The advanced and dangerous trojan Emotet continues to increase its impact in Portugal and worldwide month after month. Check Point researchers attribute this to the malware's ability to remain undetected.
Read the full press release:
Check Point Research (CPR), Threat Intelligence area of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of global cybersecurity solutions, published the latest May 2022 Global Threat Index on June 9.
Following multiple malware dissemination campaigns, researchers report that Emotet, an advanced, self-propagating, modular trojan, remains the most impactful threat, affecting 6% of organizations worldwide.
In Portugal, the Emotet trojan was also the leader, impacting 11 out of 100 (11%) of Portuguese organizations. This was followed by QBot and Formbook, a banking trojan and infostealer that this month each impacted 5% of national companies. In the report, Check Point Software also highlights the climbing position of the Snake Keylogger, which, after a period of disappearance, now ranks 8th globally.
Snake Keylogger is usually spread via emails that include docx and xlsx attachments with malicious macros; this month, however, researchers warn that the threat has spread via PDF files. This may be due in part to Microsoft's decision to block macros in files received from the Internet, which has forced cybercriminals to get more creative and explore other file types such as PDFs. This rare way of spreading malware has proven to be effective, as people regard this type of document as inherently more secure than others.
The Emotet trojan has increased its impact, both nationally and globally. It is agile and very profitable malware given its ability to remain undetected, and its persistence makes it difficult to remove after infection, which makes it the perfect cybercrime tool. Originally a banking trojan, Emotet is commonly spread via phishing emails and is used to deploy other malware, thereby maximizing its impact.
“As evidenced by the latest Snake Keylogger campaigns, everything we post online puts us at risk of a cyberattack – opening a PDF is no exception,” says Maya Horowitz, VP Research at Check Point Software. “Executable viruses and malicious code have the ability to access multimedia content and links, with the malware attack, in this case the Snake Keylogger, prepared to attack as soon as the user opens the PDF. So, just as we would question the legitimacy of a docx or xlsx in an email attachment, we should exercise the same caution with PDFs. In today’s landscape, it has never been more important for organizations to have a robust email security solution that isolates and inspects attachments, preventing any malicious files from entering the network in the first place.”
CPR further revealed that "Web Servers Malicious URL Directory Traversal" is the most commonly exploited vulnerability, impacting 46% of organizations worldwide, followed closely by "Apache Log4j Remote Code Execution", with an overall impact of 46%. Third was "Web Server Exposed Git Repository Information Disclosure", with an overall impact of 45%.
Most prevalent malware families in May. Trojan Emotet leads
*Arrows are related to the rank change from the previous month.
This month, the Emotet trojan remains the most popular malware impacting 8% of organizations worldwide, followed closely by Formbook and AgentTesla, each responsible for impacting 2% of organizations worldwide. In Portugal, the top 3 was headed by the Emotet trojan, with an impact of 11%, followed by Qbot and Formbook, both responsible for infecting 5% of national companies.
- Emotet – Advanced, self-propagating, modular Trojan. Emotet was once used as a banking Trojan, but recently it is used to distribute malware and run other malicious campaigns. It uses various evasion methods and techniques to maintain its persistence and avoid detection. Furthermore, it can be spread via phishing spam emails containing malicious attachments or links.
- ↑ Formbook – Formbook is an Infostealer that targets Windows OS and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) on dark web hacking forums for its strong evasion techniques and relatively low price. Formbook collects credentials from various web browsers, takes screenshots, monitors and records keystrokes, and can download and execute files according to orders from its C&C server.
- ↑ QBot – Banking Trojan first identified in 2008. Designed to steal banking credentials and keystrokes. Often distributed via email, Qbot uses various anti-VM, anti-debugging and anti-sandbox techniques to evade analysis and detection.
Most attacked industries in Portugal:
This month, the Education/Research sector was the most attacked in Portugal, followed by Health and, third, Utilities.
- Education/Research
- Health
- Utilities
Most attacked industries in the world:
This month, Education/Research is the most attacked sector globally, followed by Public Administration/Military Industry and ISP/MSP.
- Education/Research
- Public Administration/Military Industry
- ISP/MSP
Most Exploited Vulnerabilities
In May, "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, with an overall impact of 46% across organizations, followed closely by "Apache Log4j Remote Code Execution", also with an overall impact of 46%. Third was "Web Server Exposed Git Repository Information Disclosure", with an overall impact of 45%.
- ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists in various web servers. The vulnerability is due to an input validation error: the web server does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to reveal or access arbitrary files on the vulnerable server.
- Apache Log4j Remote Code Execution (CVE-2021-44228) – Remote code execution vulnerability present in Apache Log4j. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary code on the affected system.
- ↓ Web Server Exposed Git Repository Information Disclosure – Information leak vulnerability present in Git repositories. Successful exploitation of this vulnerability would allow an unintentional leak of account information.
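The two web-server weaknesses listed above both come down to how a request path is handled. The following Python is an added illustration, not code from the Check Point report: it shows a naive file-path resolver beside a hardened one that double-decodes the URI and checks that the result stays under the document root, and a small detector that runs over constructed access-log lines to flag traversal attempts and requests for the `.git/` directory. The document root, the log lines, and the function names are all assumptions made for this example.

```python
import os
import re
from urllib.parse import unquote

# Assumed document root for the demo; any directory path works.
DOC_ROOT = "/srv/www/public"


def vulnerable_resolve(doc_root, requested):
    # Naive join: ".." segments in the request walk out of the root.
    return os.path.normpath(os.path.join(doc_root, requested))


def safe_resolve(doc_root, requested):
    # Decode twice to catch double-encoded dots (%252e -> %2e -> .),
    # drop any leading slash so an absolute path cannot replace the root,
    # normalise, then require the result to still be inside the root.
    decoded = unquote(unquote(requested))
    candidate = os.path.normpath(os.path.join(doc_root, decoded.lstrip("/\\")))
    root = os.path.normpath(doc_root)
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the document root: refuse the request
    return candidate


# Combined-log-format line: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
GIT_RE = re.compile(r"/\.git(/|$)")

# Constructed sample log lines for the demo (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2022:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2022:10:01:15 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [12/May/2022:10:01:16 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [12/May/2022:10:02:40 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.9 - - [12/May/2022:10:02:41 +0000] "GET /.git/config HTTP/1.1" 200 140
203.0.113.5 - - [12/May/2022:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 1024
"""


def classify_request(path):
    # Decode the same way the server would before deciding what the path means.
    decoded = unquote(unquote(path))
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return "traversal"
    if GIT_RE.search(decoded):
        return "git-exposure"
    return None


def scan_log(text):
    # Returns (ip, kind, raw path, status) for each suspicious request.
    # A 200 on a .git path means the repository really is being served.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m["path"])
        if kind:
            findings.append((m["ip"], kind, m["path"], int(m["status"])))
    return findings


if __name__ == "__main__":
    print(vulnerable_resolve(DOC_ROOT, "../../../etc/passwd"))  # walks out of root
    print(safe_resolve(DOC_ROOT, "../../../etc/passwd"))        # None
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The resolver is the mitigation for the first entry: the containment check is done on the final normalised path rather than by pattern-matching the request, so encoding tricks do not matter. The log scan is the detection side: traversal attempts that return 404 show the server is holding, while `.git/` requests answered with 200 mean the repository metadata is exposed and the web server should be configured to deny that directory.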
Top mobile malware
This month, AlienBot ranks first on the most prevalent mobile malware list, followed by FluBot and xHelper.
- AlienBot – The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to inject malicious code into legitimate financial applications. The attacker gains access to victims' accounts, and eventually takes control of the device.
- FluBot – Android botnet distributed via phishing SMS messages that mimic logistics and delivery brands. As soon as the user clicks on the link sent, FluBot is installed and has access to all sensitive information on the mobile phone.
- xHelper – Malicious Android application first seen in the wild in March 2019, used to download malicious apps and display ads. The application is able to hide itself from the user and can reinstall itself if the user uninstalls it.
Check Point Software’s Global Threat Impact Index and ThreatCloud Map are powered by the intelligence of ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobile devices. Intelligence is enriched by AI engines and unique investigation data from Check Point Research, Threat Intelligence at Check Point Software Technologies.
The full list of the top 10 malware families for April can be found on the Check Point blog.