
No. 1 malware in October 2023: NJRat leapt to second place, AgentTesla spread widely

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)11/24 Report--

Check Point Research reported that NJRat rose four places to second place last month. At the same time, researchers discovered a new malicious spam campaign involving AgentTesla, the sixth most commonly used malware, which spreads through infected file attachments.

In November 2023, Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the world's leading provider of cyber security solutions, released its Global Threat Index report for October 2023. Last month, NJRat, a remote access Trojan (RAT) mainly aimed at government agencies and civil society organizations in specific regions, jumped from sixth to second place, rising four places. At the same time, researchers reported a new malicious spam campaign involving the advanced RAT AgentTesla, with the education sector still the primary target.

Last month, AgentTesla was found to be spread through archive files containing a malicious Microsoft Compiled HTML Help (.CHM) file. These files are emailed as .GZ or .zip attachments with filenames related to recent orders and shipments, such as po-#.gz or shipping documents.gz, intended to entice the target into downloading the malware. Once installed, AgentTesla can perform keylogging, capture clipboard data, access the file system and secretly exfiltrate the stolen data to its command and control (C&C) server.
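A defender-side illustration of the delivery pattern described above, added here and not part of the Check Point report: a mail-gateway triage check that flags .GZ/.zip attachments carrying order- or shipment-style names and blocks archives whose members include a .CHM file. The lure regex, the extension lists and the in-memory sample archive are constructed assumptions, not indicators from the report.

```python
import io
import os
import re
import zipfile

# Archive extensions used by the campaign described in the report
ARCHIVE_EXT = (".zip", ".gz")
# Constructed approximation of the "po-#.gz" / "shipping documents.gz" lure names
LURE_NAME = re.compile(r"(?:^po[-_ ]?\d*|shipping|shipment|order|invoice)", re.IGNORECASE)
# Member types that should never arrive inside a "shipping document" archive
DANGEROUS_MEMBER_EXT = {".chm", ".exe", ".scr", ".js", ".vbs"}


def zip_members(data: bytes) -> list[str]:
    """Return member names of an in-memory zip archive (empty list if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, members: list[str]) -> dict:
    """Score one attachment: lure-like name => review, dangerous member => block."""
    base = filename.lower().rsplit("/", 1)[-1]
    reasons = []
    if base.endswith(ARCHIVE_EXT) and LURE_NAME.search(base):
        reasons.append("order/shipment lure filename")
    bad = [m for m in members if os.path.splitext(m.lower())[1] in DANGEROUS_MEMBER_EXT]
    if bad:
        reasons.append("archive contains " + ", ".join(bad))
    verdict = "block" if bad else ("review" if reasons else "allow")
    return {"verdict": verdict, "reasons": reasons}


def build_sample_zip() -> bytes:
    """Constructed sample: a zip that mimics the lure layout (placeholder bytes, no real CHM)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("po-48213.chm", b"placeholder bytes, not a real CHM")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print(triage_attachment("shipping documents.zip", zip_members(sample)))
    print(triage_attachment("quarterly-report.zip", ["report.pdf"]))
```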

Maya Horowitz, vice president of research at Check Point Software Technologies, said: "We should not take lightly the way hackers spread malware by impersonating familiar brands or sending malicious documents by email. With the arrival of the November online shopping season, users must remain vigilant and keep in mind that cyber criminals are waiting for opportunities while people are focused on online shopping and deliveries."

CPR also noted that "Zyxel ZyWALL command injection (CVE-2023-28771)" was the most frequently exploited vulnerability, affecting 42 per cent of organizations worldwide, followed by "HTTP payload command line injection", which also affected 42 per cent of organizations worldwide. "Web server malicious URL directory traversal vulnerability" was the third most frequently exploited vulnerability, with a global impact of 42 per cent.

Top malware families

* The arrow indicates the change in ranking compared to last month.

Formbook was the most rampant malware last month, affecting 3 per cent of organizations worldwide, followed by NJRat and Remcos, each affecting 2 per cent of organizations.

1. Formbook - Formbook is an infostealer targeting the Windows operating system, first discovered in 2016. Because of its strong evasion techniques and relatively low price, it is sold as malware-as-a-service (MaaS) on underground hacking forums. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and downloads and executes files according to orders from its C&C server.

2. ↑ NJRat - NJRat is a remote access Trojan mainly aimed at government agencies and non-governmental organizations in specific regions. The Trojan, which first appeared in 2012, has several functions: capturing keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, manipulating processes and files, and viewing the victim's desktop. NJRat infects victim devices through phishing attacks and drive-by downloads, and spreads through infected USB drives or network drives with the support of its command and control server software.

3. ↓ Remcos - Remcos is a remote access Trojan that first appeared in 2016. Remcos spreads through malicious Microsoft Office documents attached to spam emails and is designed to bypass Microsoft Windows UAC security and execute malware with elevated privileges.

Most frequently exploited vulnerabilities

1. ↑ Zyxel ZyWALL command injection (CVE-2023-28771) - A command injection vulnerability exists in Zyxel ZyWALL. A remote attacker can exploit this vulnerability to execute arbitrary operating system commands on the affected system.

2. HTTP payload command line injection (CVE-2021-43936) - An HTTP payload command line injection vulnerability has been reported. A remote attacker can exploit this vulnerability by sending a specially crafted request to the victim, allowing arbitrary code execution on the target machine.

3. ↓ Web server malicious URL directory traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, 3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - Directory traversal vulnerabilities exist on different web servers. The flaw is due to an input validation error in the web server, which does not properly sanitize the URL for directory traversal patterns. An unauthenticated remote attacker can exploit the vulnerability to disclose or access arbitrary files on the vulnerable server.

Top mobile malware

Last month, Anubis still topped the list of the most rampant mobile malware, followed by AhMyth and Hiddad.

1. Anubis - Anubis is a banking Trojan designed for Android mobile phones. Since it was first detected, it has gained additional functions, including remote access Trojan (RAT) capabilities, a keylogger, audio recording and various ransomware features. The banking Trojan has been detected in hundreds of different apps offered by the Google Store.

2. AhMyth - AhMyth is a remote access Trojan (RAT) discovered in 2017 that is spread through Android apps found in app stores and on various websites. When users install these infected applications, the malware can collect sensitive information from the device and perform operations such as keylogging, taking screenshots, sending text messages and activating the camera, which are typically used to steal sensitive information.

3. Hiddad - Hiddad is Android malware that repackages legitimate applications and publishes them to third-party stores. Its main function is to display ads, but it can also gain access to key security details built into the operating system.

Check Point's Global Threat Impact Index and its ThreatCloud Map are based on Check Point ThreatCloud intelligence data. ThreatCloud provides real-time threat intelligence from hundreds of millions of sensors deployed on networks, endpoints and mobile devices worldwide. This intelligence is further enriched by AI-based engines and exclusive research data from Check Point Research, the intelligence and research division of Check Point Software Technologies.

For a complete list of the top 10 malware families in October, visit the Check Point blog.
