Emotet tops February 2022’s most wanted malware

Check Point Global Threat Index for February 2022 has revealed Emotet is again the most prevalent malware, followed by Formbook and Trickbot in second and third place. Apache Log4j is no longer the most exploited vulnerability but education/research is still the most attacked industry globally according to the data from the report.

Trickbot is a botnet and banking trojan that can steal financial details, account credentials, and personally identifiable information, as well as spread laterally within a network and drop ransomware. During 2021, it appeared at the top of the most prevalent malwares list seven times.

During the past few weeks, Check Point researchers have noted no new Trickbot campaigns and the malware now remains in third spot in the index. This could be due in part to some Trickbot members joining the Conti ransomware group, as suggested in the recent Conti data leak.

Check Point researchers witnessed cyber criminals taking advantage of the Russia/Ukraine conflict in order to lure people to download malicious attachments, and February's most prevalent malware, Emotet, has indeed been doing just this, with emails that contain malicious files and the subject "Recall: Ukraine-Russia Military conflict: Welfare of our Ukrainian Crew member."

Currently there are a number of malwares, including Emotet, taking advantage of the public interest around the Russia/Ukraine conflict by creating email campaigns on the topic that lure people into downloading malicious attachments, according to Maya Horowitz, VP research at Check Point Software.

"It's important to always check that a sender's email address is authentic, look out for any misspellings in emails and don’t open attachments or click on links unless you are certain that the email is safe," Horowitz said.

Check Point researchers revealed this month that government/military is the most attacked industry in Australia, followed by Hardware vendors and Education/Research.

Top Malware Families
This month, Emotet is still the most prevalent malware impacting 2.69 per cent of organisations worldwide, closely followed by Formbook which is impacting 2.13 per cent of organisations and Trickbot, which is impacting 1.12 per cent.

VIEW ALL

• Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet, once used as a banking Trojan, has recently been used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
• Formbook - Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
• Trickbot - Trickbot is a modular banking Trojan, attributed to the WizardSpider cybercrime gang. Mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader.

Top Attacked Industries Globally
This month education/research is the most attacked industry globally, followed by government/military and ISP/MSP.

• Government/military.
• Hardware vendor.
• Education/research.

Top Exploited Vulnerabilities
This month "Web Server Exposed Git Repository Information Disclosure" is the most commonly exploited vulnerability, impacting 46 per cent of organisations globally, followed by "Apache Log4j Remote Code Execution", which has dropped from first place to second and impacts 44 per cent of organisations worldwide. "HTTP Headers Remote Code Execution" is the third most exploited vulnerability, with a global impact of 41 per cent.

• Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
• Apache Log4j Remote Code Execution (CVE-2021-44228) - A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
• HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) - HTTP headers let the client and the server pass additional information with a HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim’s machine.

Top Mobile Malwares
This month XLoader is the most prevalent mobile malware, followed by xHelper and AlienBot.

• XLoader - XLoader is an Android Spyware and banking Trojan developed by the Yanbian Gang, a Chinese hacker group. This malware uses DNS spoofing to distribute infected Android apps to collect personal and financial information.
• xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application can hide itself from the user and reinstalling itself in case it was uninstalled.
• AlienBot - AlienBot malware family is a malware-as-a-service (MaaS) for Android devices that allows a remote attacker to firstly inject malicious code into legitimate financial applications then allows the attacker to obtain access to the victims' accounts, and eventually completely control their device.

Check Point's Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud is designed to provide real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.

[Related: Darktrace bolsters cyber AI platform with new update]

Nastasha Tupas

Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.