February 2024’s Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign

Researchers uncovered a new campaign with FakeUpdates, also known as SocGolish, targeting and compromising WordPress websites with hacked admin accounts. Meanwhile, Play entered the top three of most wanted ransomware groups and education remained the most attacked sector worldwide

Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to infiltrate websites by utilizing altered editions of authentic WordPress plugins, and tricking individuals into downloading a Remote Access Trojan. Meanwhile, even following its takedown towards the end of February, Lockbit3 remained the most prevalent ransomware group, responsible for 20% of published attacks, and education continued to be the most impacted industry worldwide.

FakeUpdates, also known as SocGholish, has been operational since at least 2017, and uses JavaScript malware to target websites, especially those with content management systems. Often ranked the most prevalent malware in the Threat Index, the FakeUpdates malware aims to trick users into downloading malicious software and despite efforts to stop it, it remains a significant threat to website security and user data. This sophisticated malware variant has previously been associated with the Russian cybercrime group known as Evil Corp. Due to its downloader functionality, it is believed that the group monetizes the malware by selling access to the systems that it infects, leading to other malware infections if the group provides access to multiple customers.

Websites are the digital storefronts of our world, crucial for communication, commerce, and connection. Defending them from cyberthreats isn’t just about safeguarding code; it is about protecting our online presence and the essential functions of our interconnected society. If cybercriminals choose to use them as a vehicle to covertly spread malware, that could impact future revenue generation and the reputation of an organization. It is vital to put preventative measures in and adopt a culture of zero tolerance to ensure absolute protection from threats.

Check Point’s threat index also includes insights from around 200 ransomware “shame sites” run by double-extortion ransomware groups, 68 of which posted victim information this year to pressure non-paying targets. Lockbit3 once again took the lead last month accounting for 20% of those incidents reported, followed by Play at 8%, and 8base at 7%. Entering the top three for the first time, Play, claimed responsibility for a recent cyberattack on the city of Oakland.

Last month, the most exploited vulnerability was “Web Servers Malicious URL Directory Traversal,” impacting 51% of organizations globally, followed by “Command Injection Over HTTP,” and “Zyxel ZyWALL Command Injection” with 50% respectively.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

FakeUpdates was the most prevalent malware last month with an impact of 5% worldwide organizations, followed by Qbot with a global impact of 3%, and Formbook with a global impact of 2%.

1. ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
2. ↔ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
3. ↔ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
4. ↑ AsyncRat – AsyncRat is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
5. ↓ Nanocore – Nanocore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
6. ↔ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
7. ↑ Tofsee – Tofsee is a Trickler that targets the Windows platform. This malware attempts to download and execute additional malicious files on target systems. It may download and display an image file to a user to hide its true purpose.
8. ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer which is capable of monitoring and collecting the victim’s keyboard input, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
9. ↓ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
10. ↑ CloudEye – CloudEye is a downloader that targets the Windows platform and is used to download and install malicious programs on victims’ computers.

Top exploited vulnerabilities 

Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 51% of organizations globally, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection” with a global impact of 50% respectively.

1. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – There is a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
2. ↓ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
3. ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands in the effected system.
4. ↓ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375)-HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
5. ↑ Apache Struts2 Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
6. ↑ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
7. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
8. ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
9. ↑ D-Link Multiple Products Remote Code Execution (CVE-2015-2051) – A remote code execution vulnerability exists in multiple D-Link products. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
10. ↑ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability, aka Heartbleed, is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose the memory contents of a connected client or server.

Top Mobile Malwares

Last month Anubis remained in first place as the most prevalent Mobile malware, followed by AhMyth and Hydra.

1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
2. AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
3. Hydra – Hydra, a banking trojan that targets Android devices, was first discovered in 2019. By tricking users into enabling dangerous permissions on the mobile device, Hydra steals finance credentials.

Top-Attacked Industries Globally

This month Education/Research remained in the 1st place in the attacked industries globally, followed by Government/Military and Healthcare.

1. Education/Research
2. Government/Military
3. Healthcare

Top Ransomware Groups
This section features information derived from almost 200 ransomware “shame sites” operated by double-extortion ransomware groups, 68 of which posted the names and information of victims this year. Cybercriminals use these sites to amplify pressure on victims who do not pay the ransom immediately. The data from these shame sites carries its own biases but still provides valuable insights into the ransomware ecosystem, which is currently the number one risk to businesses.

Lockbit3 is the most prevalent ransomware group this month, responsible for 20% of the published attacks, followed by Play with 8%, and 8base with 7%.

1. Lockbit3 – LockBit3 is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States.
2. Play – Play is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.
3. 8base – The 8Base threat group is a ransomware gang that has been active since at least March 2022. It gained significant notoriety in mid-2023 due to a notable increase in its activities. This group has been observed using a variety of ransomware variants, with Phobos being a common element. 8Base operates with a level of sophistication, evidenced by their use of advanced techniques in their ransomware. The group’s methods include double extortion tactics.