Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies has published its latest Global Threat Index for April 2022. Researchers report that.

Emotet, an advanced, self-propagating and modular Trojan, is still the most prevalent malware, impacting 6% of organisations worldwide, according to the Check Point Research (CPR) Global Threat Index for April 2022.

Despite this, there has been movement for all other malwares in the list. Tofsee and Nanocore are out, and have been replaced by Formbook and Lokibot, now the second and sixth most prevalent malwares respectively.

Emotet’s higher score in March (10%) was mainly due to specific Easter themed scams but this month’s decrease could also be explained by Microsoft’s decision to disable specific macros associated with Office files, affecting the way that Emotet is usually delivered. In fact, there are reports that Emotet has a new delivery method; using phishing emails that contain a OneDrive URL.

Emotet has many uses after it succeeds in bypassing a machine’s protections. Due to its sophisticated techniques of propagating and assimilation, Emotet also offers other malwares to cybercriminals on dark web forums including banking trojans, ransomwares, botnets, etc.

As a result, once Emotet finds a breach, the consequences can vary depending on which malware was delivered after the breach was compromised.

Elsewhere in the index, Lokibot, an infostealer, has re-entered the list in sixth place after a high impact spam campaign delivering the malware via xlsx files made to look like legitimate invoices. This, and the rise of Formbook, have had a knock on effect on the position of other malwares with the advanced remote access trojan (RAT) AgentTesla, for example, dropping into third place from second.

At the end of March, critical vulnerabilities were found in Java Spring Framework, known as Spring4Shell, and since then, numerous threat actors have leveraged the threat to spread Mirai, this month’s ninth most prevalent malware.

“With the cyber threat landscape constantly evolving and with large corporations such as Microsoft influencing the parameters in which cybercriminals can operate, threat actors are having to become more creative in how they distribute malware, evident in the new delivery method now being employed by Emotet,” says Maya Horowitz, vice-president: research at Check Point. “In addition, this month we have witnessed the Spring4Shell vulnerability making headlines.

“Although it is not yet in the top ten list of vulnerabilities, it’s worth noting that over 35% of organizations worldwide have already been impacted by this threat in its first month alone, and so we expect to see it rise up the list in the coming months.”

CPR also revealed this month that Education & Research is still the most targeted industry by cybercriminals globally. “Web Server Exposed Git Repository Information Disclosure” is the most exploited vulnerability, impacting 46% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution”. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” shoots up the index, now in third place with a global impact of 45%.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

This month Emotet is still the most popular malware impacting 6% of organizations worldwide, closely followed by Formbook which impacts 3% of organizations and AgentTesla with a global impact of 2%.

This month in South Africa, Emotet is still the most popular malware impacting 4,12% of organizations in the country, followed by Wacatac at 3,78% and Ramnit at 3,44%.

1. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used as a banking Trojan, but recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.

2. ↑ Wacatac – Wactac is a Trojan threat that locks files but doesn’t encrypt files like typical Ransomware. When Wactac infiltrates the user’s system it changes the names of target files by adding a “”.wctw”” extension.The lack of ability to encrypt data makes this threat reversible. Usually, Wactac is proliferated by spam email campaigns and fake software.

3. ↓ Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.

Top Attacked Industries Globally

This month ISP/MSP is the most attacked industry in Africa, followed by Communications and Government/Military.

Top Exploited Vulnerabilities

This month “Web Server Exposed Git Repository Information Disclosure” is the most exploited vulnerability, impacting 46% of organizations globally, closely followed by “Apache Log4j Remote Code Execution” with a global impact of 46%. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” is now in third place in the top exploited vulnerabilities list, with a global impact of 45%.

1. ↑ Web Server Exposed Git Repository Information Disclosure- An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.

2. ↓ Apache Log4j Remote Code Execution (CVE-2021-44228)- A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

3. ↑ Apache Struts ParametersInterceptor ClassLoader Security Bypass (CVE-2014-0094,CVE-2014-0112,CVE-2014-0113,CVE-2014-0114)- A security bypass vulnerability exists in Apache Struts. The vulnerability is due to inadequate validation of data processed by ParametersInterceptor allowing for manipulation of the ClassLoader. A remote attacker could exploit this vulnerability by providing a class parameter in a request.

Top Mobile Malwares

This month AlienBot is the most prevalent mobile malware, followed by FluBot and xHelper.

1. AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, at a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.

2. FluBot- FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list, as well as sending SMS messages to other phone numbers.

3. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstalling itself in case it was uninstalled.