
April 2024 Top Malware: Androxgh0st Attacks Surge, LockBit3 Declines

Author: Chopping wood nets

Researchers recently found that attacks using the Androxgh0st malware, which targets Windows, Mac, and Linux platforms, have surged, propelling it to second place on the list of top malware.

In May 2024, Check Point® Software Technologies Ltd., a leading provider of cloud-based AI cybersecurity platforms, released its Global Threat Index report for April 2024. Last month, researchers observed a significant rise in attacks using Androxgh0st, malware that is used to build botnets for stealing sensitive information. Meanwhile, LockBit3 remained the most prevalent ransomware group in April, even though its detection rate has fallen 55% since the start of the year and its global impact has dropped from 20% to 9%.

Androxgh0st first appeared in September 2022, and researchers have tracked its operators since then. The attackers exploit vulnerabilities such as CVE-2021-3129 (a remote code execution flaw in the Ignition debugging component shipped with Laravel) and CVE-2024-1709 (an authentication bypass in ConnectWise ScreenConnect) to deploy web shells for remote control, while concentrating on building botnets for credential theft. Notably, the group operating this malware has been linked to the distribution of Adhublika ransomware. Androxgh0st operators typically exploit vulnerabilities in Laravel applications to steal credentials for cloud services such as AWS, SendGrid, and Twilio. Recent indications are that they are shifting their focus to building botnets in order to exploit vulnerabilities more broadly.

The Check Point index also draws on insights from the "shame sites" run by double-extortion ransomware gangs, where attackers publish victim information to pressure targets that refuse to pay. LockBit3 again took first place, responsible for 9% of published attacks, followed by Play and 8Base with 7% and 6%, respectively. 8Base, back in the top three, recently claimed to have breached the UN's IT systems and stolen HR and procurement data. Although LockBit3 is still at the top of the list, the group has suffered several blows. In February, its leak site was taken down in the multi-agency law enforcement action known as Operation Cronos. This month, the international law enforcement agencies involved released new details, identifying 194 affiliates who used the LockBit3 ransomware and exposing and sanctioning the group's leaders.

Maya Horowitz, Vice President of Research at Check Point Software Technologies, said: "Our research shows that the international community's joint efforts to destroy LockBit3 have been an overall success. Since the beginning of 2024, LockBit3's global reach has been reduced by more than 50%. While the recent crackdown has been positive, organizations must continue to prioritize cybersecurity and take proactive steps to strengthen network, endpoint, and email security. The key to improving cyber resilience remains the implementation of multiple layers of defense and the creation of robust backup and recovery procedures and incident response plans."

Top malware families

* The arrows indicate the change in the ranking compared to the previous month.

FakeUpdates was the most prevalent malware last month, affecting 6% of organizations worldwide, followed by Androxgh0st and Qbot, which affected 4% and 3% of organizations worldwide, respectively.

1. FakeUpdates – FakeUpdates (aka SocGholish) is a downloader written in JavaScript. It writes payloads to disk before launching them. FakeUpdates has led to further compromise via a range of other malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.

2. ↑ Androxgh0st – Androxgh0st is a botnet targeting Windows, Mac, and Linux platforms. During the initial infection phase, Androxgh0st exploits multiple vulnerabilities, specifically ones in PHPUnit, the Laravel framework, and the Apache web server. The malware steals sensitive information such as Twilio account details, SMTP credentials, and AWS keys, and reads Laravel files (typically the .env configuration file) to collect the information it needs. Different variants scan for different information.

3. ↓ Qbot – Qbot (aka Qakbot) is multi-purpose malware that first appeared in 2008 and is designed to steal user credentials, log keystrokes, steal browser cookies, spy on users' banking activity, and deploy additional malware. Qbot is usually spread via spam and employs a variety of anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. From 2022 onward it became one of the most prevalent Trojans.
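As an added example (not code from the Check Point report or from this article), the following Python script shows how a defender could spot the Androxgh0st probing pattern described above in Apache access logs: it parses combined-format log lines, matches the request paths publicly documented for this botnet (exposed Laravel .env files, PHPUnit's eval-stdin.php, and Laravel Ignition's execute-solution endpoint used for CVE-2021-3129), groups hits per source IP, and escalates to "critical" when a .env file was actually served. The log lines, IP addresses, and function names are constructed for this example; the path indicators come from the CISA/FBI advisory on Androxgh0st (AA24-016A), not from this page.

```python
"""Detect Androxgh0st-style probing in Apache access logs.

Added example, not part of the original article: scans combined-format
access log lines for the request paths Androxgh0st is known to probe
(exposed Laravel .env files, the PHPUnit eval-stdin.php RCE, and the
Laravel Ignition RCE CVE-2021-3129) and groups hits per source IP so a
responder can see which hosts were probed, which probes succeeded, and
where credentials must be rotated. The log lines below are constructed
for the example, not real traffic.
"""
import re
from collections import defaultdict

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Request-path indicators taken from public advisories on Androxgh0st
# (CISA/FBI AA24-016A); the regexes themselves are this example's own.
INDICATORS = {
    # Exposed Laravel .env (and backups): source of AWS/Twilio/SMTP creds
    "laravel_env": re.compile(r"/\.env(\.[\w-]+)?$"),
    # PHPUnit eval-stdin.php (CVE-2017-9841): unauthenticated PHP RCE
    "phpunit_eval_stdin": re.compile(r"/phpunit/.*eval-stdin\.php$"),
    # Laravel Ignition execute-solution (CVE-2021-3129): RCE in debug mode
    "laravel_ignition": re.compile(r"/_ignition/execute-solution$"),
}

# Constructed sample log: one scanner (203.0.113.10) and one normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2024:10:15:01 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2024:10:15:02 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2024:10:15:03 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 1456 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2024:10:16:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2024:10:16:12 +0000] "GET /css/app.css HTTP/1.1" 200 8010 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Apr/2024:10:15:05 +0000] "GET /shop/.env HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path: str):
    """Return the indicator name matching a request path, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(path):
            return name
    return None


def scan(log_text: str) -> dict:
    """Group indicator hits per source IP.

    Returns {ip: {"hits": [(indicator, status, path), ...],
                  "env_served": bool}} where env_served is True if any
    .env request got HTTP 200, i.e. the file was actually disclosed.
    """
    findings = defaultdict(lambda: {"hits": [], "env_served": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        indicator = classify(rec["path"])
        if indicator is None:
            continue
        entry = findings[rec["ip"]]
        entry["hits"].append((indicator, int(rec["status"]), rec["path"]))
        if indicator == "laravel_env" and rec["status"] == "200":
            entry["env_served"] = True
    return dict(findings)


def severity(entry: dict) -> str:
    """Triage one IP's findings.

    critical: a .env was served (assume every secret in it is stolen and
              rotate AWS, Twilio, SendGrid and SMTP credentials);
    high:     two or more distinct probe types, the multi-vector scanning
              pattern typical of the botnet;
    low:      a single probe type that did not succeed.
    """
    if entry["env_served"]:
        return "critical"
    if len({hit[0] for hit in entry["hits"]}) >= 2:
        return "high"
    return "low"


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(f"{ip}: {severity(entry)}")
        for indicator, status, path in entry["hits"]:
            print(f"  {indicator:<20} {status} {path}")
```

A 200 response to a .env request means the credentials the article lists (AWS keys, Twilio, SendGrid, SMTP) should be treated as already stolen and rotated. The server-side fix is to deny access to dotfiles in the web root and to run Laravel with APP_DEBUG=false so the Ignition endpoint is not exposed, not merely to block the scanning IP, since the botnet rotates through many hosts.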

Top mobile malware

Last month, Anubis topped the list of the most prevalent mobile malware, followed by AhMyth and Hiddad.

1. Anubis – Anubis is banking Trojan malware designed for Android phones. Since its initial detection it has gained additional capabilities, including Remote Access Trojan (RAT) functionality, a keylogger, audio recording, and various ransomware features. The banking Trojan has been detected in hundreds of different apps on Google Play.

2. AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017 that spreads through Android apps found in app stores and on various websites. When users install these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which are typically used to steal sensitive information.

3. ↑ Hiddad – Hiddad is Android malware that repackages legitimate apps and publishes them to third-party stores. Its main function is to display ads, but it can also gain access to key security details built into the operating system.

Top ransomware groups

The ransomware group data is based on insights from the "shame sites" run by double-extortion ransomware gangs, where attackers publish victim information. Last month, LockBit3 was the most prevalent ransomware group, responsible for 9% of published attacks, followed by Play and 8Base at 7% and 6%, respectively.

1. LockBit3 – LockBit3 is ransomware operating under a Ransomware-as-a-Service (RaaS) model, first seen in September 2019. It mainly targets large enterprises and government agencies across many countries and regions. After a short hiatus in February 2024 following law enforcement action, LockBit3 has resumed publishing victim information.

2. Play – Play ransomware, also known as PlayCrypt, first surfaced in June 2022. It has targeted numerous businesses and critical infrastructure operators in North America, South America, and Europe, affecting roughly 300 entities by October 2023. Play typically gains access to networks through stolen valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it uses a variety of techniques, including living-off-the-land binaries (LOLBins), for tasks such as data exfiltration and credential theft.

3. 8Base – The 8Base threat group is a ransomware gang active since March 2022, whose attack activity increased markedly in mid-2023. The group has been observed using several ransomware variants, Phobos being the most common. 8Base's operations are fairly sophisticated, as shown by the advanced techniques used in its ransomware. Its extortion tactics include a double-extortion strategy.

About Check Point Software Technologies Ltd

Check Point Software Technologies Limited is a leading provider of cloud-based AI cybersecurity platforms that protect more than 100,000 businesses and organizations worldwide. Check Point leverages powerful AI technology to improve the efficiency and accuracy of cybersecurity protection through the Infinity platform, enabling proactive threat prediction and smarter, faster response with industry-leading catch rates. The comprehensive platform combines cloud-based technologies including Check Point Harmony for workspace security, Check Point CloudGuard for cloud security, Check Point Quantum for network security, and Check Point Infinity Core Services for collaborative security operations and services.

About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and to the wider intelligence community. The research team collects and analyzes global cyberattack data stored in ThreatCloud to ensure that all Check Point products carry the most up-to-date protections against attackers. The team consists of more than 100 analysts and researchers and collaborates with other security vendors, law enforcement agencies, and various computer emergency response teams.
