March 2024’s Most Wanted Malware: Hackers Discover New Infection Chain Method to Deliver Remcos
Researchers have discovered a new method of deploying the Remote Access Trojan (RAT) Remcos, bypassing common security measures to gain unauthorized access to victims’ devices. Meanwhile, Blackbasta entered the top three of the most wanted ransomware groups and Communications jumped into third place in the most exploited industries
Our latest Global Threat Index for March 2024 saw researchers reveal hackers utilizing Virtual Hard Disk (VHD) files to deploy Remote Access Trojan (RAT) Remcos. Meanwhile, Lockbit3 remained the most prevalent ransomware group in March despite the law enforcement takedown in February, although its frequency on the 200 Check Point monitored ransomware “shame sites” reduced from 20% to 12%.
Remcos is a known malware that has been seen in the wild since 2016. This latest campaign bypasses common security measures to give cybercriminals unauthorized access to victims’ devices. Despite its lawful origins to remotely managing Windows systems, cybercriminals soon began to capitalize on the tool’s capacity to infect devices, capture screenshots, log keystrokes and transmit gathered data to designated host servers. Moreover, the RAT has a mass mailer function that can enact distributions campaigns and overall, its various functions can be used to create botnets. Last month, it rose to fourth position on the top malware list from sixth place in February.
The evolution of attack tactics highlights the relentless advancement of cybercriminal strategies. This underscores the need for organizations to prioritize proactive cyber security measures. By staying vigilant, deploying robust endpoint protection, and fostering a culture of cyber security awareness, we can collectively fortify our defenses against evolving cyber threats.
Check Point’s Ransomware Index highlights insights fro ransomware “shame sites” run by double-extortion ransomware groups which posted victim information.Lockbit3 once again tops the ranking with 12% of published attacks, followed by Play at 10%, and Blackbasta at 9%. Entering the top three for the first time, Blackbasta, claimed responsibility for a recent cyberattack on the Scullion Law, a Scottish legal firm.
Last month, the top exploited vulnerability was “Web Servers Malicious URL Directory Traversal” affecting 50% of organizations globally, followed closely by “Command Injection Over HTTP,” with 48% and “HTTP Headers Remote Code Execution” with 43%.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
FakeUpdates was the most prevalent malware last month with an impact of 6% on worldwide organizations, followed by Qbot with a global impact of 3%, and Formbook with a global impact of 2%.
- ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- ↔ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
- ↔ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- ↑ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
- ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer which is capable of monitoring and collecting the victim’s keyboard input, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- ↓ AsyncRat – Asyncrat is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
- ↑ CloudEyE – CloudEye is a downloader that targets the Windows platform and is used to download and install malicious programs on victims’ computers.
- ↓ Nanocore – NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
- ↑ NJRat – NJRat is a remote accesses Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
- ↓Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
Top exploited vulnerabilities
Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 50% of organizations globally, followed by “Command Injection Over HTTP” with 48% and “HTTP Headers Remote Code Execution” at 43%.
- ↔ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) – There exists a directory traversal vulnerability On different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
- ↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- ↑ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) –HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
- ↓ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands in the affected system.
- ↔ Apache Struts2 Remote Code Execution (CVE-2017-5638) – A remote code execution vulnerability exists in Apache Struts2. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↑ WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access to the affected system.
- ↓ PHP Easter Egg Information Disclosure (CVE-2015-2051) – An information disclosure vulnerability has been reported in the PHP pages. The vulnerability is due to incorrect web server configuration. A remote attacker can exploit this vulnerability by sending a specially crafted URL to an affected PHP page.
- ↑ MVPower CCTV DVR Remote Code Execution (CVE-2016-20016) –A remote code execution vulnerability exists in MVPower CCTV DVR. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
- ↑ Dasan GPON Router Authentication Bypass (CVE-2012-5469) – A command injection vulnerability exists in PHPUnit. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary commands in the affected system.
- ↔ OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability, aka Heartbleed, is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose the memory contents of a connected client or server.
Top Mobile Malwares
Last month Anubis was in first place as the most prevalent Mobile malware, followed by AhMyth and Cerberus.
- ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- ↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
- ↑ Cerberus – First seen in the wild in June 2019, Cerberus is a Remote Access Trojan (RAT) with specific banking screen overlay functions for Android devices. Cerberus operates in a Malware as a Service (MaaS) model, taking the place of discontinued bankers like Anubis and Exobot. Its features include SMS control, key-logging, audio recording, location tracker, and more.
Top-Attacked Industries Globally
Last month Education/Research remained first place in the most attacked industries globally, followed by Government/Military and Communications.
- Education/Research
- Government/Military
- Communications
Top Ransomware Groups
This section features information derived from ransomware “shame sites” operated by double-extortion ransomware groups which posted the names and information of victims. The data from these shame sites carries its own biases, but still provides valuable insights into the ransomware ecosystem
Lockbit3 was the most prevalent ransomware group last month, responsible for 12% of the published attacks, followed by Play with 10% and Blackbasta with 9%.
- Lockbit3 – LockBit is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States. Despite experiencing significant outages in February 2024 due to law enforcement action, Lockbit has resumed publishing information about its victims.
- Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
- Blackbasta – BlackBasta ransomware was first observed in 2022 and operates as ransomware-as-a-service (RaaS). The threat actors behind it mostly targets organizations and individuals by exploiting RDP vulnerabilities and phishing emails to deliver the ransomware.