NJRat infects victims through phishing attacks and drive-by downloads, and spreads via infected USB keys or network drives, supported by its Command & Control server software.
- ↑ Glupteba - Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, a comprehensive browser hijacking feature and a router exploit.
- ↑ AsyncRat - AsyncRat is a Trojan that targets the Windows platform. This malware sends system information about the target system to a remote server. It receives commands from the server to download and run plugins, kill processes, uninstall/update itself and take screenshots of the infected system.
Top exploited vulnerabilities
- ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) - A Command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists in various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) - HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
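The directory traversal entry above describes the root cause as a server that does not sanitize the URI for traversal patterns. The check below is an added example, not code from Check Point or from any of the listed products: it canonicalizes a request path (repeated percent-decoding to catch double encoding, backslash normalization, dot-segment collapse), refuses anything that resolves outside the document root, and runs the same check over access-log lines so the pattern can be spotted in telemetry. The `WEB_ROOT` value, the decode-round limit and the log lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumption: document root of the example server
MAX_DECODE_ROUNDS = 3        # catches double and triple percent-encoding
REQUEST_RX = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/')


def decode_fully(uri_path: str) -> str:
    """Percent-decode until the string stops changing (bounded), so %252e%252e becomes '..'."""
    decoded = uri_path
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def resolve_under_root(uri_path: str, root: str = WEB_ROOT):
    """Return the filesystem path the URI maps to, or None if it escapes the root."""
    decoded = decode_fully(uri_path).replace("\\", "/")   # backslash is a separator on Windows
    if "\x00" in decoded:                                  # NUL truncation tricks
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def classify(uri_path: str) -> str:
    """'escapes-root', 'dot-dot-inside-root' (clamped but still worth logging) or 'clean'."""
    decoded = decode_fully(uri_path).replace("\\", "/")
    if resolve_under_root(uri_path) is None:
        return "escapes-root"
    if ".." in decoded.split("/"):
        return "dot-dot-inside-root"
    return "clean"


def scan_access_log(lines):
    """Return the non-clean requests from Apache/nginx-style log lines (1-based line numbers)."""
    flagged = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RX.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]   # drop the query string before path checks
        verdict = classify(path)
        if verdict != "clean":
            flagged.append({"line": n, "path": path, "verdict": verdict})
    return flagged


# Constructed sample log lines (combined log format, addresses from documentation ranges).
LOG_LINES = [
    '10.0.0.5 - - [12/Sep/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Sep/2024:10:01:07 +0000] "GET /images/../css/site.css HTTP/1.1" 200 220',
    '203.0.113.7 - - [12/Sep/2024:10:02:11 +0000] "GET /cgi-bin/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 404 0',
    '203.0.113.7 - - [12/Sep/2024:10:02:13 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0',
    '198.51.100.4 - - [12/Sep/2024:10:03:00 +0000] "GET /docs/..\\..\\windows\\win.ini HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(LOG_LINES):
        print(f"line {hit['line']}: {hit['verdict']:20} {hit['path']}")
```

Joining the decoded path onto the root before normalizing is what makes the check sound: normalizing the URI on its own silently drops leading `..` segments and would report a request that tried to climb above the root as harmless, whereas the joined form either lands under `WEB_ROOT` or is rejected.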
Top Mobile Malware
In September, Joker ranked as the most prevalent mobile malware, followed by Anubis and Hiddad.
- ↔ Joker - An Android spyware on Google Play, designed to steal SMS messages, contact lists and device information. In addition, the malware silently signs the victim up for premium services on advertising sites.
- ↔ Anubis - Anubis is a banking Trojan designed for Android mobile phones. Since it was first identified, it has gained additional functions including Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been spotted in hundreds of different applications available in the Google Store.
- ↑ Hiddad - Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.
Most Attacked Industries Globally
In September, Education/Research remained the No. 1 attacked industry worldwide, followed by the Government/Military sector and Health.
1. Education/Research
2. Government/Military sector
3. Health
Top Ransomware Groups
The data is based on information from ransomware "shame sites" run by double-extortion ransomware groups, on which they publish information about their victims. RansomHub is the most prevalent ransomware group this month, responsible for 17% of published attacks, followed by Play with 10% and Qilin with 5%.
- RansomHub - RansomHub is a Ransomware-as-a-Service (RaaS) operation which emerged as a rebranded version of the previously known Knight ransomware. RansomHub, which surfaced prominently in early 2024 on underground cybercrime forums, quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux and especially VMware ESXi environments. This malware is known for using sophisticated encryption methods.
- Play - Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a wide range of businesses and critical infrastructure across North America, South America and Europe, affecting around 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised legitimate accounts or by exploiting unpatched vulnerabilities such as those in Fortinet's SSL VPNs. Once inside, it uses techniques such as living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
- Qilin – Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that works with affiliates to encrypt and exfiltrate data from compromised organizations, then demand a ransom. This ransomware variant was first detected in July 2022 and is written in Golang. Agenda is known for targeting large businesses and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to gain access to their networks and exfiltrate sensitive information. Once inside, Qilin typically moves laterally through the victim's infrastructure, looking for critical data to encrypt.