Information thief FormBook has ended a seven-month period of dominance for the Emotet Trojan turned botnetbecoming the most prevalent observed malware in August 2022, according to The latest from Check Point Global Threat Index.
FormBook targets Windows systems and has been around for six years. It is sold as a malware-as-a-service (MaaS) on cybercriminal forums, and is popular for its low cost and advanced evasion capabilities.
Deployed on a target system, it collects credentials from web browsers, collects screenshots, monitors and logs keystrokes, and is capable of downloading and executing files if prompted.
Meanwhile, the Mobile Malware Index saw an evolution last month, with Joker – an Android-based malware that steals SMS messages, contact lists and device information, and enrolls its victims to paid premium services – rising from fifth to third place. widely perceived threat.
“The changes we’re seeing in this month’s index, from Emotet dropping from first to fifth place, to Joker becoming the third most prevalent mobile malware, reflects how quickly the threat landscape can change. “, said Maya Horowitz, vice president of Check Point. research chair.
“This should remind individuals and businesses of the importance of keeping up to date with the latest threats, as it is essential to know how to protect yourself. Threat actors are constantly evolving and the emergence of FormBook shows that we can never be complacent when it comes to security and must take a holistic, prevention-focused approach across networks, endpoints and cloud.
The other most prevalent malware seen in August is Agent Tesla Remote Access Trojan (RAT), which jumped from seventh to second place from July; while XMRig, an open source cryptominerstable in third position.
The rest of the top 10 most viewed malware in August were:
- Guloader, a downloader for a number of Remote Access Trojans (RATs) and information stealers, including FormBook and Agent Tesla;
- NJRat another RAT that primarily targets government agencies and organizations in the Middle East;
- Remcos, a RAT distributed via malicious Microsoft Office attachments and cleverly designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges;
- SnakeKeylogger, a modular .net keylogger first seen in 2020;
- Ramnit, a modular banking Trojan first seen in 2020, capable of stealing account credentials for all services used by its victims;
- And Phorphiex, a long-running botnet that distributes other malware and is a driving force behind multiple large-scale spam and sextortion campaigns.
The top three mobile malware observed during the period were:
- AlienBot, an Android banking trojan sold online as a MaaS, which supports keylogging, credential theft, and multi-factor authentication (MFA) token SMS collection.
- Anubis, another banking Trojan to which other features have been added over time, including RAT functionality, keylogging and audio recording capabilities, and can be found on hundreds of different apps that hide in the Google Store;
- And the Joker spyware mentioned above.
Check Point shared new information on some of the most widely exploited vulnerabilities seen in the wild last month, with CVE-2021-44228, or Log4Shell for the layman, still the most commonly seen vulnerability, affecting 44% of organizations worldwide. the world.
First reported late 2021Log4Shell, which affects Apache Log4j, a component of thousands of software releases, and has been described as a “design failure of catastrophic proportions”.
A reported information disclosure vulnerability in Git Repository was also widely seen in August, the successful exploitation of which could allow inadvertent disclosure of account information, and a series of directory traversal vulnerabilities on various web servers – including some date back to 2010 – which collectively allow unauthenticated actors to disclose or access arbitrary files on a vulnerable server.
It is important to note that the data collected by cybersecurity companies for scheduled reports is usually drawn from proprietary sources and network telemetry. It does not necessarily present an accurate or complete picture of the threat landscape and should be read in conjunction with several other sources.