Last month saw the Remcos Trojan return to the Top 10 list for the first time since December 2022 after it was reported being used by threat actors to target Ukranian government entities through phishing attacks, according to Check Point’s latest Global Threat Index for February.
Meanwhile, Emotet Trojan and Formbook Infostealer climbed the ranking taking second and third place respectively, while Education/Research remained the most targeted industry.
Despite researchers identifying a 44% decrease in the average number of weekly attacks per organisation between October 2022 and February 2023, Ukraine remains a popular target for cybercriminals following the Russian invasion.
In the most recent campaign, attackers impersonated Ukrtelecom JSC in a mass email distribution using a malicious RAR attachment to spread the Remcos Trojan, which has returned to the top malware list for the first time since October 2022. Once installed, the tool opens a backdoor on the compromised system allowing full access to the remote user for activities such as data exfiltration and command execution. The ongoing attacks are believed to be linked to cyberespionage operations due to the behaviour patterns and offensive capabilities of the incidents.
“While there has been a decrease in the number of politically motivated attacks on Ukraine they remain a battleground for cybercriminals,” says Maya Horowitz, vice-president: research at Check Point Software. “Hacktivism has typically been high on the agenda for threat actors since the Russo-Ukrainian war began and most have favoured disruptive attack methods such as DDoS to garner the most publicity.
“However, the latest campaign used a more traditional route of attack, using phishing scams to obtain user information and extract data,” she adds. “It’s important that all organisations and government bodies follow safe security practices when receiving and opening emails. Do not download attachments without scanning the properties first. Avoid clicking on links within the body of the email and check the sender address for any abnormalities such as additional characters or misspellings.”
Check Point also revealed that “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 47% of organisations globally. This was followed by “Web Server Exposed Git Repository Information Disclosure” which impacted 46% of organisations worldwide, while “Apache Log4j Remote Code Execution” is the third most used vulnerability, with a global impact of 45%.
Top malware families
Globally, Qbot was the most prevalent malware last month with an impact of more than 7% on worldwide organisations, followed by Formbook at 5% and Emotet with 4%.
In South Africa, Qbot was the most widespread malware this month impacting 9,22% of organisations in the country, followed by NanoCore with 5,12% and Hiddad with 2,73%.
* Qbot – Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
* NanoCore – NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
* Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
Top attacked industries
Last month, Education/Research remained the most attacked industry globally, followed by Government/Military and then Healthcare.
Top exploited vulnerabilities
Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 47% of organisations globally. This was followed by “Web Server Exposed Git Repository Information Disclosure” which impacted 46% of organisations worldwide while “Apache Log4j Remote Code Execution” is the third most used vulnerability, with a global impact of 45%.
↑ Web Servers Malicious URL Directory Traversal – There exists a directory traversal vulnerability on different Web servers. The vulnerability is due to an input validation error in a Web server that does not properly sanitise the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
Top mobile malwares
Last month Anubis remained the most prevalent mobile malware, followed by Hiddad and AhMyth.
* Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities, and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
* Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
* AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera.