2025-04-03 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 11/24 Report
Check Point Research reports that the remote access Trojan Remcos climbed four places on the back of widely distributed malicious downloaders, while the Anubis mobile malware replaced SpinOk at the top of the mobile malware list.
In August 2023, Check Point Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions, released its Global Threat Index for July 2023. Researchers found that Remcos rose to third place last month after attackers set up fake websites to distribute malicious downloaders that carried the remote access Trojan. At the same time, the mobile banking Trojan Anubis replaced SpinOk at the top of the mobile malware list, and education/research was the most targeted industry.
Remcos is a remote access Trojan (RAT) first seen in 2016 that is usually distributed through malicious Microsoft Office documents or downloaders. It was recently observed in a campaign built around the Fruity downloader: victims are tricked into downloading Fruity, which in turn installs RATs such as Remcos. Remcos is notorious for giving attackers remote access to victim systems, stealing sensitive information and credentials, and carrying out further malicious activity on users' computers.
"This time of year is the best time for cyber criminals to stir up trouble," said Maya Horowitz, vice president of research at Check Point Software Technologies. "As many corporate employees are on vacation and fewer employees are on duty, threat monitoring and risk defense capabilities will be affected accordingly. In addition to enhancing user security awareness, the introduction of automated comprehensive security processes can help companies do a good job in security during peak vacation periods."
CPR also noted that "Web Servers Malicious URL Directory Traversal" was the most frequently exploited vulnerability, affecting 49 per cent of organizations worldwide, followed by "Apache Log4j Remote Code Execution", affecting 45 per cent of organizations, and "HTTP Headers Remote Code Execution", with a global impact of 42 per cent.
Top malware families
* The arrow indicates the change in ranking compared to the previous month.
Qbot is the most rampant malware this month, affecting 5 per cent of organizations worldwide, followed by Formbook and Remcos, affecting 4 per cent and 2 per cent of global companies and institutions, respectively.
Qbot - Qbot (aka Qakbot) is multipurpose malware first seen in 2008. It steals user credentials, records keystrokes, steals cookies from browsers, spies on banking activity and deploys additional malware. Qbot is usually distributed through spam and uses a range of anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection. Since 2022 it has been one of the most prevalent Trojans.
↑ Formbook - Formbook is an information stealer targeting the Windows operating system, first seen in 2016. Because of its strong evasion techniques and relatively low price, it is sold as malware-as-a-service (MaaS) on underground hacker forums. Formbook harvests credentials from a variety of web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files on instruction from its C&C server.
↑ Remcos - Remcos is a remote access Trojan first seen in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
Top exploited vulnerabilities
Last month, "Web Servers Malicious URL Directory Traversal" was the most frequently exploited vulnerability, affecting 49 per cent of organizations worldwide, followed by "Apache Log4j Remote Code Execution", affecting 45 per cent of organizations, and "HTTP Headers Remote Code Execution", with a global impact of 42 per cent.
Web Servers Malicious URL Directory Traversal - A directory traversal vulnerability exists on various web servers. The flaw is an input validation error: the web server does not properly sanitize the request URI for directory traversal patterns (such as "../" segments, including their URL-encoded forms). An unauthenticated remote attacker can exploit it to disclose or access arbitrary files on the vulnerable server.
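The traversal flaw described above, as an added example that is not Check Point's code and is not part of the original report: a naive URI-to-file mapping next to a hardened one that normalizes the path and confines it to the web root, plus a small detector run over constructed access-log lines. The web root, file names and request lines are assumptions made for the example, and the path logic works on strings only so it runs offline.

```python
"""Directory traversal: vulnerable vs. hardened URI-to-path mapping, plus detection.

Added example (not Check Point's code). WEB_ROOT and all sample requests are
constructed for illustration; nothing here touches the real filesystem.
"""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed web root for the example


def vulnerable_resolve(web_root: str, uri_path: str) -> str:
    """Naive mapping: decode the URI once and append it to the web root.
    Nothing rejects '..' segments, so normalization walks out of web_root."""
    return posixpath.normpath(posixpath.join(web_root, unquote(uri_path).lstrip("/")))


def hardened_resolve(web_root: str, uri_path: str):
    """Decode once (as the server would), reject NUL bytes, normalize, then
    require the result to stay inside web_root. Returns None when the request
    must be refused. A real handler would additionally apply os.path.realpath
    to the candidate before opening it, so symlinks cannot escape the root."""
    decoded = unquote(uri_path)
    if "\x00" in decoded:
        return None  # embedded NUL: classic trick to truncate extension checks
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # normalized path left the web root
    return candidate


def is_traversal_attempt(uri: str) -> bool:
    """Flag a URI containing a '..' path segment in raw, single- or
    double-URL-encoded form (attackers probe for servers that decode twice)."""
    layers = [uri]
    for _ in range(2):  # peel up to two layers of percent-encoding
        layers.append(unquote(layers[-1]))
    segment = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
    return any(segment.search(layer) for layer in layers)


# Constructed sample access-log entries (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2023:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jul/2023:10:15:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 162',
    '198.51.100.7 - - [02/Jul/2023:10:15:03 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 162',
    '198.51.100.7 - - [02/Jul/2023:10:15:04 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 162',
    '10.0.0.8 - - [02/Jul/2023:10:15:05 +0000] "GET /docs/..hidden/readme.txt HTTP/1.1" 200 90',
]

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')


def flag_traversal_requests(log_lines):
    """Return (source_ip, uri) for every request whose URI looks like traversal."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("uri")):
            hits.append((m.group("src"), m.group("uri")))
    return hits


if __name__ == "__main__":
    evil = "/static/../../../../etc/passwd"
    print("vulnerable ->", vulnerable_resolve(WEB_ROOT, evil))
    print("hardened   ->", hardened_resolve(WEB_ROOT, evil))
    for src, uri in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {src}: {uri}")
```

The hardened resolver decodes exactly once, which is why the double-encoded request resolves to a harmless literal "%2e%2e" segment inside the root, while the detector inspects two decoding layers so that probes aimed at double-decoding servers are still logged. The "..hidden" entry is kept as a control: a name that merely starts with two dots is not a traversal segment and should not be flagged.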
Apache Log4j remote Code execution (CVE-2021-44228)-A remote code execution vulnerability present in Apache Log4j. A remote attacker can exploit this vulnerability to execute arbitrary code on the affected system.
HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers let the client and server pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to run arbitrary code on the victim machine.
Top mobile malware
Last month, Anubis topped the list of the most rampant mobile malware, followed by SpinOk and AhMyth.
Anubis - Anubis is a banking Trojan designed for Android phones. Since it was first detected it has gained additional capabilities, including remote access Trojan (RAT) functionality, keylogging, audio recording and various ransomware features. The banking Trojan has been detected in hundreds of different apps offered on the Google Play Store.
SpinOk - SpinOk is an Android software module that operates as spyware: it collects information about files stored on the device and sends it to the attacker. As of May 2023 the malicious module had been found in more than 100 Android applications with more than 421 million downloads in total.
AhMyth - AhMyth is a remote access Trojan (RAT) discovered in 2017, distributed through Android apps on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which are typically used to steal sensitive information.
Check Point's Global Threat Impact Index and its ThreatCloud Map are based on Check Point ThreatCloud intelligence data. ThreatCloud provides real-time threat intelligence from hundreds of millions of sensors deployed on networks, endpoints and mobile devices worldwide. This intelligence is further enriched by AI-based engines and exclusive research data from Check Point Research, the intelligence and research division of Check Point Software Technologies.
About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and to the wider intelligence community. The research team collects and analyzes global cyber attack data stored in ThreatCloud to keep hackers at bay while ensuring that all Check Point products are updated with the latest protections. The team of more than 100 analysts and researchers also works with other security vendors, law enforcement agencies and various computer security emergency response teams.