September 2024’s Most Wanted Malware: Notable AI-Driven Techniques and Persistent RansomHub Threats

Check Point’s latest threat index emphasizes the shift towards AI-driven malware tactics in the current cyber landscape

Check Point’s Global Threat Index for September 2024 revealed its Global Threat Index for September 2024. The report highlights an interesting trend in the cybersecurity landscape, particularly the emergence of artificial intelligence (AI)-driven malware, alongside the ongoing dominance of ransomware threats.

This month, researchers discovered that threat actors likely used AI to develop a script that delivers AsyncRAT malware, which has now ranked 10th on the most prevalent malware list. The method involved HTML smuggling, where a password-protected ZIP file containing malicious VBScript code was sent to initiate an infection chain on the victim’s device. The well-structured and commented code suggested AI involvement. Once fully executed, AsyncRAT is installed, enabling the attacker to record keystrokes, remotely control the infected device, and deploy additional malware. This discovery highlights a growing trend of cybercriminals with limited technical skills using AI to create malware more easily.

The fact that threat actors have started utilizing generative AI as part of their attack infrastructure highlights the continuous evolution of cyber-attack tactics. Cybercriminals are increasingly leveraging available technologies to enhance their operations, making it essential for organizations to implement proactive security strategies, including advanced prevention methods and comprehensive training for their teams.

This month, Joker continues to be the most prevalent mobile malware, while RansomHub remains the leading ransomware group, both maintaining their positions from the previous month. These findings highlight the persistent threats posed by these malicious entities in the evolving cyber security landscape.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

FakeUpdates is the most prevalent malware this month with an impact of 7% worldwide organizations, followed by Androxgh0st with a global impact of 6%, and Formbook with a global impact of 4%.

1. ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
2. ↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting- the PHPUnit, Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
3. ↑ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
4. ↔ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
5. ↔  AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
6. ↓ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
7. ↑ Vidar- Vidar is an infostealer malware operating as malware-as-a-service that was first discovered in the wild in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. Additionally, the malware is used as a downloader for ransomware.
8. ↑ NJRat – NJRat is a remote accesses Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan has first emerged on 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
9. ↑ Glupteba – Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
10. ↑ AsyncRat – Asyncrat is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.

Top exploited vulnerabilities 

1. ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
2. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – There exists a directory traversal vulnerability On different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
3. ↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827,CVE-2020-10828,CVE-2020-1375) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.

Top Mobile Malwares

This month Joker in the 1^st place in the most prevalent Mobile malware, followed by Anubis and Hiddad.

1. ↔ Joker – An android Spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware signs the victim silently for premium services in advertisement websites.
2. ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
3. ↑ Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS. 

Top-Attacked Industries Globally

This month Education/Research remained in the 1st place in the attacked industries globally, followed by Government/Military and Healthcare.

1. Education/Research
2. Government/Military
3. Healthcare

Top Ransomware Groups

The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. RansomHub is the most prevalent ransomware group this month, responsible for 17% of the published attacks, followed by Play with 10% and Qilin with 5%.

3. RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
4. Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
5. Qilin – Qilin, also referred to as Agenda, is a ransomware-as-a-service criminal operation that collaborates with affiliates to encrypt and exfiltrate data from compromised organizations, subsequently demanding a ransom. This ransomware variant was first detected in July 2022 and is developed in Golang. Agenda is known for targeting large enterprises and high-value organizations, with a particular focus on the healthcare and education sectors. Qilin typically infiltrates victims via phishing emails containing malicious links to establish access to their networks and exfiltrate sensitive information. Once inside, Qilin usually moves laterally through the victim’s infrastructure, seeking critical data to encrypt.