November 2022’s Most Wanted Malware: A Month of Comebacks for Trojans as Emotet and Qbot Make an Impact

Check Point Research reports that Emotet has returned after a quiet summer, now the second most prevalent malware globally. Qbot has also made it back into the index for the first time since 2021, while the Education sector remains under attack

Our latest Global Threat Index for November saw the return of Emotet, an ambitious Trojan malware that took a short-lived break over the summer period. Qbot moved into third place for the first time since July 2021, with a global impact of 4%, and there was a notable increase in Raspberry Robin attacks, a sophisticated worm that typically uses malicious USB drives to infect machines.

In July 2022, we reported a significant decrease in Emotet’s global impact and activity, suspecting its absence would only be temporary. As predicted, the self-propagating Trojan is climbing the index again, reaching second place among the most widespread malware in November with a 4% impact on organizations globally. While Emotet began as a banking Trojan, its modular design has allowed it to evolve into a distributor for other types of malware, and it is commonly spread through phishing campaigns. Emotet’s increased prevalence can be partially attributed to a series of new malspam campaigns launched in November that are designed to distribute IcedID banking Trojan payloads.

Also, for the first time since July 2021, Qbot, a banking Trojan that steals banking credentials and keystrokes, reached the third spot on the top malware list with a global impact of 4%. The threat actors behind the malware are financially motivated cybercriminals who steal financial data, banking credentials and web browser information from the systems they compromise. Once Qbot operators succeed in infecting a system, they install a backdoor to grant access to ransomware operators, leading to double extortion attacks. November saw Qbot leveraging a Windows zero-day vulnerability to give threat actors full access to infected networks.

November also saw an increase in Raspberry Robin, a sophisticated worm that uses malicious USB drives containing Windows shortcut files that appear legitimate but in fact infect a victim’s machine. Microsoft found it had evolved from a widely distributed worm into an infection platform for distributing malware, linked to other malware families and to alternate infection methods beyond its original USB drive spread.

While these sophisticated malware families can lie dormant during quieter periods, the last few weeks are a stark reminder that they will not stay quiet for long. We cannot afford to become complacent, so it’s important that everyone remains vigilant when opening emails, clicking on links, visiting websites or sharing personal information.

Our index also revealed that “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations globally, closely followed by “Web Server Exposed Git Repository Information Disclosure” with an impact of 45%. November also saw Education/Research remain in first place as the most attacked industry globally.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

AgentTesla remains the most prevalent malware this month with an impact of 6% on organizations worldwide, followed by Emotet and Qbot, each with a global impact of 4%.

  1. ↔ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer. It is capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook).
  2. ↑ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet, once used as a banking Trojan, has recently been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  3. ↑ Qbot – Qbot AKA Qakbot is a banking Trojan that first appeared in 2008, designed to steal a user’s banking credentials and keystrokes. It is often distributed via spam emails and employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
  4. SnakeKeylogger – Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020. Its primary function is to record users’ keystrokes and transmit the collected data to threat actors. Snake infections pose a major threat to user privacy and online safety, as it can steal all kinds of sensitive information. It has also proven to be a particularly evasive and persistent keylogger.
  5. XMRig – XMRig is an open-source CPU mining software used to mine Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining.
  6. ↑ Formbook – Formbook is an infostealer targeting Windows OS that was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums and is known for its strong evasion techniques and relatively low price. Formbook can harvest credentials from various web browsers, collect screenshots, monitor and log keystrokes, and download and execute files according to orders from its C&C.
  7. IcedID – IcedID is a banking Trojan that first emerged in September 2017. It spreads via mail spam campaigns and often uses other malware like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography and steals user financial data via both redirection attacks (installing a local proxy to redirect users to fake cloned sites) and web injection attacks.
  8. Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank, corporate and social networking accounts. The Trojan uses both hardcoded domains as well as those generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
  9. ↑ Raspberry Robin – Raspberry Robin is a worm first discovered in September 2021, distributed via infected USB devices. The malware uses several legitimate Windows utilities to communicate with its C&C servers and execute malicious payloads.
  10. ↑ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.

Top Attacked Industries Globally

This month, Education/Research remains the most attacked industry globally, followed by Government/Military and then Healthcare.

  1. Education/Research
  2. Government/Military
  3. Healthcare

Top exploited vulnerabilities

This month, “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations globally, followed by “Web Server Exposed Git Repository Information Disclosure” with an impact of 45%. “HTTP Headers Remote Code Execution” is still the third most used vulnerability with a global impact of 42%.

  1. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
  2. ↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  3. ↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers let the client and server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim’s machine.
  4. ↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  5. ↑ Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
  6. ↔ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  7. ↔ PHP Easter Egg Information Disclosure – An information disclosure vulnerability has been reported in PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
  8. WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in the WordPress portable-phpMyAdmin plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
  9. ↑ PHPUnit Command Injection (CVE-2017-9841) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands on the affected system.
  10. ↓ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
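Three of the entries above (directory traversal, exposed Git repository, PHP Easter egg) are visible directly in web-server access logs, and the traversal entry specifically describes servers that do not properly sanitize the URI for traversal patterns. The following is an added example, not code from the report or from Check Point, showing how a defender can scan Common Log Format lines for those three request patterns. It percent-decodes the request target repeatedly so that double-encoded sequences (the case a server that decodes once and then validates tends to miss) are caught, only flags `..` when it is a whole path segment (so a file named `a..b` is not a false positive), and escalates a `.git` probe that received a 2xx response, since that means the repository really is exposed rather than merely probed. The sample log lines are constructed for the example, and the PHP Easter-egg query values are the publicly documented PHP ones, not values taken from the report.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: ip ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Publicly known PHP "easter egg" query values served when expose_php=On.
# Assumed from public PHP behaviour; the report itself lists no values.
PHP_EASTER_EGGS = (
    "PHPE9568F34-D428-11d2-A769-00AA001ACF42",  # PHP logo
    "PHPE9568F35-D428-11d2-A769-00AA001ACF42",  # Zend logo
    "PHPE9568F36-D428-11d2-A769-00AA001ACF42",  # PHP credits
    "PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000",  # PHP credits (older builds)
)

# Constructed sample access-log lines (not from the report).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [14/Nov/2022:10:01:05 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.12 - - [14/Nov/2022:10:01:09 +0000] "GET /images/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0
203.0.113.13 - - [14/Nov/2022:10:01:12 +0000] "GET /cgi-bin/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 0
203.0.113.14 - - [14/Nov/2022:10:01:20 +0000] "GET /.git/config HTTP/1.1" 200 143
203.0.113.15 - - [14/Nov/2022:10:01:25 +0000] "GET /index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2309
203.0.113.16 - - [14/Nov/2022:10:01:30 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 77
"""


def fully_decode(target, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).

    "%252e%252e%252f" becomes "%2e%2e%2f" after one pass and "../" after two,
    which is exactly what a decode-once-then-validate server fails to see.
    """
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def path_segments(path):
    """Split a path on both '/' and '\\' (some servers accept backslashes)."""
    return [seg for seg in re.split(r"[\\/]+", path) if seg]


def classify(target):
    """Return the set of tags describing why a request target looks hostile."""
    tags = set()
    parts = urlsplit(fully_decode(target))
    segments = path_segments(parts.path)
    if ".." in segments:              # whole-segment match only; "a..b" is fine
        tags.add("directory_traversal")
    if ".git" in segments:            # any request underneath a .git directory
        tags.add("git_repository_probe")
    if any(egg in parts.query for egg in PHP_EASTER_EGGS):
        tags.add("php_easter_egg")
    return tags


def scan_log(text):
    """Parse CLF lines; return (ip, target, status, sorted tags) for hits.

    A 2xx answer to a .git probe means the repository is actually exposed,
    so it gets an extra tag a responder would want to triage first.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        status = int(m["status"])
        if "git_repository_probe" in tags and 200 <= status < 300:
            tags.add("git_repository_exposed")
        if tags:
            findings.append((m["ip"], m["target"], status, sorted(tags)))
    return findings


if __name__ == "__main__":
    for ip, target, status, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(tags)} {target}")
```

Run against a real access log, the `git_repository_exposed` tag is the one to act on immediately (block `/.git` at the web server and rotate any secrets the repository history contains); the traversal and Easter-egg hits are signals to confirm that the server normalizes decoded URIs and that `expose_php` is off.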

Top Mobile Malwares

This month Anubis remains the most prevalent Mobile malware, followed by Hydra and AlienBot.

  1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger and audio recording capabilities as well as various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
  2. Hydra – Hydra is a banking Trojan designed to steal finance credentials by requesting victims to enable dangerous permissions.
  3. AlienBot – AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credentials theft as well as SMS harvesting for 2FA bypass. Additional remote-control capabilities are provided using a TeamViewer module.

Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software Technologies.