
December 2022 malware: Glupteba returns to the top ten, with Qbot in first place

Check Point Research reports that Glupteba returned to the top ten for the first time since July 2022. Qbot replaced Emotet as the most rampant malware in December, and Android malware Hiddad made a comeback

In January 2023, Check Point Software Technologies Inc. (NASDAQ: CHKP), a leading global provider of cybersecurity solutions, released its Global Threat Index report for December 2022. Last month the blockchain-based Trojan botnet Glupteba was on the rise again, returning to the top 10 for the first time since July 2022 and taking eighth place. Qbot, a sophisticated Trojan that steals banking credentials and keystrokes, continued its resurgence and replaced Emotet as the most rampant malware, affecting 7% of organizations worldwide. Meanwhile, the Android malware Hiddad made a comeback, and education remains the most affected industry globally.

Although Google disrupted the Glupteba botnet in December 2021, the botnet has recently re-emerged. As a modular malware variant, Glupteba can carry out a range of malicious activities on compromised computers. The botnet is often used as a downloader and dropper for other malware, which means that a Glupteba infection can lead to ransomware, data breaches, or other security incidents. Glupteba can also steal user credentials and session cookies from infected machines; this authentication data can then be used to access the user's online accounts or other systems, allowing attackers to steal sensitive data or take other actions with those compromised accounts. Finally, the malware is widely used to deploy cryptocurrency mining on its targets, and this covert mining can exhaust a computer's resources.

In December, Hiddad entered the top three in the mobile malware rankings. Hiddad is ad-distributing malware that primarily targets Android devices. It repackages legitimate apps and publishes them to third-party stores. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.

Maya Horowitz, vice president of research at Check Point Software Technologies, said: "Our latest research shows that malware often masquerades as legitimate software, allowing hackers to access devices through backdoors without raising suspicion. Therefore, you must be careful when downloading any software and apps or clicking on links, no matter how real they may seem."

CPR also noted that "Web Server Exposed Git Repository Information Disclosure" was the most commonly exploited vulnerability, affecting 46% of organizations worldwide, followed by "Web Server Malicious URL Directory Traversal," affecting 44% of organizations worldwide. HTTP payload command line injection was the third most commonly exploited vulnerability, affecting 43% of organizations worldwide.

Top malware families

* Arrows indicate ranking changes compared to the previous month.

Qbot was the most rampant malware last month, affecting 7% of organizations worldwide, followed by Emotet and XMRig, affecting 4% and 3% of organizations worldwide, respectively.

↑ Qbot - Qbot (aka Qakbot) is a banking Trojan that first appeared in 2008 with the aim of stealing users' banking credentials and keystrokes. Qbot is often spread via spam and employs a variety of anti-VM, anti-debugging, and anti-sandboxing tactics to hinder analysis and evade detection.

Emotet – Emotet is an advanced modular Trojan capable of self-propagation. Emotet has been used as a banking Trojan and more recently as a propagator for other malware or malicious attacks. It uses a variety of methods and evasion techniques to ensure persistence and evade detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.

↑ XMRig - XMRig is an open-source CPU mining software for mining the Monero cryptocurrency. Attackers often abuse this open-source software, integrating it into malware to illegally mine on the victim's device.

The most commonly exploited vulnerabilities

In December, "Web Server Exposed Git Repository Information Disclosure" was the most commonly exploited vulnerability, affecting 46% of organizations worldwide, followed by "Web Server Malicious URL Directory Traversal," affecting 44% of organizations worldwide. HTTP payload command line injection was the third most commonly exploited vulnerability, affecting 43% of organizations worldwide.

↑ Web Server Exposed Git Repository Information Disclosure - An information disclosure vulnerability in web servers that expose a Git repository. An attacker who successfully exploits this vulnerability can cause the unintentional disclosure of account information.

↓ Web Server Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists in a number of different web servers. The vulnerability is due to an input validation error: the web server does not properly sanitize the URI for directory traversal patterns. An unauthenticated remote attacker can exploit it to disclose or access arbitrary files on the vulnerable server.

↑ HTTP payload command line injection (CVE-2021-43936, CVE-2022-24086) – A command line injection vulnerability in HTTP payloads has been reported. A remote attacker can exploit it by sending a specially crafted request to the victim, and successful exploitation allows the attacker to execute arbitrary code on the target machine.
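The two web-server issues above share a root cause: the server maps a request URI onto the filesystem without refusing path segments it should never serve, whether that is a `..` that climbs out of the document root or a `.git` directory that leaks the site's source and history. The following Python is an added example and is not Check Point's code or anything taken from the report. It assumes a document root of `/var/www/html` and uses a constructed access-log sample; it shows a path guard that normalises percent-encoded URIs, refuses traversal above the root and refuses version-control metadata, and then runs the same check over sample log lines to flag the requests a defender would want to review.

```python
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed document root for this example; a real server reads it from its config.
DOCUMENT_ROOT = PurePosixPath("/var/www/html")
# Version-control metadata directories that must never be served to clients.
VCS_METADATA_DIRS = {".git", ".svn", ".hg"}


def classify_request(raw_uri: str) -> Tuple[Optional[PurePosixPath], Optional[str]]:
    """Map a request URI to a file under DOCUMENT_ROOT.

    Returns (resolved_path, None) when the request may be served, or
    (None, reason) when it must be refused. reason is "traversal" when a
    '..' segment would climb above the document root, "vcs-metadata" when a
    segment names a repository directory, and "malformed" for NUL bytes or
    backslashes, which some servers treat as path separators.
    """
    uri = raw_uri.split("?", 1)[0]          # ignore the query string
    # Percent-decode until the value stops changing (bounded), so that a
    # double-encoded "%252e%252e" is seen as ".." rather than a literal name.
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    if "\x00" in uri or "\\" in uri:
        return None, "malformed"

    segments: List[str] = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue                         # empty or current-directory segment
        if seg == "..":
            if not segments:
                return None, "traversal"     # would escape DOCUMENT_ROOT
            segments.pop()
            continue
        if seg in VCS_METADATA_DIRS:
            return None, "vcs-metadata"
        segments.append(seg)
    return DOCUMENT_ROOT.joinpath(*segments), None


# Combined log format: client address, then "METHOD /uri HTTP/x.y" in quotes.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')


def scan_access_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client, uri, reason) for every request the guard would refuse."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, uri = m.group(1), m.group(2)
        _, reason = classify_request(uri)
        if reason is not None:
            findings.append((client, uri, reason))
    return findings


# Constructed sample log lines using RFC 5737 test addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2022:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [02/Dec/2022:10:01:13 +0000] "GET /.git/config HTTP/1.1" 200 196
198.51.100.4 - - [02/Dec/2022:10:02:40 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 0
198.51.100.4 - - [02/Dec/2022:10:02:41 +0000] "GET /static/css/../app.css HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for client, uri, reason in scan_access_log(SAMPLE_LOG):
        print(f"{client} {reason}: {uri}")
```

Two design points matter here. Traversal is refused rather than clamped to the root, because a request that tries to climb above the document root is never legitimate and silently clamping it hides the attempt from the log. And when reviewing a real log, the status code on a `.git` request tells you whether the repository was merely probed (404) or actually served (200); the second case means the server configuration itself needs fixing, not just the log rule.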

Top mobile malware

Last month, Anubis remained the most rampant mobile malware, followed by Hiddad and AlienBot.

Anubis – Anubis is a banking Trojan malware designed specifically for Android phones. Since its initial discovery, it has added several additional features, including Remote Access Trojan (RAT) functionality, keylogger and recording capabilities, and various ransomware features. The banking Trojan has been detected in hundreds of different apps offered by Google Play.

Hiddad - Hiddad is an Android malware capable of repackaging legitimate apps and then publishing them to third-party stores. Its main function is to display advertisements, but it also has access to key security details built into the operating system.

AlienBot – AlienBot is a banking Trojan for Android that is sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays (to steal credentials), and SMS capture (bypassing 2FA), and can leverage the TeamViewer module to provide additional remote control capabilities.

Check Point's Global Threat Impact Index and its ThreatCloud Map are based on Check Point ThreatCloud intelligence data. ThreatCloud provides real-time threat intelligence from hundreds of millions of sensors deployed on networks, endpoints, and mobile devices around the world. This intelligence is further enriched by AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.

For a complete list of the top 10 malware families for December, visit the Check Point blog.

About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and to the wider intelligence community. The research team collects and analyzes global cyberattack data stored in ThreatCloud to keep hackers at bay, while ensuring that all Check Point products are updated with the latest protections. The team consists of more than 100 analysts and researchers who cooperate with other security vendors, law enforcement, and various computer emergency response teams (CERTs).

About Check Point Software Technologies Inc

Check Point Software Technologies (www.checkpoint.com.cn) is a leading provider of cybersecurity solutions for governments and enterprises worldwide. The Check Point Infinity portfolio delivers industry-leading catch rates for malware, ransomware, and other threats to protect businesses and public organizations from fifth-generation cyberattacks. Infinity consists of four core pillars that deliver superior security and fifth-generation threat prevention across enterprise environments: Check Point Harmony for remote users; Check Point CloudGuard for automatically securing cloud environments; Check Point Quantum for protecting network perimeters and data centers; and Check Point Horizon, a prevention-centric unified security management and defense platform. All of these are controlled through the industry's most comprehensive and intuitive unified security management. Check Point protects more than 100,000 organizations of all sizes.