
Deleted malware makes a comeback – these are the most common malware in December 2023


Researchers have detected a resurgence of Qbot malware, which was discovered in phishing attempts targeting the hospitality industry. Meanwhile, the FakeUpdates downloader jumped to the top spot.

Our latest Global Threat Index for December 2023 saw researchers identify the resurgence of Qbot, four months after US and international law enforcement dismantled its infrastructure in Operation Duck Hunt in August 2023. Meanwhile, the JavaScript downloader FakeUpdates jumped to first place and education remained the most impacted industry worldwide.

Last month, Qbot was used by cybercriminals in a limited phishing campaign targeting organizations in the hospitality sector. In the campaign, researchers found that the attackers impersonated the IRS and sent malicious emails containing PDF attachments with embedded URLs linking to a Microsoft installer. Once run, the installer launched a hidden build of Qbot through an embedded Dynamic Link Library (DLL). Before its takedown in August, Qbot dominated the threat index and ranked among the top three malware families for 10 consecutive months. Although it has not yet returned to the list, the coming months will show whether it regains its former notoriety.


Meanwhile, FakeUpdates continued its rise to the top after resurfacing in late 2023, reaching number one with a global impact of 2%. Nanocore also maintained a top five position for six consecutive months, taking third place in December, with new entries from Ramnit and Glupteba.

Seeing Qbot in the wild less than four months after its distribution infrastructure was decommissioned is a reminder that while we can disrupt harmful campaigns, the actors behind them will adapt with new technologies. That's why organizations are encouraged to adopt a proactive approach to endpoint security and perform due diligence on the origin and purpose of an email.

The index also revealed that "Apache Log4j Remote Code Execution (CVE-2021-44228)" and "Web Servers Malicious URL Directory Traversal" were the most exploited vulnerabilities, impacting 46% of organizations worldwide. "Zyxel ZyWALL Command Injection (CVE-2023-28771)" followed closely with a global impact of 43%.

Popular malware families

*The arrows refer to the change in rank compared to the previous month.

FakeUpdates and Formbook were the most common malware last month, each with an impact on 2% of organizations globally, followed by Nanocore with a global impact of 1%.

  1. ↑ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes payloads to disk before launching them. FakeUpdates can lead to further compromise via additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
  2. ↓ Formbook – Formbook is an Infostealer targeting Windows OS and was first discovered in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook collects credentials from various browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as ordered by its C&C.
  3. ↑ Nanocore – Nanocore is a remote access trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT include basic plugins and features such as screenshot capture, cryptocurrency mining, remote desktop control, and webcam session theft.
  4. ↓ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with elevated privileges.
  5. ↑ AsyncRat – AsyncRat is a Trojan that targets the Windows platform. This malware sends information about the targeted system to a remote server. It receives commands from the server to download and run plugins, kill processes, uninstall/update itself, and take screenshots of the infected system.
  6. ↓ AgentTesla – AgentTesla is an advanced RAT that acts as a keylogger and information stealer. It can monitor and record the victim's keyboard input and system clipboard, take screenshots, and exfiltrate credentials belonging to a variety of software installed on the victim's computer (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client).
  7. ↑ Phorpiex – Phorpiex is a botnet (alias Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns, as well as for running large-scale spam and sextortion campaigns.
  8. ↓ NJRat – NJRat is a remote access Trojan, primarily targeting government agencies and organizations in the Middle East. The Trojan first appeared in 2012 and has several functions: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and spreads via infected USB keys or network drives, supported by Command & Control server software.
  9. ↑ Ramnit – The Ramnit Trojan is a type of malware that can exfiltrate sensitive data, including banking details, FTP passwords, session cookies, and personal data.
  10. ↑ Glupteba – Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. In 2019, it included a C&C address update mechanism through public Bitcoin lists, an integrated browser hijacking capability, and a router exploit.

Top exploited vulnerabilities

Last month, "Apache Log4j Remote Code Execution (CVE-2021-44228)" and "Web Servers Malicious URL Directory Traversal" were the most exploited vulnerabilities, affecting 46% of organizations globally, followed by "Zyxel ZyWALL Command Injection (CVE-2023-28771)" with a global impact of 43%.

  1. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  2. ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, among others) – A directory traversal vulnerability exists in various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation could allow unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  3. ↔ Zyxel ZyWALL Command Injection (CVE-2023-28771) – There is a command injection vulnerability in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands on the affected system.
  4. Command Injection over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection vulnerability over HTTP has been reported. A remote attacker could exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the targeted computer.
  5. ↑ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker could exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
  6. MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) – A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  7. ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in the WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability could allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
  8. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability, aka Heartbleed, is due to an error in the handling of TLS/DTLS heartbeat packets. An attacker could exploit this vulnerability to disclose the memory contents of a connected client or server.
  9. ↓ HTTP Headers Remote Code Execution – HTTP headers allow the client and server to send additional information with an HTTP request. A remote attacker could use a vulnerable HTTP header to execute arbitrary code on the victim's computer.
  10. D-Link Multiple Products Remote Code Execution (CVE-2015-2051) – A remote code execution vulnerability exists in several D-Link products. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
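As an added illustration of the directory traversal class described in item 2 (example code written for this page, not code from Check Point or any of the listed vendors): a file-serving path handler with exactly the flaw described, beside a hardened resolver that decodes, normalises and rejects any request that would climb above the document root, plus a small defender-side triage helper run over constructed request paths. The document root `/var/www/html` and the sample paths are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root; a constructed value for this example, not taken from the report.
WEB_ROOT = "/var/www/html"

def vulnerable_resolve(uri_path: str) -> str:
    """Flawed handler: concatenates the URI path onto the root, so '..' survives intact."""
    return WEB_ROOT + "/" + uri_path.lstrip("/")

def hardened_resolve(uri_path: str):
    """Return the on-disk path for a request, or None if it would leave WEB_ROOT."""
    decoded = uri_path
    for _ in range(3):                  # decode until stable: %2e%2e and %252e%252e -> '..'
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")  # some servers accept backslash as a separator
    if "\x00" in decoded:                 # a NUL byte would truncate the path in a C server
        return None
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:                 # climbing above the root: reject, don't clamp
                return None
            parts.pop()
        else:
            parts.append(segment)
    return posixpath.join(WEB_ROOT, *parts)

# Constructed request paths (not real traffic) to show what the hardened check rejects.
SAMPLE_REQUEST_PATHS = [
    "/index.html",
    "/../../etc/passwd",
    "/docs/%2e%2e/%2e%2e/etc/shadow",
    "/docs/../index.html",
    "/%252e%252e/%252e%252e/etc/passwd",
]

def flag_traversal_requests(paths):
    """Defender-side triage: return the request paths the hardened resolver rejects."""
    return [p for p in paths if hardened_resolve(p) is None]
```

The same resolver logic can be pointed at web server access logs to surface traversal probes; rejecting rather than silently clamping an escaping path keeps the attempt visible in the logs.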

Top mobile malware

Last month, Anubis remained in first place as the most common mobile malware, followed by AhMyth and Hiddad.

  1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was first discovered, it has gained additional features including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities, and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
  2. AhMyth – AhMyth is a Remote Access Trojan (RAT) that was discovered in 2017. It is distributed via Android apps found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS, and activating the camera, which are commonly used to steal sensitive information.
  3. Hiddad – Hiddad is Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also access important security features built into the operating system.

Top attacked industries globally

Last month, education/research remained the most targeted industry globally, followed by communications and government/military.

  1. Education/Research
  2. Communications
  3. Government/Military

Check Point's Global Threat Impact Index and its ThreatCloud map are powered by Check Point ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints, and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.
