September 2023 Malware that affected Greece

Check Point® Software Technologies Ltd., a global cybersecurity solutions provider, has released its Global Threat Index for September 2023. Researchers identified a new stealthy phishing campaign targeting Colombian businesses, designed to quietly spread the Remcos Remote Access Trojan (RAT).

Meanwhile, Formbook took the top spot as the most prevalent malware after the Qbot takedown, while Education remains the most targeted industry.


In September, Check Point Research revealed a major phishing campaign which targeted more than 40 prominent companies in various industries in Colombia. The goal was to secretly install the Remcos RAT on victims' computers. Remcos, which was the second most widespread malware in September, is a sophisticated “Swiss Army Knife” RAT that provides complete control over the infected computer and can be used in various attacks. Common consequences of a Remcos infection include data theft, secondary infections, and account takeover.

Last month Qbot was completely removed from the top malware list after the FBI took control of it last August. This marks the end of a long run as the most widespread malware, holding the top of the list for most of 2023.

“The campaign we uncovered in Colombia offers a glimpse into the complex world of evasion techniques used by attackers. It's also a good illustration of how invasive these techniques are and why we need to use cyber resilience to protect against various types of attacks,” said Maya Horowitz, VP Research at Check Point Software.

CPR also revealed that “Web Servers Malicious URL Traversal” was the most exploited vulnerability last month, affecting 47% of organizations worldwide, followed by “Command Injection Over HTTP” at 42% and “Zyxel ZyWALL Command Injection” at 39%.

Malware that affected Greece

Country   Malware Family   Impact on the country   Global impact
Greece    Emotet           18.10%                  1.73%
Greece    Agent Tesla       3.88%                  1.11%
Greece    STRRat            2.59%                  0.23%
Greece    Remcos            2.16%                  1.89%
Greece    Esfury            1.94%                  0.48%
Greece    AsyncRAT          1.51%                  0.91%
Greece    Cryptonite        1.29%                  0.44%
Greece    Pony              1.08%                  0.26%
Greece    Scrinject         1.08%                  0.40%
Greece    AZORult           1.08%                  0.38%

Top malware families

* The arrows refer to the change of the ranking in relation to the previous month.

Formbook was the most prevalent malware last month, with a global impact of 3% of organizations, followed by Remcos with a global impact of 2% and Emotet with a global impact of 2%.

  1. Formbook – Formbook is an infostealer that targets the Windows operating system and was first detected in 2016. It is marketed as Malware as a Service (MaaS) on underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to commands from its C&C.
  2. Remcos – Remcos is a Remote Access Trojan (RAT) that first appeared in the wild in 2016. Remcos is distributed via malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and run malware with elevated privileges.
  3. Emotet – Emotet is a self-propagating, modular Trojan. Once used as a banking Trojan, Emotet has more recently been used as a distributor of other malware and malicious campaigns. It uses multiple methods to maintain persistence and evasion techniques to avoid detection. It can also spread through phishing spam emails that contain malicious attachments or links.

The Industries With the Most Attacks Worldwide

Last month Education / Research remained in first place as the industry with the most attacks worldwide, followed by Communications and Government / Military.

  1. Education / Research
  2. Communications
  3. Government / Military

The most exploitable vulnerabilities

Last month, "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, affecting 47% of organizations worldwide, followed by "Command Injection Over HTTP" at 42% and "Zyxel ZyWALL Command Injection" at 39%.

  1. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or gain access to arbitrary files on the vulnerable server.
  2. ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  3. ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in the Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary operating system commands on the affected system.
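The directory traversal entry above describes a server that fails to sanitize the URI for traversal patterns. The following detection logic, added here as an illustration and not taken from Check Point's report, shows how a defender can spot such requests in web server access logs: it percent-decodes the path repeatedly (so double-encoded `%252e%252e` is not missed), treats backslashes as separators, and flags any path whose `..` segments climb above the document root. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Sep/2023:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 512
203.0.113.7 - - [12/Sep/2023:10:01:09 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [12/Sep/2023:10:02:11 +0000] "GET /cgi-bin/..%2f..%2fetc/shadow HTTP/1.1" 403 0
203.0.113.9 - - [12/Sep/2023:10:02:12 +0000] "GET /a/%252e%252e/%252e%252e/win.ini HTTP/1.1" 200 100
203.0.113.3 - - [12/Sep/2023:10:03:00 +0000] "GET /docs/..guide/intro.html HTTP/1.1" 200 900
203.0.113.4 - - [12/Sep/2023:10:03:30 +0000] "GET /app/..\\..\\config.yml HTTP/1.1" 200 40
"""

# Extracts the request line: method and request target.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_traversal(target: str) -> bool:
    """True if the decoded, normalized path escapes the web root."""
    path = fully_decode(urlsplit(target).path).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty or current-directory segment: no change
        if seg == "..":
            depth -= 1
            if depth < 0:       # climbed above the document root
                return True
        else:
            depth += 1          # "..guide" is a normal name, not a traversal
    return False

def flag_traversal(log_text: str) -> list:
    """Return (client_ip, raw_target) for each request whose path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group("target")):
            hits.append((line.split()[0], m.group("target")))
    return hits
```

Calling `flag_traversal(SAMPLE_LOG)` returns the client IP and raw request target for the four traversal attempts in the sample, while the `..guide` path is correctly left alone.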

Top Mobile Malwares

Last month Anubis remained in first place as the most widespread mobile malware, followed by AhMyth and SpinOk.

  1. Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since it was first detected, it has acquired additional functions, including Remote Access Trojan (RAT) capabilities, a keylogger, audio recording, and various ransomware features. It has been spotted in hundreds of different apps available in the Google Store.
  2. AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which is typically used to steal sensitive information.
  3. SpinOk – SpinOk is an Android software module that acts as spyware. It collects information about the files stored on the device and is able to transfer it to malicious threat actors. The malicious module was found in more than 100 Android apps and had been downloaded more than 421.000.000 times as of May 2023.

Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile phones. This intelligence is enhanced with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.

The full list of the top ten malware families in September can be found on the Check Point blog.


Written by newsbot
