Deleted malware makes a comeback: Most common threats in December 2023

Researchers have detected a resurgence of the Qbot malware, uncovered in phishing attempts targeting the hospitality sector. At the same time, the JavaScript downloader FakeUpdates rose to the top of the list.

In our latest Global Threat Index for December 2023, researchers identified Qbot’s comeback just four months after U.S. and international law enforcement dismantled its infrastructure during Operation Duck Hunt in August 2023. Meanwhile, the JavaScript downloader FakeUpdates climbed to first place, and the education sector remained the most impacted industry worldwide.

Last month, cybercriminals used Qbot in a limited phishing campaign aimed at organizations in the hotel industry. Researchers observed attackers impersonating the IRS and sending malicious emails containing PDF attachments with embedded links to a Microsoft installation executable. When executed, the installer triggered a stealthy Qbot instance that loaded via an embedded Dynamic Link Library (DLL). Before the takedown in August, Qbot dominated threat rankings and was among the top three malware families for ten consecutive months. Although it has not yet reappeared on the list, the coming months will determine whether it regains its former prominence.


At the same time, FakeUpdates continued its ascent after resurfacing late in 2023, reaching the top position with a global impact on 2% of organizations. Nanocore retained a top-five spot for the sixth consecutive month and placed third in December. Ramnit and Glupteba were new entries in the rankings.

Seeing Qbot active in the wild less than four months after its distribution infrastructure was dismantled serves as a reminder that while disruptive operations can break malicious campaigns, the actors behind them adapt and evolve their techniques. Organizations are therefore encouraged to adopt a preventive approach to endpoint security and to exercise due diligence when assessing the origin and intent of suspicious emails.

The report also revealed that “Apache Log4j Remote Code Execution (CVE-2021-44228)” and “Web Servers Malicious URL Directory Traversal” were the most exploited vulnerabilities, affecting 46% of organizations globally. “Zyxel ZyWALL Command Injection (CVE-2023-28771)” followed closely with a global impact of 43%.

Popular malware families

*Arrows indicate rank change compared to the previous month.

FakeUpdates and Formbook were the most prevalent malware families last month, each impacting 2% of global organizations, followed by Nanocore with a global impact of 1%.

  1. ↑ FakeUpdates – FakeUpdates (also known as SocGholish) is a JavaScript-based downloader. It writes payloads to disk before executing them. FakeUpdates can facilitate further compromise by delivering additional malware such as GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.
  2. ↓ Formbook – Formbook is an information-stealing malware targeting Windows, first observed in 2016. Marketed as Malware-as-a-Service (MaaS) in underground forums because of its evasion techniques and low cost, Formbook harvests credentials from multiple browsers, captures screenshots, logs keystrokes and can download and execute files on command from its C2 infrastructure.
  3. ↑ Nanocore – Nanocore is a remote access Trojan (RAT) aimed at Windows systems, first seen in 2013. Variants of the RAT include core plugins and features such as screenshot capture, crypto-mining, remote desktop control and webcam session theft.
  4. ↓ Remcos – Remcos is a RAT that emerged in 2016. It propagates via malicious Microsoft Office documents attached to spam emails and is designed to bypass Windows UAC and execute malware with elevated privileges.
  5. ↑ AsyncRat – AsyncRat is a Trojan for Windows platforms that reports system information to a remote server and accepts commands to download and run plugins, terminate processes, update or uninstall itself, and take screenshots of the infected machine.
  6. ↓ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, able to monitor and collect victim keystrokes, capture screenshots and exfiltrate credentials from a variety of installed applications (including Google Chrome, Mozilla Firefox and Microsoft Outlook).
  7. ↑ Phorpiex – Phorpiex (aka Trik) is a botnet active since 2010 that once controlled over a million infected hosts. It is known for distributing other malware families via spam campaigns and for conducting large-scale spam and sextortion operations.
  8. ↓ NJRat – NJRat is a remote access Trojan that has targeted government entities and organizations in the Middle East. First observed in 2012, it offers keylogging, camera access, credential theft from browsers, file upload/download capabilities, process manipulation and desktop monitoring. NJRat spreads via phishing, drive-by downloads and removable media, supported by C2 server infrastructure.
  9. ↑ Ramnit – Ramnit is a trojan capable of exfiltrating sensitive data, including banking credentials, FTP passwords, session cookies and personal information.
  10. ↑ Glupteba – Glupteba, known since 2011, began as a backdoor and evolved into a botnet. In 2019 it incorporated a C2 address update mechanism using public Bitcoin lists, integrated browser-stealing capabilities and router exploitation modules.

Top exploited vulnerabilities

Last month, Apache Log4j Remote Code Execution (CVE-2021-44228) and Web Servers Malicious URL Directory Traversal were the most exploited vulnerabilities, impacting 46% of organizations globally, followed by Zyxel ZyWALL Command Injection (CVE-2023-28771) with a global effect of 43%.

  1. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability in Apache Log4j. Successful exploitation allows a remote attacker to execute arbitrary code on the affected system.
  2. ↔ Web Servers Malicious URL Directory Traversal (various CVEs) – Directory traversal vulnerabilities in various web servers arise from improper input validation that fails to sanitize URIs containing traversal patterns. Successful exploitation enables unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  3. ↔ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability in Zyxel ZyWALL. Successful exploitation allows remote attackers to execute arbitrary operating system commands on the affected device.
  4. ↓ Command Injection over HTTP (CVE-2021-43936, CVE-2022-24086) – HTTP-based command injection vulnerabilities allow an attacker to send crafted requests to a target. Successful exploitation enables execution of arbitrary code on the victim machine.
  5. ↑ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability affecting PHP pages, caused by incorrect web server configuration. An attacker can exploit this by sending a crafted URL to an affected PHP page.
  6. ↑ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) – A remote code execution vulnerability in MVPower CCTV DVR devices. Successful exploitation permits a remote attacker to execute arbitrary code on the affected system.
  7. ↓ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability in the WordPress portable-phpMyAdmin plugin. Successful exploitation allows remote attackers to obtain sensitive information and gain unauthorized access to affected systems.
  8. ↑ OpenSSL TLS/DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346) – Known as Heartbleed, this information disclosure vulnerability in OpenSSL stems from improper handling of TLS/DTLS heartbeat packets. An attacker can exploit it to reveal memory contents of a connected client or server.
  9. ↓ HTTP Headers Remote Code Execution – Vulnerable HTTP headers can allow a remote attacker to execute arbitrary code on a victim’s machine by abusing how additional header data is processed.
  10. ↑ D-Link Multiple Products Remote Code Execution (CVE-2015-2051) – A remote code execution vulnerability affecting multiple D-Link products. Successful exploitation allows a remote attacker to execute arbitrary code on affected devices.
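As an added illustration of the directory traversal entry above (this is example code, not part of the Check Point report), the following Python routine flags web requests whose URI, after repeated percent-decoding, would climb above the document root; the access-log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not taken from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [01/Dec/2023:10:00:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [01/Dec/2023:10:00:03 +0000] "GET /img/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
203.0.113.11 - - [01/Dec/2023:10:00:04 +0000] "GET /docs/%252e%252e/%252e%252e/win.ini HTTP/1.1" 200 90
203.0.113.13 - - [01/Dec/2023:10:00:05 +0000] "GET /a/b/../c.html HTTP/1.1" 200 77
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

def canonical_path(raw_path: str) -> str:
    """Strip the query string, percent-decode repeatedly (so %252e%252e,
    a double-encoded '..', is caught) and treat backslashes as separators."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):                      # bounded loop: stop when stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_webroot(raw_path: str) -> bool:
    """True when '..' segments would climb above the document root.
    Walk the segments tracking depth; a benign '/a/b/../c' never goes negative."""
    depth = 0
    for seg in canonical_path(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def flag_traversal(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_path) for every request that escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_webroot(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Note that a request is flagged only when the traversal actually leaves the root, so a legitimate `/a/b/../c.html` is not reported while the single- and double-encoded variants are.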

Top mobile malware

Last month, Anubis remained the most common mobile malware, followed by AhMyth and Hiddad.

  1. Anubis – Anubis is an Android banking Trojan that has expanded to include remote access Trojan (RAT) capabilities, a keylogger, audio recording and various ransomware-like functions. It has been found embedded in hundreds of malicious applications distributed via app stores.
  2. AhMyth – AhMyth is an Android RAT first observed in 2017. Distributed through malicious Android apps hosted on app stores and websites, these apps can exfiltrate sensitive information and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera to steal data.
  3. Hiddad – Hiddad is Android malware that repackages legitimate apps and releases them through third-party stores. Its primary goal is ad fraud, but it can also access key system-level information and permissions.

Most attacked industries globally

Last month, education and research remained the most targeted sector worldwide, followed by communications and government/military.

  1. Education/Research
  2. Communications
  3. Government/Military

Check Point’s Global Threat Impact Index and its ThreatCloud map are powered by Check Point’s ThreatCloud intelligence. ThreatCloud delivers real-time threat intelligence from hundreds of millions of sensors around the world across networks, endpoints and mobile devices. This intelligence is enriched by AI-driven engines and exclusive research from Check Point Research, the intelligence and research arm of Check Point Software Technologies.