July 2021’s Most Wanted Malware: Snake Keylogger Enters Top 10 for First Time

Check Point Research reports that Trickbot is the most prevalent malware for the third month running, while Snake Keylogger enters the index for the first time, taking second place

Our latest Global Threat Index for July 2021 has revealed that while Trickbot is still the most prevalent malware, Snake Keylogger, which was first detected in November 2020, has surged into second place following an intense phishing campaign.

Snake Keylogger is a modular .NET keylogger and credential stealer. Its primary function is to record users’ keystrokes on computers or mobile devices, and transmit the collected data to threat actors. In recent weeks, Snake has been growing fast via phishing emails with different themes across all countries and business sectors.

Snake infections pose a major threat to users’ privacy and online safety, as the malware can steal virtually all kinds of sensitive information and it is a particularly evasive and persistent keylogger. There are currently underground hacking forums where the Snake Keylogger is available for purchase, at prices ranging from 25 to 500 dollars depending on the level of service offered.

The worst thing about keylogger attacks is that many people tend to use the same password and username for different accounts, and once one is breached, the cybercriminal gains access to all those that have the same password. To stop them, it is essential to use a unique password for each account. A password manager can help here: it both stores and generates different, robust credentials for each service, following whatever guidelines have been decided upon.

Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single Sign-On (SSO) technologies. Also, when it comes to password policies, choosing a strong, unique password for each service is the best advice; then, even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services. Keyloggers such as Snake are often distributed via phishing emails, so it’s essential that users know to look out for small discrepancies such as misspellings in links and email addresses, and be educated to never click on suspicious links or open any unfamiliar attachments.

CPR also revealed this month that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 44% of organizations worldwide. “MVPower DVR Remote Code Execution” takes third place in the top exploited vulnerabilities list, with a global impact of 42%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month, Trickbot is the most popular malware, impacting 4% of organizations globally, followed by Snake Keylogger and XMRig, each with a global impact of 3%.

  1. ↔ Trickbot – Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.
  2. ↑ Snake Keylogger – Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020; its primary functionality is to record users’ keystrokes and transmit collected data to threat actors.
  3. XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.
  4. ↓ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  5. ↓ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
  6. ↔ Ramnit – Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  7. ↑ Tofsee – Tofsee is a backdoor Trojan, operating since at least 2013. Tofsee serves as a multipurpose tool that can conduct DDoS attacks, send spam emails, mine cryptocurrencies, and more.
  8. ↓ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials from a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
  9. ↓ Qbot – Qbot is a banking Trojan that first appeared in 2008, designed to steal users’ banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
  10. ↔ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large-scale sextortion campaigns.

Top exploited vulnerabilities

This month “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 44% of organizations worldwide. “MVPower DVR Remote Code Execution” is in third place in the top exploited vulnerabilities list, with a global impact of 42%.

  1. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  2. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
  3. MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  4. ↓ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  5. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability, aka Heartbleed, is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  6. ↑ PHPUnit Command Injection (CVE-2017-9841) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.
  7. ↔ Command Injection Over HTTP – A command injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  8. ↓ Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638, CVE-2019-0230) – A remote code execution vulnerability exists in Apache Struts2 when using the Jakarta multipart parser. An attacker could exploit this vulnerability by sending an invalid content-type as part of a file upload request. Successful exploitation could result in execution of arbitrary code on the affected system.
  9. ↑ D-LINK Multiple Products Remote Code Execution (CVE-2015-2051) – A remote code execution vulnerability has been reported in multiple D-Link products. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  10. ↓ NoneCMS ThinkPHP Remote Code Execution (CVE-2018-20062) – A remote code execution vulnerability exists in NoneCMS ThinkPHP framework. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

Top mobile malware

This month xHelper takes first place among the most prevalent mobile malware, followed by AlienBot and Hiddad.

  1. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and can even reinstall itself in the event that it was uninstalled.
  2. AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.
  3. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.