
Deleted Malware Makes a Comeback – These Are the Most Common Malware in December 2023

Researchers have identified a resurgence of the Qbot malware, observed in phishing attempts targeting the hospitality industry. Meanwhile, the FakeUpdates downloader jumped to first place.

Our latest Global Threat Index for December 2023 saw researchers identify the resurgence of Qbot, four months after US and international law enforcement dismantled its infrastructure in Operation Duck Hunt in August 2023. Meanwhile, the JavaScript downloader FakeUpdates jumped to first place, and education remained the most affected industry worldwide.

Last month Qbot was used by cybercriminals as part of a limited phishing attack targeting organizations in the hospitality sector. In the campaign, researchers discovered that the attackers impersonated the IRS and sent malicious emails containing PDF attachments with embedded URLs linking to a Microsoft installer. Once activated, this triggered an unseen version of Qbot that exploited an embedded Dynamic Link Library (DLL). Before the takedown in August, Qbot dominated the threat index and was ranked among the three most common malicious programs for 10 consecutive months. Although it has not yet returned to the list, the coming months will determine whether it regains the notoriety it once had.


Meanwhile, FakeUpdates continued its rise to the top after re-emerging in late 2023, reaching first place with a global impact of 2%. Nanocore also held a top-five position for the sixth consecutive month, taking third place in December, and there were new entries from Ramnit and Glupteba.

Seeing Qbot in the wild less than four months after its distribution infrastructure was dismantled is a reminder that while we can disrupt harmful campaigns, the actors behind them will adapt with new technology. That's why organizations are encouraged to adopt a proactive approach to endpoint security and perform due diligence on the origin and purpose of an email.

CPR also revealed that “Apache Log4j Remote Code Execution (CVE-2021-44228)” and “Web Servers Malicious URL Directory Traversal” were the most exploited vulnerabilities, affecting 46% of organizations worldwide. “Zyxel ZyWALL Command Injection (CVE-2023-28771)” followed closely behind with a global impact of 43%.

Popular malware families

*The arrows refer to the change in rank compared to the previous month.

FakeUpdates and Formbook were the most common malware last month, each with an impact on 2% of organizations globally, followed by Nanocore with a global impact of 1%.

  1. ↑ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk before launching them. FakeUpdates can lead to further compromise via additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
  2. ↓ Formbook – Formbook is an infostealer that targets Windows OS and was first discovered in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook collects credentials from various browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as ordered by its C&C.
  3. ↑ Nanocore – Nanocore is a remote access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT include basic plugins and features such as screen capture, cryptocurrency mining, remote desktop control and webcam session theft.
  4. ↓ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
  5. ↑ AsyncRat – AsyncRat is a Trojan that targets the Windows platform. This malware sends information about the targeted system to a remote server. It receives commands from the server to download and run plugins, kill processes, uninstall/update itself and take screenshots of the infected system.
  6. ↓ AgentTesla – AgentTesla is an advanced RAT that acts as a keylogger and information stealer. It can monitor and collect the victim's keyboard input and system keyboard, take screenshots, and exfiltrate credentials from a variety of software installed on the victim's computer (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
  7. ↑ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known to distribute other malware families via spam campaigns as well as to run large-scale spam and sextortion campaigns.
  8. ↓ NJRat – NJRat is a remote access Trojan that primarily targets government agencies and organizations in the Middle East. The Trojan first appeared in 2012 and has several functions: capturing keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulation, and viewing the victim's desktop. NJRat infects victims via phishing attacks and drive-by downloads, and spreads via infected USB keys or network devices, supported by Command & Control server software.
  9. ↑ Ramnit – The Ramnit Trojan is a type of malware that exfiltrates sensitive data, ranging from bank details and FTP passwords to session cookies and personal data.
  10. ↑ Glupteba – Glupteba has been known since 2011 and is a backdoor that has gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public Bitcoin lists, an integrated browser-stealing capability and a router exploit.

Top Exploited Vulnerabilities

Last month, “Apache Log4j Remote Code Execution (CVE-2021-44228)” and “Web Servers Malicious URL Directory Traversal” were the most exploited vulnerabilities, affecting 46% of organizations globally, followed by “Zyxel ZyWALL Command Injection (CVE-2023-28771)” with a global impact of 43%.

  1. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  2. ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  3. ↔ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in the Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands on the affected system.
  4. Command Injection over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection vulnerability over HTTP has been reported. A remote attacker could exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  5. ↑ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker could exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
  6. MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) – A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  7. ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in the WordPress portable-phpMyAdmin plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
  8. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability, aka Heartbleed, is due to an error in the handling of TLS/DTLS heartbeat packets. An attacker could exploit this vulnerability to expose the memory contents of a connected client or server.
  9. ↓ HTTP Headers Remote Code Execution – HTTP headers allow the client and server to send additional information with an HTTP request. A remote attacker could use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
  10. D-Link Multiple Products Remote Code Execution (CVE-2015-2051) – A remote code execution vulnerability exists in several D-Link products. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
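As an added illustration of the input-validation gap that item 2 describes (this is example code written for this article, not code from Check Point or from any of the products listed), the following Python maps a request URI onto a document root and rejects traversal patterns, including percent-encoded, double-encoded and backslash variants. The document root and the sample request paths are constructed for the example.

```python
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Assumed document root; constructed for this example, not from the article.
WEB_ROOT = PurePosixPath("/var/www/html")


def decode_fully(uri_path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '%252e%252e' is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(uri_path)
        if decoded == uri_path:
            break
        uri_path = decoded
    return uri_path


def resolve_request_path(uri_path: str,
                         web_root: PurePosixPath = WEB_ROOT) -> Optional[PurePosixPath]:
    """Map a request path onto web_root lexically; None if it would escape the root."""
    decoded = decode_fully(uri_path).replace("\\", "/")  # backslash counts as a separator
    if "\x00" in decoded:                                # NUL-byte truncation trick
        return None
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:        # climbing above the root: the traversal itself
                return None
            parts.pop()
        else:
            parts.append(segment)
    candidate = web_root.joinpath(*parts)
    # Defence in depth: the result must still lie at or under the root.
    if candidate != web_root and web_root not in candidate.parents:
        return None
    return candidate


# Constructed sample requests: two benign paths, then traversal patterns
# (plain, percent-encoded, double-encoded, backslash) a vulnerable server lets through.
SAMPLE_REQUEST_PATHS = ["/index.html", "/images/../index.html", "/../../etc/passwd",
                        "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd",
                        "/static/..\\..\\windows\\win.ini"]


def classify(paths):
    """Return {request: resolved path or 'blocked'} for each request path."""
    return {p: (str(r) if (r := resolve_request_path(p)) else "blocked") for p in paths}
```

Running `classify(SAMPLE_REQUEST_PATHS)` resolves the two benign requests under the root and reports every traversal variant as blocked; the lexical check runs before any file is opened, which is the step the vulnerable servers skip.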

Top malware for mobile

Last month, Anubis remained in first place as the most common mobile malware, followed by AhMyth and Hiddad.

  1. Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since it was first discovered, it has gained additional features including Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been detected in hundreds of different applications available in the Google Store.
  2. AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps available on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which are commonly used to steal sensitive information.
  3. Hiddad – Hiddad is an Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.

Top attacked industries globally

Last month, education/research remained the most targeted industry globally, followed by communications and government/military.

  1. Education & Research
  2. Communications
  3. Government/Military

Check Point's Global Threat Impact Index and its ThreatCloud Map are powered by Check Point's ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.
