February 2022’s Most Wanted Malware: Emotet Remains Number One While Trickbot Slips Even Further Down the Index

Check Point Research (CPR) reveals that Emotet is again the most prevalent malware, while Trickbot falls from second place into sixth. Apache Log4j is no longer the most exploited vulnerability but Education/Research is still the most attacked industry.

Our latest Global Threat Index for February 2022 reveals that Emotet is still the most prevalent malware, impacting 5% of organizations worldwide, while Trickbot has slipped even further down the index into sixth place.

Trickbot is a botnet and banking trojan that can steal financial details, account credentials, and personally identifiable information, as well as spread laterally within a network and drop ransomware. During 2021, it appeared at the top of the most prevalent malwares list seven times. During the past few weeks, however, we have seen no new Trickbot campaigns and the malware now ranks sixth in the index. This could be due in part to some Trickbot members joining the Conti ransomware group, as suggested in the recent Conti data leak.

This month, we witnessed cybercriminals taking advantage of the Russia/Ukraine conflict in order to lure people to download malicious attachments, and February’s most prevalent malware, Emotet, has indeed been doing just this, with emails that contain malicious files and the subject “Recall: Ukraine -Russia Military conflict: Welfare of our Ukrainian Crew member”.

Currently we are seeing a number of malwares, including Emotet, take advantage of the public interest around the Russia/Ukraine conflict by creating email campaigns on the topic that lure people into downloading malicious attachments. It’s important to always check that a sender’s email address is authentic, look out for any misspellings in emails and don’t open attachments or click on links unless you are certain that the email is safe.

This month Education/Research continues to be the most attacked industry globally followed by Government/Military and Internet service provider (ISP) / managed service provider (MSP). “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 46% of organizations globally, followed by “Apache Log4j Remote Code Execution” which dropped from first to second place and impacts 44% of organizations worldwide. “HTTP Headers Remote Code Execution” is the third most exploited vulnerability, with a global impact of 41%.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

This month, Emotet is still the most prevalent malware impacting 5% of organizations worldwide, closely followed by Formbook which is impacting 3% of organizations and Glupteba which is impacting 2%.

  1. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet, once used as a banking Trojan, has recently been used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  2. ↑ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  3. ↑ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
  4. ↔ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
  5. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.
  6. Trickbot Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features, and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  7. ↑ Ramnit -Ramnit is a banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  8. ↑ SnakeKeyloggerSnake is a modular .NET keylogger and credential stealer first spotted in late November 2020. Its primary functionality is to record user’s keystrokes and transmit collected data to the threat actors. Snake infections pose a major threat to users’ privacy and online safety, as the malware can steal virtually all kinds of sensitive information and it is a particularly evasive and persistent keylogger.
  9. ↑ Phorpiex – Phorpiex is a botnet (aka Trik) that has been around since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
  10. ↑ Tofsee – Tofsee is a Trickler that targets the Windows platform. This malware attempts to download and execute additional malicious files on target systems. It may download and display an image file to a user in an effort to hide its true purpose.

Top Attacked Industries Globally

This month Education/Research is the most attacked industry globally, followed by Government/Military and ISP/MSP.

  1. Education/Research
  2. Government/Military
  3. ISP/MSP

Top Exploited Vulnerabilities

This month “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 46% of organizations globally, followed by “Apache Log4j Remote Code Execution” which has dropped from first place to second and impacts 44% of organizations worldwide. “HTTP Headers Remote Code Execution” is the third most exploited vulnerability, with a global impact of 41%.

  1. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  2. Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  3. HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with a HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim’s machine.
  4. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  5. Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – There exists a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  6. ↑ PHP Easter Egg Information Disclosure – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
  7. D-LINK Multiple Products Remote Code Execution (CVE-2015-2051) – A remote code execution vulnerability has been reported in multiple D-Link products. Successful exploitation could lead to arbitrary code execution on the vulnerable device.
  8. ↔ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  9. ↑ Dasan GPON Router Remote Command Injection (CVE-2018-10562) – A remote command execution vulnerability exists in Dasan GPON routers. A remote attacker could exploit this vulnerability by sending a malicious request to the victim. Successful exploitation of this vulnerability can result in the execution of arbitrary code in the context of the target user.
  10. ↑ PHPUnit Command Injection (CVE-2017-9841) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.

Top Mobile Malwares

This month XLoader is the most prevalent mobile malware, followed by xHelper and AlienBot.

  1. XLoader – XLoader is an Android Spyware and banking Trojan developed by the Yanbian Gang, a Chinese hacker group. This malware uses DNS spoofing to distribute infected Android apps to collect personal and financial information.
  2. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application can hide itself from the user and reinstalling itself in case it was uninstalled.
  3. AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to firstly inject malicious code into legitimate financial applications then allows the attacker to obtain access to the victims’ accounts, and eventually completely control their device.