Emotet continued its reign as the most popular malware, impacting 10% of organisations worldwide, double that of February, according to the Global Threat Index for March 2022 from Check Point Research (CPR).

Emotet is an advanced, self-propagating and modular trojan that uses multiple methods for maintaining persistence and evasion techniques to avoid detection. Since its return in November last year and the recent news that Trickbot has shut down, Emotet has been strengthening its position as the most prevalent malware.

This was solidified even further this month as many aggressive email campaigns have been distributing the botnet, including various Easter-themed phishing scams exploiting the buzz of the festivities. These emails were sent to victims all over the world with one such example using the subject “buona pasqua, happy easter” yet attached to the email was a malicious XLS file to deliver Emotet.

This month, Agent Tesla, the advanced RAT functioning as a keylogger and information stealer, is the second most prevalent malware, after appearing fourth in last month’s index. Agent Tesla’s rise is due to several new mal-spam campaigns delivering the RAT via malicious xlsx/pdf files worldwide. Some of these campaigns have leveraged the Russia/Ukraine war to lure victims.

“Technology has advanced in recent years to such a point where cybercriminals are increasingly having to rely on human trust in order to get through to a corporate network,” says Maya Horowitz, vice-president: research at Check Point Software. “By theming their phishing emails around seasonal holidays such as Easter, they are able to exploit the buzz of the festivities and lure victims into downloading malicious attachments that contain malwares such as Emotet.

“In the run up to the Easter weekend, we expect to see more of these scams and urge users to pay close attention, even if the email looks like it’s from a reputable source. Easter isn’t the only public holiday and cybercriminals will continue to deploy the same tactics to inflict harm.

“This month we also observed Apache Log4j becoming the number one most exploited vulnerability again. Even after all the talk about this vulnerability at the end of last year, it is still causing harm months after the initial detection. Organisations need to take immediate action to prevent attacks from happening.”

CPR also revealed this month that the Education/Research is still the number one most attacked industry globally, followed by Government/Military and Internet Service Providers/Managed Service Providers (ISP/MSP). “Web Server Exposed Git Repository Information Disclosure” is now the second most commonly exploited vulnerability, impacting 26% of organizations worldwide, while “Apache Log4j Remote Code Execution” takes the top spot, impacting 33% of organizations. “HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756)” keeps a hold of third place with a global impact of 26%.


Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

This month, Emotet is still the most popular malware globally with a global impact of 10% of organisations worldwide, followed by Agent Tesla and XMRig both impacting 2% of organisations each.

In South Africa, Phorpiex is still the most popular malware with a country impact of 3.17% affecting organisations in the country, followed by Ramnit and Emotet both impacting 2.86% of organisations each.

  1. ↔ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
  2. ↑ Ramnit– Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
  3. ↑ Emotet – Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan, and currently distributes other malware or malicious campaigns. Emotet uses multiple methods for maintaining persistence and evasion techniques to avoid detection and can be spread via phishing spam emails containing malicious attachments or links.


Top Attacked Industries Globally

This month ISP/MSP is the number one most attacked industry in Africa, followed by Communications and Government/Military.

  1. ISP/MSP
  2. Communications
  3. Government/Military


Top Exploited Vulnerabilities

This month “Apache Log4j Remote Code Execution” is the most commonly exploited vulnerability, impacting 33% of organizations globally, followed by “Web Server Exposed Git Repository Information Disclosure” which dropped from first place to second place and impacts 26% of organizations worldwide. “HTTP Headers Remote Code Execution” is still in third place in the top exploited vulnerabilities list, with a global impact of 26%.

  1. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  2. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  3. HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.


Top Mobile Malwares

This month AlienBot is the most prevalent mobile malware, followed by xHelper and FluBot.

  1. AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, at a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.
  2. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstalling itself if uninstalled.
  3. FluBot– FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading contact lists, as well as sending SMS messages to other phone numbers.