Source: Check Point® Software Technologies Ltd.
In its latest Threat Index, Check Point revealed that RansomHub remains the most prevalent ransomware group. Meanwhile, its researchers have detected a malicious Remcos campaign on Windows that exploits a recent security software update. Remcos and RansomHub remain unchecked.
ATHENS, 19.08.2024—Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading AI-powered, cloud-delivered cybersecurity platform provider, has released its Global Threat Index for July 2024. Despite a significant decline in June, LockBit rebounded last month to become the second most widespread ransomware group, while RansomHub retained the top spot. Meanwhile, researchers spotted a campaign distributing Remcos malware following a CrowdStrike update issue, and a series of new tactics from FakeUpdates, which again topped the July malware list.
An issue in the CrowdStrike Falcon sensor for Windows led to cybercriminals distributing a malicious ZIP file named crowdstrike-hotfix.zip. This file contained HijackLoader, which launched the Remcos malware, ranked as the seventh most prevalent malware in July. The campaign targeted businesses using Spanish-language instructions and involved creating fake domains for phishing attacks.
Meanwhile, researchers have revealed several new tactics used by FakeUpdates, which topped the malware rankings for another month. Users visiting exposed websites faced fake browser update prompts, which led to installing remote access Trojans (RATs) such as AsyncRAT, currently ranked ninth in Check Point’s index. Worryingly, cybercriminals have now started exploiting BOINC, a platform intended for volunteer computing, to gain remote control of infected systems.
“The continued persistence and resurgence of ransomware groups like LockBit and RansomHub highlight cybercriminals’ continued focus on ransomware, a significant, unrelenting challenge for organizations with far-reaching implications for business continuity and data security. The recent exploitation of a security software update to distribute the Remcos malware further highlights the opportunistic nature of cybercriminals to develop malware, compromising organizations’ defenses. To counter these threats, organizations must adopt a multi-layered security strategy that includes robust endpoint protection, vigilant monitoring, and user education to mitigate the onslaught of these increasingly massive cyberattacks,” said Maya Horowitz, VP of Research at Check Point Software.
Top malware families
*The arrows refer to the change in ranking compared to the previous month.
FakeUpdates was the most prevalent malware last month, with a 7% impact on global organizations, followed by Androxgh0st with a 5% global impact, and AgentTesla with a 3% global impact.
- ↔ FakeUpdates—FakeUpdates (AKA SocGholish) is a downloader written in JavaScript that writes payloads to disk before launching them. FakeUpdates led to further compromise through several additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- ↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For the initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, and AWS keys. It uses Laravel files to collect the required information. It has different variants that scan for other details.
- ↔ AgentTesla – AgentTesla is an advanced RAT that acts as a keylogger and information stealer. It is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and extracting credentials for various software installed on the victim’s machine (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client).
- ↑ Formbook—Formbook is an infostealer targeting the Windows operating system, first detected in 2016. It is marketed as Malware as a Service (MaaS) on underground hacking forums for its powerful evasion techniques and relatively low price. FormBook collects credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files according to commands from its C&C.
- ↓ Qbot – Qbot, AKA Qakbot, is a multipurpose malware that first appeared in 2008. It is designed to steal a user’s credentials, record keystrokes, steal browser cookies, spy on banking activities, and deploy additional malware. It is often distributed via spam email and uses anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and avoid detection. Starting in 2022, it emerged as one of the most widespread Trojans.
- ↔ Remcos—Remcos is a RAT that first appeared in 2016. It is distributed via malicious Microsoft Office documents attached to spam emails. Remcos is designed to bypass Microsoft Windows UAC security and run malware with elevated privileges.
- ↔ Phorpiex—Phorpiex is a botnet known for distributing other malware families through spam campaigns and powering large-scale sextortion campaigns.
- ↑ Vidar—Vidar is a malware-as-a-service info stealer that was discovered in late 2018. The malware runs on Windows and can collect sensitive data from browsers and digital wallets. In addition, it is used as a downloader for ransomware.
- ↓ AsyncRAT – AsyncRAT is a Trojan that targets the Windows platform. This malware sends information about the targeted system to a remote server. It receives commands from the server to download and run plugins, kill processes, uninstall/update itself, and take screenshots of the infected system.
- ↓ NJRat – NJRat is a remote access Trojan, mainly targeting government agencies and organizations in the Middle East. The Trojan first appeared in 2012 and has multiple capabilities: logging keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims through phishing attacks and drive-by downloads and spreads via infected USB keys or network drives, supported by Command & Control server software.
Top exploited vulnerabilities
- ↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection vulnerability over HTTP has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary operating system commands on the affected system.
- ↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) – HTTP headers allow the client and server to pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim’s machine.
- ↔ Apache HTTP Server Directory Traversal (CVE-2021-41773)—Apache HTTP Server has a directory traversal vulnerability. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.
- ↓ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not correctly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthorized remote attackers to expose or access arbitrary files on the vulnerable server.
- ↓ TP-Link Archer AX21 Command Injection (CVE-2023-1389)—TP-Link Archer AX21 has a command injection vulnerability. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
- ↑ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) – The MVPower CCTV DVR has a remote code execution vulnerability. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↓ Dasan GPON Router Authentication Bypass (CVE-2024-3273)—PHPUnit contains a command injection vulnerability. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands on the affected system.
- ↔ PHP Easter Egg Information Disclosure (CVE-2015-2051)—A PHP page information disclosure vulnerability has been reported. The vulnerability is due to a misconfiguration of the web server. A remote attacker could exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
- ↑ NETGEAR DGN Command Injection—NETGEAR DGN has a command injection vulnerability. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
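The directory traversal entries above (including the Apache HTTP Server item) all come down to a web server validating the request URI before fully decoding and normalising it. The following Python example is added here to show that failure mode beside its fix; it is not code from the report or from any of the products named, and the document root `/var/www/html`, the function names and the sample request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example (not from the report).
DOC_ROOT = "/var/www/html"


def naive_resolve(doc_root: str, request_path: str) -> str:
    """Vulnerable pattern: the '..' check runs on the raw URI, and the path is
    percent-decoded afterwards, so '%2e%2e' passes the check and becomes '..'
    by the time the file is opened."""
    if ".." in request_path:
        raise ValueError("traversal pattern rejected")
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))


def safe_resolve(doc_root: str, request_path: str, max_decodes: int = 2) -> str:
    """Hardened resolver: decode before validating, bound the number of decode
    passes (double encoding), reject NUL bytes, normalise, then confine the
    final path to the document root by prefix comparison."""
    root = posixpath.normpath(doc_root)
    path = request_path.split("?", 1)[0]          # drop the query string
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:                     # still encoded after the budget
        raise ValueError("too many encoding layers")
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/")                # backslash is a separator on Windows
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("path escapes document root")
    return full


def classify_requests(doc_root: str, request_paths):
    """Run each request through safe_resolve and map the raw request to the
    resolved path, or None when it was rejected (useful for triaging access logs)."""
    result = {}
    for p in request_paths:
        try:
            result[p] = safe_resolve(doc_root, p)
        except ValueError:
            result[p] = None
    return result


# Constructed sample request paths for the demonstration (not indicators from the report).
SAMPLE_REQUESTS = [
    "/index.html",
    "/css/../index.html",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/..%2f..%2f..%2fetc/passwd",
    "/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "/images/..\\..\\..\\etc/passwd",
]

if __name__ == "__main__":
    # The naive resolver lets the encoded request reach /etc/passwd.
    print("naive:", naive_resolve(DOC_ROOT, "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"))
    for req, resolved in classify_requests(DOC_ROOT, SAMPLE_REQUESTS).items():
        print(f"{req!r:50} -> {resolved or 'REJECTED'}")
```

The point of the hardened version is ordering: decoding happens first, the decode budget is fixed so a second encoding layer cannot smuggle dots through, and the last word goes to a prefix check on the normalised result rather than to a pattern match on the raw string. Running the script prints the naive result (`/etc/passwd`) and then marks every traversal attempt in the sample list as rejected while the two legitimate requests resolve inside the root.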
Top Mobile Malware
Last month, Joker topped the list of most prevalent mobile malware, followed by Anubis and AhMyth.
- ↔ Joker – Joker is an Android spyware on Google Play designed to steal SMS messages, contact lists, and device information. In addition, the malware signs the victim up, without their knowledge, for premium services on advertising websites.
- ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was detected, it has acquired additional features such as Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of apps in the Google Store.
- ↔ AhMyth—AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps found in app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, all of which are typically used to steal sensitive information.
Top-Attacked Industries Globally
Last month, Education/Research remained the most attacked industry globally, followed by Government/Military and Communications.
- Education/Research
- Government/Military
- Communications
Top Ransomware Groups
The data is based on information from so-called “shame sites” that are run by double-extortion ransomware groups and publish information about victims. This month, RansomHub is the most prevalent ransomware group, responsible for 11% of published attacks, followed by Lockbit3 with 8% and Akira with 6%.
- RansomHub—RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as an upgraded version of the previously known Knight ransomware. It appeared in early 2024 on underground cybercrime forums and quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux, and VMware ESXi environments. This malware is known for using sophisticated encryption methods.
- Lockbit3—LockBit is ransomware that operates on a RaaS model and was first reported in September 2019. It targets large businesses and government agencies from various countries but does not target individuals in Russia or the Commonwealth of Independent States.
- Akira—First reported in early 2023, Akira ransomware targets Windows and Linux systems. Like Conti v2 ransomware, it uses symmetric encryption with CryptGenRandom() and ChaCha 2008 to encrypt files. Akira is distributed through various means, including infected email attachments and exploits on VPN endpoints. After infection, it encrypts data and appends a ‘.akira’ extension to filenames, then presents a ransom note demanding payment for decryption.
Follow Check Point via:
LinkedIn: https://www.linkedin.com/company/check-point-software-technologies
X: https://www.twitter.com/checkpointsw
Facebook: https://www.facebook.com/checkpointsoftware
Blog: https://blog.checkpoint.com
YouTube: https://www.youtube.com/user/CPGlobal