September 2022’s Most Wanted Malware: Formbook on Top While Vidar ‘Zooms’ Seven Places

Check Point Research reports that the infostealer Vidar has entered the top ten most prevalent malwares list following a fake Zoom campaign. Cyberattacks in Eastern European countries have increased dramatically and Education/Research is the most impacted sector worldwide

Our latest Global Threat Index for September 2022 reveals that while Formbook is still the most prevalent malware, impacting 3% of organizations worldwide, Vidar is now in eighth position, up seven places from August.

Vidar is an infostealer designed to give threat actors backdoor access, enabling them to steal sensitive banking information, login credentials, IP addresses, browser history and crypto wallets from infected devices. The increase in its prevalence follows a malicious campaign whereby fake Zoom websites, such as zoomus[.]website and zoom-download[.]space, were used to lure innocent users into downloading the malware. Formbook, an infostealer targeting Windows OS, remains in first place.

Since the onset of the Russia-Ukraine war, we have continued to monitor the impact on cyberattacks in both countries. While the conflict intensifies, during September we noted a significant change in the ‘threat rank’ of many Eastern European countries. The threat rank represents how much an organization is being attacked in a specific country compared to the rest of the world. In September, Ukraine had jumped 26 places, Poland and Russia moved up 18 places each, and both Lithuania and Romania moved up 17 places, among others. All these countries are now among the top 25, with the biggest degradation in their ranking occurring in the past month.

As the war on the ground continues, so too does the war in cyberspace. It’s likely no coincidence that the threat ranks of these Eastern European countries increased this last month. All organizations are at risk and must shift to a prevent-first cybersecurity strategy before it’s too late. In terms of the most prevalent malwares in September, it’s interesting to see Vidar leap into the top ten after a long absence. Users of Zoom need to stay alert to fraudulent links as this is how the Vidar malware has been distributed lately. Always keep an eye out for inconsistencies or misspelled words in URLs. If it looks suspicious, it probably is.

We also revealed this month that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 43% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution” which dropped from first place to second, with an impact of 42%. Education/Research remains in first place as the most attacked industry globally.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

This month, Formbook is still the most prevalent malware impacting 3% of organizations worldwide, followed by XMRig and AgentTesla which both impact 2% of organizations globally.

1. ↔ Formbook – FormBook is an Infostealer targeting Windows OS and was first detected in 2016. It is marketed as a Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes and can download and execute files according to orders from its C&C.
2. ↑ XMRig – XMRig is open-source CPU software used to mine Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victim’s devices.
3. ↓ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer. It is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
4. ↑ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and Evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
5. ↑ Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
6. ↑ SnakeKeylogger – Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020; Its primary functionality is to record users keystrokes and transmit collected data to the threat actors. Snake infections pose a major threat to users’ privacy and online safety, as the malware can steal virtually all kinds of sensitive information and it is a particularly evasive and persistent keylogger.
7. ↑ Phorpiex – Phorpiex is a botnet (aka Trik) has been since 2010 and at its peak controlled more than a million infected hosts. Known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
8. ↑ Vidar – Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.
9. ↓ NJRat – NJRat is a remote accesses Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan has first emerged on 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
10. ↑ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windowss UAC security and execute malware with high-level privileges.

Top Attacked Industries Globally

This month the Education/Research sector remains in first place as the most attacked industry globally, followed by Government/Military and Healthcare.

1. Education/Research

1. Government/Military
2. Healthcare

Top Exploited Vulnerabilities

This month, “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 42.7% of organizations globally. It is followed by “Apache Log4j Remote Code Execution” which dropped from first place to second and impacts 42% of organizations. “Command Injection Over HTTP” jumps into third place, with a global impact of 40%.

1. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
2. ↓ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
3. ↑ Command Injection Over HTTP (CVE-2021-43936,CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
4. ↔ HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
5. ↓ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – There exists a directory traversal vulnerability On different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
6. ↑ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request
7. ↑ PHP Easter Egg Information Disclosure – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
8. ↓ PHPUnit Command Injection (CVE-2017-9841) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.
9. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
10. ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.

Top Mobile Malwares

This month, Anubis jumped into first place as the most widespread Mobile malware, followed by Hydra and Joker.

1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger and audio recording capabilities as well as various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
2. Hydra – Hydra is a banking Trojan designed to steal finance credentials by requesting victims to enable dangerous permissions.
3. Joker – An Android Spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware can also sign the victim up for paid premium services without their consent or knowledge.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, The Intelligence & Research Arm of Check Point Software Technologies.