Researchers recently identified a spike in attacks involving Androxgh0st, a botnet that targets Windows, Mac and Linux platforms, which jumped straight into second place in the top malware list. Meanwhile, LockBit3 narrowly remains the top ransomware group, despite a reduction in its prevalence.
Our latest Global Threat Index for April 2024 saw researchers reveal a significant increase in the use of Androxgh0st, a botnet used to steal sensitive information. Meanwhile, LockBit3 remained the most prevalent ransomware group in April, despite a 55% drop in its rate of detection since the beginning of the year, with its worldwide impact falling from 20% to 9%.
Researchers have been monitoring the activities of the Androxgh0st threat actor since its emergence in December 2022. Exploiting vulnerabilities such as CVE-2021-3129 and CVE-2024-1709, the attackers deploy web shells for remote control while focusing on building botnets for credential theft, as noted in a joint Cybersecurity Advisory (CSA) issued by the FBI and CISA. Notably, this malware operator has been associated with the distribution of Adhublika ransomware. Androxgh0st actors have shown a preference for exploiting vulnerabilities in Laravel applications to loot credentials for cloud-based services such as AWS, SendGrid and Twilio. Recent indications suggest a shift in focus towards constructing botnets for broader system exploitation.
Meanwhile, the Check Point Index highlights insights from “shame sites” run by double-extortion ransomware groups, which post victim information to pressure non-paying targets. LockBit3 once again tops the ranking with 9% of published attacks, followed by Play at 7% and 8Base at 6%. Re-entering the top three, 8Base recently claimed to have infiltrated the United Nations' IT systems and exfiltrated human resources and procurement information. While LockBit3 remains in first place, the group has experienced several setbacks. In February, its data leak site was seized as part of a multi-agency campaign dubbed Operation Cronos, and this month the same international law enforcement bodies published new details identifying 194 affiliates using LockBit3, along with the unmasking and sanctioning of the group's leader.
Our research has shown that the collective international efforts to disrupt LockBit3 appear to have been successful, reducing its worldwide impact by more than fifty percent since the start of 2024. Regardless of recent positive developments, organizations must continue to prioritize their cybersecurity by being proactive and strengthening network, endpoint, and email security. Implementing multi-layered defenses and establishing robust backup, recovery procedures, and incident response plans is still key to boosting cyber resilience.
Last month, the most exploited vulnerabilities globally were “Command Injection Over HTTP” and “Web Servers Malicious URL Directory Traversal”, each impacting 52% of organizations. These were followed by “HTTP Headers Remote Code Execution” with a global impact of 45%.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
FakeUpdates was the most prevalent malware last month, with an impact of 6% of organizations worldwide, followed by Androxgh0st with a global impact of 4% and Qbot with a global impact of 3%.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- ↑ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It parses Laravel configuration files (such as the application's .env file) to collect this information. It has different variants which scan for different information.
- ↓ Qbot – Qbot, AKA Qakbot, is a multipurpose malware that first appeared in 2008. It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Since 2022 it has been one of the most prevalent Trojans.
- ↓ FormBook – FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↑ CloudEyE – CloudEye is a downloader that targets the Windows platform and is used to download and install malicious programs on victims’ computers.
- ↑ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large-scale sextortion campaigns.
- ↓ AsyncRAT – AsyncRAT is a Trojan that targets the Windows platform. This malware sends system information about the targeted machine to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
- ↔ NanoCore – NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, cryptocurrency mining, remote control of the desktop and webcam session theft.
- ↔ NJRat – NJRat is a remote access Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
- ↓ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
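The Androxgh0st entry above, and the earlier paragraph on its Laravel credential theft, describe the botnet probing for exposed Laravel configuration files and for a PHPUnit remote code execution endpoint. What follows is an added example, not Check Point's code and not taken from the FBI/CISA advisory: a small Python scanner that reads web server access logs and flags those probes per source IP. The two request paths it matches (GET requests for .env files and POST requests to PHPUnit's eval-stdin.php) are the indicators described in the joint advisory referenced on this page; the regexes, the tag names, the Combined Log Format parser and the sample log lines are constructed for this example.

```python
"""Flag Androxgh0st-style probes in web server access logs.

Added example for this page, not Check Point's or CISA's code. The request
paths are the indicators from the joint FBI/CISA advisory on Androxgh0st;
the log lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict

# Combined Log Format (Apache/Nginx default): ip ident user [time] "req" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed patterns for the two documented probes: /.env (and /api/.env, /.env.bak ...)
# and the PHPUnit eval-stdin.php endpoint used for remote code execution.
ENV_PROBE = re.compile(r"(^|/)\.env(\.[\w.-]+)?$")
PHPUNIT_RCE = re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$")


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a tag for a suspicious request, or None for benign traffic."""
    path = entry["path"].split("?", 1)[0]
    if PHPUNIT_RCE.search(path):
        return "phpunit-eval-stdin"
    if ENV_PROBE.search(path):
        # A 200 on a .env request means the secrets were actually served, which
        # is the case that needs credential rotation, not just blocking.
        return "env-exposed" if entry["status"] == 200 else "env-probe"
    return None


def scan(lines):
    """Count tagged requests per source IP: {ip: {tag: count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            hits[entry["ip"]][tag] += 1
    return {ip: dict(tags) for ip, tags in hits.items()}


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196
203.0.113.7 - - [05/May/2024:10:01:03 +0000] "GET /api/.env HTTP/1.1" 404 196
203.0.113.7 - - [05/May/2024:10:01:04 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 52
198.51.100.9 - - [05/May/2024:10:02:11 +0000] "GET /.env HTTP/1.1" 200 1342
192.0.2.5 - - [05/May/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

Run it against a real access log with `scan(open("access.log"))`. The distinction between `env-probe` and `env-exposed` matters operationally: a 404 is noise from mass scanning, while a 200 means the keys in that file (AWS, SMTP, Twilio, SendGrid) should be treated as compromised and rotated.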
Top exploited vulnerabilities
Last month, “Command Injection Over HTTP” was the most exploited vulnerability, impacting 52% of organizations globally, followed by “Web Servers Malicious URL Directory Traversal”, also at 52%, and “HTTP Headers Remote Code Execution” with a global impact of 45%.
- ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability exists on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↑ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP header to run arbitrary code on the victim machine.
- ↓ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands on the affected system.
- ↑ Dasan GPON Router Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow unauthenticated remote attackers to execute arbitrary commands on the affected system.
- ↓ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
- ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability, aka Heartbleed, is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose the memory contents of a connected client or server.
- ↑ D-Link DNS Command Injection (CVE-2024-3273) – A command injection vulnerability exists in D-Link DNS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
- ↑ NETGEAR DGN Command Injection – A command injection vulnerability exists in NETGEAR DGN. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↔ Apache Struts2 Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
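The two entries at the top of this list, command injection over HTTP and URL directory traversal, are both failures to validate attacker-controlled request data before it reaches the filesystem or a shell. The Python below is an added example for this page, not code from any of the listed products or CVEs: for each class it puts a deliberately weak handler beside a hardened one. The web root, the sample URIs, the host-name allowlist and the `ping` wrapper are assumptions made for the demo. One caveat a real server must add: after the containment check shown here, resolve the path with `os.path.realpath` so a symlink inside the web root cannot point outside it.

```python
"""Directory traversal and command injection: weak handler beside hardened one.

Added example for this page, not code from any listed product or CVE.
WEBROOT, the sample URIs and the host allowlist are assumptions for the demo.
"""
import posixpath
import re
import subprocess
from urllib.parse import unquote

WEBROOT = "/var/www/html"   # assumed document root


# --- directory traversal ----------------------------------------------------

def resolve_vulnerable(uri):
    """Defect: strips the literal '../' once and trusts the result.
    '/....//etc/passwd' becomes '/../etc/passwd' after the strip, and a
    percent-encoded '..%2f' is never decoded at all; both escape WEBROOT."""
    return WEBROOT + uri.replace("../", "")


def resolve_hardened(uri, max_decodes=2):
    """Decode a bounded number of times, refuse NUL bytes and leftover encoding,
    then walk the segments with a stack so any attempt to climb above WEBROOT
    is rejected rather than silently clamped. Returns the path or None."""
    path = uri.split("?", 1)[0]
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path or "\x00" in path:
        return None                       # still encoded after max_decodes, or NUL
    stack = []
    for seg in path.replace("\\", "/").split("/"):   # fold IIS-style separators too
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None               # would climb above the web root
            stack.pop()
        else:
            stack.append(seg)
    return posixpath.join(WEBROOT, *stack)


# --- command injection ------------------------------------------------------

# Assumed allowlist: hostnames / IPv4 literals, no leading '-' (option injection).
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def shell_command_vulnerable(host):
    """Defect: the string a handler using subprocess.run(..., shell=True) would
    hand to /bin/sh. For '127.0.0.1; id' the shell also runs `id`."""
    return "ping -c 1 " + host


def is_valid_host(host):
    return bool(HOST_RE.match(host))


def build_ping_argv(host):
    """Hardened: validate against the allowlist, then pass a separate argv with
    no shell, so metacharacters and extra options cannot change what runs."""
    if not is_valid_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    for uri in ("/index.html", "/img/../index.html", "/../../etc/passwd",
                "/..%2f..%2fetc/passwd", "/%252e%252e/etc/passwd", "/a/%00.php"):
        print("%-28s weak=%-36s hardened=%s"
              % (uri, resolve_vulnerable(uri), resolve_hardened(uri)))
    for host in ("example.com", "127.0.0.1; id", "-c 100000 example.com"):
        print("%-24s weak shell line=%r" % (host, shell_command_vulnerable(host)))
        try:
            subprocess.run(build_ping_argv(host), check=False)   # argv, no shell
        except (ValueError, FileNotFoundError) as exc:
            print("  hardened: rejected (%s)" % exc)
```

The hardened resolver returns `None` for a traversal attempt instead of clamping it to the web root on purpose: the request is evidence of scanning and should produce a 400 and a log line, not a quiet 404. Bounding the number of decode rounds and refusing anything still encoded afterwards is what stops the double-encoded `%252e%252e` variants that slip past single-decode filters.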
Top Mobile Malwares
Last month Anubis remained in first place among the most prevalent mobile malware, followed by AhMyth and Hiddad.
- ↔ Anubis – Anubis is a banking Trojan designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been detected in hundreds of different applications available in the Google Play Store.
- ↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
- ↑ Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
Top-Attacked Industries Globally
Last month Education/Research remained in first place among the most attacked industries globally, followed by Government/Military and Healthcare.
- Education/Research
- Government/Military
- Healthcare
Top Ransomware Groups
The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. LockBit3 was the most prevalent ransomware group last month, responsible for 9% of the published attacks, followed by Play with 7% and 8Base with 6%.
- LockBit3 – LockBit is a ransomware operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States. Despite experiencing significant outages in February 2024 due to law enforcement action, LockBit3 has resumed publishing information about its victims.
- Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
- 8Base – The 8Base threat group is a ransomware gang that has been active since at least March 2022. It gained significant notoriety in mid-2023 due to a notable increase in its activities. This group has been observed using a variety of ransomware variants, with Phobos being a common element. 8Base operates with a level of sophistication, evidenced by its use of advanced techniques in its ransomware. The group's methods include double extortion tactics.