May 2022’s Most Wanted Malware: Snake Keylogger returns to the index in eighth place following email campaigns delivering the malware via PDF files
Our Global Threat Index for May 2022 reveals that Emotet, an advanced, self-propagating and modular Trojan, is still the most prevalent malware impacting 8% of organizations worldwide, a slight increase from last month as a result of multiple widespread campaigns.
Emotet is an agile malware that is proving profitable because of its ability to remain undetected. Its persistence also makes it difficult to remove once a device has been infected, making it the perfect tool in a cybercriminal’s arsenal. Originally a banking Trojan, it is often distributed through phishing emails and can deliver other malware, enhancing its capacity to cause widespread damage.
This month, Snake Keylogger has jumped into eighth place after a long absence from the index. Snake’s main functionality is to record users’ keystrokes and transmit the collected data to threat actors. It is usually spread through emails that include docx or xlsx attachments with malicious macros; this month, however, researchers reported that Snake Keylogger has been spread via PDF files. This could be due in part to Microsoft blocking internet macros in Office by default, meaning cybercriminals have had to become more creative, exploring new file types such as PDFs. This rare way to spread malware is proving to be quite effective, as some people perceive PDFs to be inherently safer than other file types.
As the recent Snake Keylogger campaigns show, everything we do online puts us at risk of a cyberattack, and opening a PDF document is no exception. Viruses and malicious executable code can lurk in multimedia content and links, with the malware, in this case Snake Keylogger, ready to strike once a user opens the PDF. Therefore, just as we would question the legitimacy of a docx or xlsx email attachment, we must practice the same caution with PDFs. In today’s landscape it has never been more important for organizations to have a robust email security solution that quarantines and inspects attachments, preventing malicious files from entering the network in the first place.
Our research also revealed that “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution”, which has a global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” is in third place with a global impact of 45%. The Education & Research sector continues to be the industry most targeted by cybercriminals globally.
Top Malware Families
*The arrows relate to the change in rank compared to the previous month.
This month, Emotet is still the most popular malware with a global impact of 8%, followed by Formbook with an impact of 2% and AgentTesla impacting 2% of organizations worldwide.
- ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used as a banking Trojan, but is now used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
- ↔ Formbook – Formbook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↔ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook).
- ↑ Lokibot – First identified in February 2016, LokiBot is a commodity infostealer with versions for both the Windows and Android OS. It harvests credentials from a variety of applications, web browsers, email clients and IT administration tools such as PuTTY. LokiBot is sold on hacking forums, and it is believed that its source code was leaked, allowing numerous variants to appear. Since late 2017, some Android versions of LokiBot include ransomware functionality in addition to their infostealing capabilities.
- ↓ XMRig – XMRig is open-source CPU mining software used to mine Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
- ↔ Glupteba – Glupteba is a backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public Bitcoin lists, an integrated browser stealer capability and a router exploiter.
- ↔ Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social network accounts. The Trojan uses both hardcoded domains and domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
- ↑ Snake Keylogger – Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020. Its primary functionality is to record users’ keystrokes and transmit the collected data to threat actors. Snake infections pose a major threat to users’ privacy and online safety, as the malware can steal virtually all kinds of sensitive information and is a particularly evasive and persistent keylogger.
- ↓ Phorpiex – Phorpiex is a botnet (aka Trik) that has been seen since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
- ↔ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
Top Attacked Industries Globally
This month Education/Research is the most attacked industry globally, followed by Government/Military and Internet Service Providers & Managed Service Providers (ISP & MSP).
- Education & Research
- Government & Military
- Internet Service Providers & Managed Service Providers (ISP & MSP)
Top Exploited Vulnerabilities
This month, “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution”, which has a global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” is in third place with a global impact of 45%.
- ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↔ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in exposed Git repositories. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
- ↑ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim’s machine.
- ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
- ↓ Apache Struts ParametersInterceptor ClassLoader Security Bypass (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0114) – A security bypass vulnerability exists in Apache Struts. The vulnerability is due to inadequate validation of data processed by ParametersInterceptor, allowing manipulation of the ClassLoader. A remote attacker could exploit this vulnerability by providing a class parameter in a request.
- ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in the WordPress portable-phpMyAdmin plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
- ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
- ↑ PHP Easter Egg Information Disclosure – An information disclosure vulnerability has been reported in PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
- ↑ Apache HTTP Server Directory Traversal (CVE-2021-41773) – A directory traversal vulnerability exists in Apache HTTP Server. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.
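The directory traversal entry above describes the root cause as a web server that fails to sanitize the URI for traversal patterns. The following is an added example (not Check Point's code, and not taken from any of the listed products) of the defender-side check that closes that gap: canonicalize the requested path and refuse anything that resolves outside the document root, even when the `..` is percent-encoded, double-encoded, or written with backslashes, and then run that same check over access-log lines to flag attempts. The webroot `/var/www/html`, the function names and the log lines are all assumptions constructed for the example.

```python
# Added example (not Check Point's code). resolve_under_root() is the
# sanitisation a web server should do; scan_access_log() reuses it for detection.
import posixpath
import re
from urllib.parse import unquote

def _decode(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double/triple encoding cannot hide '..'."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def resolve_under_root(webroot: str, request_path: str):
    """Return the canonical file path if it stays inside webroot, else None."""
    path = _decode(request_path.split("?", 1)[0]).replace("\\", "/")
    if "\x00" in path:                      # reject NUL-truncation tricks
        return None
    root = posixpath.normpath(webroot) + "/"
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # normpath collapses "dir/../.." past the root; the prefix test catches it.
    return full if full == root.rstrip("/") or full.startswith(root) else None

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines, webroot="/var/www/html"):
    """Return (client_ip, request_path) for each line whose path escapes webroot."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and resolve_under_root(webroot, m.group(1)) is None:
            hits.append((line.split()[0], m.group(1)))
    return hits

# Constructed sample lines in common log format (assumed values, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2022:10:00:02 +0000] "GET /images/../css/site.css HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/May/2022:10:00:03 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/May/2022:10:00:04 +0000] "GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 404 0',
    '198.51.100.9 - - [01/May/2022:10:00:05 +0000] "GET /%252e%252e/%252e%252e/boot.ini HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/May/2022:10:00:06 +0000] "GET /static/..\\..\\win.ini HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

Note that `/images/../css/site.css` is not flagged: a `..` that stays inside the webroot is legitimate, which is why the check compares the resolved path rather than matching on the literal string.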
Top Mobile Malwares
This month AlienBot is the most prevalent mobile malware, followed by FluBot and xHelper.
- AlienBot – The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.
- FluBot – FluBot is an Android malware distributed via phishing SMS messages (smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed, the malware has various capabilities to harvest credentials and support the smishing operation itself, including uploading the contacts list and sending SMS messages to other phone numbers.
- xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and reinstalling itself if it is uninstalled.