Check Point’s Threat Index highlights a shift in the Ransomware-as-a-Service (RaaS) landscape, with RansomHub surpassing LockBit3 to take top stop as the most prevalent group. Meanwhile, researchers identified a BadSpace Windows backdoor campaign spread via fake browser updates
Our latest Global Threat Index for June 2024 noted a shift in the Ransomware-as-a-Service (RaaS) landscape, with relative newcomer RansomHub unseating LockBit3 to become the most prevalent group according to publicized shame sites. Meanwhile, a Windows backdoor dubbed BadSpace was identified, involving infected WordPress websites and fake browser updates.
Last month, RansomHub became the most prevalent RaaS group after law enforcement action against LockBit3 in February caused it to lose loyalty among its affiliates. As a result, LockBit3 reported a record low of only 27 victims in April, followed by an unexplained high number in May of more than 170, and less than 20 in June, signaling its potential decline.
Many LockBit3 affiliates now use encryptors of other RaaS groups, leading to increased reports of victims by other threat actors. RansomHub, which first emerged in February 2024 and is reportedly a reincarnation of the Knight ransomware, saw a significant rise in June with nearly 80 new victims. Notably, only 25% of its published victims are from the USA, with significant numbers from Brazil, Italy, Spain, and the UK.
In other developments, researchers highlighted a recent FakeUpdates campaign (also known as SocGholish), which ranked as the most prevalent malware, now delivering a new backdoor called BadSpace. The proliferation of FakeUpdates has been facilitated through a third-party affiliate network, which redirects traffic from compromised websites to FakeUpdates landing pages. These pages then prompt users to download what appears to be a browser update. However, this download actually contains a JScript-based loader that subsequently downloads and executes the BadSpace backdoor. BadSpace employs sophisticated obfuscation and anti-sandbox techniques to avoid detection and maintains persistence through scheduled tasks. Its command-and-control communication is encrypted, making it difficult to intercept.
It appears that actions against LockBit3 have had the desired impact. However, as previously suggested, its decline only makes way for other groups to take control and continue their ransomware campaigns against organizations globally.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
FakeUpdates was the most prevalent malware this month with an impact of 7% worldwide organizations, followed by Androxgh0st with a global impact of 6%, and AgentTesla with a global impact of 3%.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malwares, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- ↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting- the PHPUnit, Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- ↓ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
- ↑ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↓ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
- ↓ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
- ↑ NJRat – NJRat is a remote accesses Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan has first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
- ↓ AsyncRat – Asyncrat is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
- ↓ Glupteba – Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
Top exploited vulnerabilities
- ↑ Check Point VPN Information Disclosure (CVE-2024-24919) – An information disclosure vulnerability was discovered in Check Point VPN. The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled.
- ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – There exists a directory traversal vulnerability On different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↑ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
- ↑ Apache HTTP Server Directory Traversal (CVE-2021-41773) – A directory traversal vulnerability exists in Apache HTTP Server. Successful exploitation of this vulnerability could allow an attacker to access arbitrary files on the affected system.
- ↑ TP-Link Archer AX21 Command Injection (CVE-2023-1389) – A command injection vulnerability exists in TP-Link Archer AX21. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
- ↓ Command Injection Over HTTP (CVE-2021-43936,CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ Dasan GPON Router Authentication Bypass (CVE-2024-3273) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.
- ↔ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) – A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↑ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
- ↓ D-Link Multiple Products Command Injection (CVE-2024-3272) – A command injection vulnerability exists in multiple D-Link products. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.
Top Mobile Malwares
Last month Joker was in first place as the most prevalent Mobile malware, followed by Anubis and AhMyth.
- ↑ Joker – An android Spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware signs the victim silently for premium services in advertisement websites.
- ↓ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- ↓ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
Top-Attacked Industries Globally
Last month, Education/Research remained in first place in the most attacked industries globally, followed by Government/Military and Healthcare.
- Education/Research
- Government/Military
- Healthcare
Top Ransomware Groups
The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. RansomHub was the most prevalent ransomware group last month, responsible for 21% of the published attacks, followed by Play with 8% and Akira with 5%.
- RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
- Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
- Akira – Akira Ransomware, first reported in the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.