September 2023 number one malware: Remcos is rampant, Formbook leaps to the top of the list

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 11/24 Report

After the Qbot takedown in August, Formbook became the most prevalent malware

In October 2023, Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions worldwide, released its Global Threat Index report for September 2023. Researchers reported a new covert phishing campaign against Colombian companies designed to quietly distribute the Remcos remote access Trojan (RAT). Meanwhile, following the Qbot takedown, Formbook became the most prevalent malware, and education remained the most targeted industry.

In September, Check Point Research uncovered a large-scale phishing campaign against more than 40 well-known companies across multiple industries in Colombia, aimed at covertly installing Remcos RAT on victims' computers. Remcos, the second most prevalent malware in September, is a sophisticated, multi-purpose RAT that gives an attacker full control of an infected machine and can be used for a wide range of attacks. Typical consequences of a Remcos infection include data theft, follow-on infections and account takeover.

After law enforcement dismantled the Qbot botnet in August, Qbot dropped off the top malware list entirely last month, ending its period of dominance: Qbot had led the malware rankings for most of 2023.

"This attack found in Colombia gives us a glimpse into the complex evasion techniques used by attackers," said Maya Horowitz, Vice President of Research at Check Point Software Technologies. "It also illustrates the intrusive capabilities of these techniques and why we need to use cyber resilience to prevent all types of attacks."

Check Point Research (CPR) also noted that "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability last month, affecting 47% of organisations worldwide, followed by "Command Injection Over HTTP" and "Zyxel ZyWALL Command Injection", which affected 42% and 39% of organisations worldwide, respectively.

Top malware families

* The arrow indicates the change in ranking compared to the previous month.

1. ↑ Formbook - Formbook is an infostealer targeting the Windows operating system, first detected in 2016. Because of its strong evasion techniques and relatively low price, it is sold as malware-as-a-service (MaaS) on underground hacking forums. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files on instruction from its C&C (command-and-control) server.

2. ↑ Remcos - Remcos is a remote access Trojan (RAT) that first appeared in 2016. It is distributed through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC and run malware with elevated privileges.

3. ↑ Emotet - Emotet is an advanced, self-propagating modular Trojan. Originally a banking Trojan, it has more recently been used as a distributor for other malware and malicious campaigns. It uses multiple methods and evasion techniques to maintain persistence and avoid detection, and it spreads through phishing spam emails containing malicious attachments or links.

Most exploited vulnerabilities

Last month, "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, affecting 47% of organisations worldwide, followed by "Command Injection Over HTTP" and "Zyxel ZyWALL Command Injection", which affected 42% and 39% of organisations worldwide, respectively.

1. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists on various web servers. The flaw is an input validation error: the server does not properly sanitise the request URI for directory traversal patterns (such as "../" and its URL-encoded forms) before mapping it to a file. An unauthenticated remote attacker can exploit it to disclose or access arbitrary files on the vulnerable server.

2. Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) - A command injection over HTTP vulnerability has been reported. A remote attacker can exploit it by sending a specially crafted request to the victim; successful exploitation allows the attacker to execute arbitrary code on the target machine.

3. ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) - A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation allows a remote attacker to execute arbitrary operating system commands on the affected system.
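As an added illustration (example code written for this page, not taken from Check Point's report or from any of the affected products), the following shows the two input-handling mistakes behind the first two vulnerability classes above: a path resolver that lets "../" and its URL-encoded forms walk out of the document root, and a handler that interpolates an HTTP parameter into a shell command line, each beside a hardened version. The document root /srv/www, the function names and the sample requests are assumptions constructed for the demo; the paths need not exist on disk for the checks to run.

```python
"""
Added example, not code from the page or from Check Point: the two input-
validation failures behind the "directory traversal" and "command injection"
classes listed above, each beside a hardened version. The document root,
function names and sample requests are constructed for illustration.
"""
import os
import re
from typing import List, Optional
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root; need not exist for the checks below


# --- 1. Directory traversal: decoded URI glued onto the document root ---------

def resolve_vulnerable(docroot: str, uri_path: str) -> str:
    """Decodes once, then concatenates. No check for '..': the request
    '/../../etc/passwd' resolves to a file outside docroot."""
    return docroot + unquote(uri_path)


def escapes(docroot: str, resolved: str) -> bool:
    """True if a resolved path normalises to somewhere outside docroot."""
    return os.path.commonpath([docroot, os.path.normpath(resolved)]) != docroot


def resolve_hardened(docroot: str, uri_path: str) -> Optional[str]:
    """Decode, refuse parent references, then confirm the *resolved* path is
    still under docroot. Returns None for any request that must be refused."""
    # Decode twice so %252e%252e (double-encoded '..') is seen as '..'
    decoded = unquote(unquote(uri_path))
    # NUL truncates C strings; backslash is a path separator on Windows servers
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Refuse any '..' component outright rather than trying to "clean" it
    if ".." in decoded.split("/"):
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath follows symlinks, so a link inside docroot that points outside
    # is caught by this containment check as well
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# --- 2. Command injection: HTTP parameter interpolated into a shell line ------

# Hostname allow-list: alphanumerics, dots and hyphens; the first character may
# not be '-', so the value can never be parsed as an option by the program run.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def ping_vulnerable(host: str) -> str:
    """Returns the command line a naive handler would hand to
    subprocess.run(..., shell=True). Metacharacters in `host` become code."""
    return f"ping -c 1 {host}"


def ping_hardened(host: str) -> Optional[List[str]]:
    """Allow-list the value, then build an argv list. With no shell parsing
    the string there is nothing to inject into; None means 'reject request'."""
    if not HOST_RE.fullmatch(host):
        return None
    return ["ping", "-c", "1", host]


def demo() -> None:
    # Constructed requests of the kind an IPS sensor would count as attempts
    for uri in ["/index.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/%252e%252e/etc/passwd"]:
        raw = resolve_vulnerable(DOCROOT, uri)
        print(f"{uri:38} vulnerable -> {os.path.normpath(raw)}"
              f" (escapes={escapes(DOCROOT, raw)})")
        print(f"{'':38} hardened   -> {resolve_hardened(DOCROOT, uri)}")
    for host in ["example.com", "8.8.8.8; cat /etc/passwd", "$(id)", "-h"]:
        print(f"{host!r:28} vulnerable -> {ping_vulnerable(host)!r}")
        print(f"{'':28} hardened   -> {ping_hardened(host)}")


if __name__ == "__main__":
    demo()
```

Two points worth noting from running it: the single-decode resolver is not fooled by the double-encoded request, but a server that decodes the URI a second time during file mapping would be, which is why the hardened version decodes twice before checking; and for the shell case the fix is not quoting but removing the shell from the call path entirely and validating the parameter against an allow-list.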

Top mobile malware

Last month, Anubis remained the most prevalent mobile malware, followed by AhMyth and SpinOk.

1. Anubis - Anubis is a banking Trojan designed for Android phones. Since its initial detection it has gained additional functions, including remote access Trojan (RAT) capability, a keylogger, audio recording and various ransomware features. It has been detected in hundreds of different applications available on the Google Store.

2. AhMyth - AhMyth is a remote access Trojan (RAT) discovered in 2017. It is distributed through Android apps found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, all of which are commonly used to steal sensitive information.

3. SpinOk - SpinOk is an Android software module that operates as spyware, collecting information about files stored on the device and transmitting it to the attacker. As of May 2023, the malicious module had been found in more than 100 Android applications with a combined total of more than 421 million downloads.

Check Point's Global Threat Impact Index and its ThreatCloud Map are based on Check Point ThreatCloud intelligence data. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors deployed on networks, endpoints and mobile devices worldwide. This intelligence is further enriched by AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.

For a complete list of the top 10 malware families in September, visit the Check Point blog.
