May 2024’s Most Wanted Malware: Phorpiex Botnet Unleashes Phishing Frenzy While LockBit3 Dominates Once Again
Researchers uncovered a campaign with Phorpiex botnet being used to spread ransomware through millions of phishing emails. Meanwhile, the Lockbit3 Ransomware group has rebounded after a short hiatus accounting for one-third of published ransomware attacks
Our latest Global Threat Index for May 2024 revealed that researchers had uncovered a malspam campaign orchestrated by the Phorpiex botnet. The millions of phishing emails sent contained LockBit Black – based on LockBit3 but unaffiliated with the Ransomware group. In an unrelated development, the actual LockBit3 ransomware-as-a-Service (RaaS) group surged in prevalence after a short hiatus following a global takedown by law enforcement, accounting for 33% of published attacks.
The original operators of the Phorpiex botnet shut down and sold the source code in August 2021. However, by December 2021, Check Point Research (CPR) discovered it had reemerged as a new variant called “Twizt”, operating in a decentralized peer-to-peer model. In April of this year, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) found evidence that Phorpiex botnet, which ranked sixth in last month’s threat index, were being used to send millions of phishing emails as part of a LockBit3 ransomware campaign. These emails carried ZIP attachments that, when the deceptive .doc.scr files within were executed, triggered the ransomware encryption process. The campaign used over 1,500 unique IP addresses, primarily from Kazakhstan, Uzbekistan, Iran, Russia, and China.
Meanwhile, the Check Point Threat Index highlights insights from “shame sites” run by double-extortion ransomware groups posting victim information to pressure non-paying targets. In May, LockBit3 reasserted its dominance, accounting for 33% of published attacks. They were followed by Inc. Ransom with 7% and Play with a detection rate of 5%. Inc. Ransom recently claimed responsibility for a major cyber incident that disrupted public services at Leicester City Council in the UK, allegedly stealing over 3 terabytes of data and causing a widespread system shutdown.
While law enforcement bodies managed to temporarily disrupt the LockBit3 cybergang by exposing one of its leaders and affiliates in addition to releasing over 7,000 LockBit decryption keys, it is still not enough for a complete takedown of the threat. It is not surprising to see them regroup and deploy new tactics to continue in their pursuits. Ransomware is one the most disruptive methods of attack employed by cybercriminals. Once they have infiltrated the network and extracted information, the options are limited for the target, especially if they cannot afford to pay the ransom demands. That is why organizations must be alert to the risks and prioritize preventative measures.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
FakeUpdates was the most prevalent malware last month with an impact of 7% worldwide organizations, followed by Androxgh0st with a global impact of 5%, and Qbot with a global impact of 3%.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- ↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting- the PHPUnit, Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- ↔ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
- ↑ CloudEye – CloudEye is a downloader that targets the Windows platform and is used to download and install malicious programs on victims’ computers.
- ↑ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
- ↔ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
- ↑ Glupteba – Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public Bitcoin lists, an integral browser stealer capability and a router exploiter.
- ↓ AsyncRat – AsyncRat is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
- ↓ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↓ NJRat – NJRat is a remote accesses Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan has first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
Top exploited vulnerabilities
Last month, “Command Injection Over HTTP” was the most exploited vulnerability, impacting 50% of organizations globally, followed by “Web Servers Malicious URL Directory Traversal” with 47%, followed by “Apache Log4j Remote Code Execution” at 46%.
- ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – There exists a directory traversal vulnerability On different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↓ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) –HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
- ↑ Apache HTTP Server Directory Traversal (CVE-2021-41773) – A directory traversal vulnerability exists in Apache HTTP Server. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.
- ↑ TP-Link Archer AX21 Command Injection (CVE-2023-1389) – A command injection vulnerability exists in TP-Link Archer AX21. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
- ↑ D-Link Multiple Products Command Injection (CVE-2024-3272) – A command injection vulnerability exists in multiple D-Link products. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
- ↑ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) – A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↓ Dasan GPON Router Authentication Bypass (CVE-2024-3273) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.
- ↓ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
Top Mobile Malwares
Last month, Anubis was in first place as the most prevalent Mobile malware, followed by AhMyth and Hydra.
- ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- ↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
- ↑ Hydra – Hydra is a banking Trojan designed to steal banking credentials by requesting victims to enable dangerous permissions and access each time the enter any banking app.
Top-Attacked Industries Globally
Last month, Education/Research remained in first place in the attacked industries globally, followed by Government/Military and Communications.
- Education/Research
- Government/Military
- Communications
Top Ransomware Groups
The following data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. LockBit3 was the most prevalent ransomware group last month, responsible for 33% of the published attacks, followed by Inc. Ransom with 7% and Play with 5%.
- LockBit3 – LockBit is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States. Despite experiencing significant outages in February 2024 due to law enforcement action, LockBit has resumed publishing information about its victims.
- Inc. Ransom – Inc. Ransom is a ransomware extortion operation that emerged in July 2023, performing spear-phishing attacks and targeting vulnerable services. The group’s main targets are organizations in North America and Europe across multiple sectors including healthcare, education, and government. Inc. ransomware payloads support multiple command-line arguments and uses partial encryption with a multi-threading approach.
- Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.