October’s Most Wanted Malware: AgentTesla Knocks Formbook off Top Spot and New Text4Shell Vulnerability Disclosed

Check Point Research reports a significant increase in Lokibot attacks in October, taking it to third place for the first time in five months. New vulnerability, Text4Shell, was disclosed for the first time, and AgentTesla took the top spot as the most prevalent malware

Our latest Global Threat Index for October 2022 reports that keylogger AgentTesla has taken first place as the most widespread malware, impacting 7% of organizations worldwide. There was a significant increase in the number of attacks from the infostealer Lokibot, which reached the third spot for the first time in five months. Also, a new vulnerability, Text4Shell, affecting the Apache Commons Text library, was disclosed.

Lokibot is a commodity infostealer that is designed to harvest credentials from a variety of applications including: web browsers, email clients and IT administration tools. As a trojan, its goal is to sneak, undetected onto a system by masquerading as a legitimate program. It can be distributed through phishing emails, malicious websites, SMS, and other messaging platforms. This rise in popularity can be explained by the increase in spam campaigns themed around online inquiries, orders and payment confirmation messages.

October also saw disclosure of a new critical vulnerability, Text4Shell, (CVE-2022-42889). Based on the Apache Commons Text’s functionality, this allows attacks over a network, without the need for any specific privileges or user interaction. Text4shell is reminiscent of the Log4Shell vulnerability, which is still one year on, one of the major threats, ranking at number two in the October list. Although Text4Shell did not make the list of top vulnerabilities exploited this month, it has already impacted over 8% of organizations worldwide and Check Point will continue to monitor its impact.

We saw a lot of change in the rankings this month, with a new set of malware families making up the big three. It is interesting that Lokibot has climbed back to the third spot so quickly, which shows an increasing trend towards phishing attacks. As we head into November, which is a busy buying period, it is important that people remain vigilant and keep an eye out for suspicious emails that could be carrying malicious code. Be aware of signs such as an unfamiliar sender, request for personal information and links. If in doubt, visit websites directly and find the appropriate contact information from verified sources, and make sure you have malware protection installed.

Our research also revealed that “Web Server Exposed Git Repository Information Disclosure” is the most common exploited vulnerability, impacting 43% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution”, with an impact of 41%. October also saw Education/Research remain in first place as the most attacked industry globally.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

AgentTesla was the most widespread malware this month impacting 7% of organizations worldwide, followed by SnakeKeylogger affecting 5% and Lokibot with an impact of 4%.

1. ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer. It is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook).
2. ↑ SnakeKeylogger – SnakeKeylogger is a modular .NET keylogger and credential stealer first spotted in November 2020. Its primary function is to record the user’s keystrokes and transmit collected data to threat actors. It poses a major threat to a user’s online safety as this malware can steal all kinds of sensitive information and is particularly evasive.
3. ↑Lokibot – Lokibot is an Infostealer distributed mainly by phishing emails and is used to steal various data such as email credentials, as well as passwords to Crypto Coin wallets and FTP servers.
4. ↑Icedid – IcedID is a banking Trojan that first emerged in September 2017. It spreads by mail spam campaigns and often uses other malware like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography. It steals user financial data via both redirection attacks (by installing a local proxy to redirect users to fake-cloned sites) and web injection attacks.
5. ↓ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victim’s devices.
6. ↓ Emotet- Emotet is an advanced, self-propagate and modular Trojan. Emotet once used as a banking Trojan, is now also used as a distributer to other malware or malicious campaigns. It uses multiple evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
7. ↓ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
8. ↓ Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including for banking applications as well as corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
9. ↓ Vidar- Vidar is an Infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.
10. ↔ Remcos– Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.

Top Attacked Industries Globally

This month the Education/Research sector remains in first place as the most attacked industry globally, followed by Government/Military and Healthcare.

1. Education/Research
2. Government/Military
3. Healthcare

Top exploited vulnerabilities

“Web Server Exposed Git Repository Information Disclosure” remained the most commonly exploited vulnerability in October, impacting 43% of organizations globally. This is followed by “Apache Log4j Remote Code Execution” in second place with an impact of 41% and “HTTP Headers Remote Code Execution” taking the third spot with a global impact of 39%.

1. ↔ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.
2. ↔ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
3. ↑ HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with a HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim’s machine.
4. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – There exists a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URL for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files.
5. ↓ Command Injection Over HTTP (CVE-2021-43936,CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
6. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request
7. ↔ PHP Easter Egg Information Disclosure – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
8. ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469)- An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
9. ↔ Dasan GPON Router Authentication Bypass (CVE-2018-10561)- An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
10. ↓ PHPUnit Command Injection (CVE-2017-9841) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.

Top Mobile Malwares

This month, Anubis held onto first place as the most prevalent mobile malware, followed by Hydra and Joker.

1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger and audio recording capabilities as well as various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
2. Hydra – Hydra is a banking Trojan designed to steal finance credentials by requesting victims to enable dangerous permissions.
3. Joker – Joker is an Android spyware in Google Play, designed to steal SMS messages, contact lists and device information. The malware can also sign the victim up for paid premium services without their consent or knowledge.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, The intelligence and research Arm of Check Point Software Technologies.