Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for April 2022. Researchers report that Emotet, an advanced, self-propagating and modular Trojan, is still the most prevalent malware impacting 6% of organizations worldwide. Despite this, there has been movement for all other malwares in the list. Tofsee and Nanocore are out, and have been replaced by Formbook and Lokibot, now the second and sixth most prevalent malwares respectively.
Emotet’s higher score in March (10%) was mainly due to specific Easter themed scams but this month’s decrease could also be explained by Microsoft’s decision to disable specific macros associated with Office files, affecting the way that Emotet is usually delivered. In fact, there are reports that Emotet has a new delivery method; using phishing emails that contain a OneDrive URL. Emotet has many uses after it succeeds in bypassing a machine’s protections. Due to its sophisticated techniques of propagating and assimilation, Emotet also offers other malwares to cybercriminals on dark web forums including banking trojans, ransomwares, botnets, etc. As a result, once Emotet finds a breach, the consequences can vary depending on which malware was delivered after the breach was compromised.
Elsewhere in the index, Lokibot, an infostealer, has re-entered the list in sixth place after a high impact spam campaign delivering the malware via xlsx files made to look like legitimate invoices. This, and the rise of Formbook, have had a knock on effect on the position of other malwares with the advanced remote access trojan (RAT) AgentTesla, for example, dropping into third place from second.
At the end of March, critical vulnerabilities were found in Java Spring Framework, known as Spring4Shell, and since then, numerous threat actors have leveraged the threat to spread Mirai, this month’s ninth most prevalent malware.
“With the cyber threat landscape constantly evolving and with large corporations such as Microsoft influencing the parameters in which cybercriminals can operate, threat actors are having to become more creative in how they distribute malware, evident in the new delivery method now being employed by Emotet,” said Maya Horowitz, VP Research at Check Point. “In addition, this month we have witnessed the Spring4Shell vulnerability making headlines. Although it is not yet in the top ten list of vulnerabilities, it’s worth noting that over 35% of organizations worldwide have already been impacted by this threat in its first month alone, and so we expect to see it rise up the list in the coming months.”
CPR also revealed this month that Education & Research is still the most targeted industry by cybercriminals globally. “Web Server Exposed Git Repository Information Disclosure” is the most exploited vulnerability, impacting 46% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution”. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” shoots up the index, now in third place with a global impact of 45%.
Top Malware Families
*The arrows relate to the change in rank compared to the previous month.
This month Emotet is still the most popular malware impacting 6% of organizations worldwide, closely followed by Formbook which impacts 3% of organizations and AgentTesla with a global impact of 2%.
- ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used as a banking Trojan, but recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
- ↑ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors, and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↓ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook.)
Top Attacked Industries Globally
This month Education/Research is the most attacked industry globally, followed by Government/Military and Internet Service Providers & Managed Service Providers (ISP & MSP).
- Education & Research
- Government & Military
- Internet Service Providers & Managed Service Providers (ISP & MSP)
Top Exploited Vulnerabilities
This month “Web Server Exposed Git Repository Information Disclosure” is the most exploited vulnerability, impacting 46% of organizations globally, closely followed by “Apache Log4j Remote Code Execution” with a global impact of 46%. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” is now in third place in the top exploited vulnerabilities list, with a global impact of 45%.
- ↑ Web Server Exposed Git Repository Information Disclosure– An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
- ↓ Apache Log4j Remote Code Execution (CVE-2021-44228)– A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↑ Apache Struts ParametersInterceptor ClassLoader Security Bypass (CVE-2014-0094,CVE-2014-0112,CVE-2014-0113,CVE-2014-0114)– A security bypass vulnerability exists in Apache Struts. The vulnerability is due to inadequate validation of data processed by ParametersInterceptor allowing for manipulation of the ClassLoader. A remote attacker could exploit this vulnerability by providing a class parameter in a request.
Top Mobile Malwares
This month AlienBot is the most prevalent mobile malware, followed by FluBot and xHelper.
- AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, at a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.
- FluBot– FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list, as well as sending SMS messages to other phone numbers.
- xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstalling itself in case it was uninstalled.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, The Intelligence & Research Arm of Check Point Software Technologies.
The complete list of the top ten malware families in April can be found on the Check Point blog.
About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.