Top malware in April 2023: Qbot maintains pole position

May 15, 2023

Check Point Research uncovered an extensive malspam campaign for the Qbot Trojan, which ranked second in last month’s threat index. In Germany, retail and wholesale remain the most attacked sectors.

Check Point® Software Technologies Ltd, a leading provider of cybersecurity solutions, has released its Global Threat Index for April 2023.

The Qbot campaign, which emerged last month, uses a new delivery method in which targets are sent an email with an attachment containing protected PDF files. Once these are downloaded, the Qbot malware is installed on the device. Researchers found that the malspam was sent in multiple languages, meaning organisations around the world could be attacked. Last month also saw the return of Mirai, one of the most popular IoT malware families. Researchers discovered that Mirai exploited a new zero-day vulnerability (CVE-2023-1380) to attack TP-Link routers and add them to its botnet, which has been used for some of the most distributed DDoS attacks ever. This latest campaign follows a comprehensive report by Check Point Research (CPR) on the prevalence of IoT attacks.

There was also a change in the sectors affected by cyber attacks in Germany, although not in first place: retail and wholesale remains the most attacked sector there. However, ISP/MSP (software service providers) moved up to second place, while healthcare slipped to third place among the most attacked sectors in April. Attacks on healthcare facilities are well documented and some countries continue to be under constant attack. The sector remains a lucrative target for hackers, potentially giving them access to confidential patient data and payment information. This could have implications for pharmaceutical companies as it could lead to leaks of clinical trials or new drugs and devices.

“Cybercriminals are constantly working on new methods to circumvent restrictions, and these campaigns are further evidence of how malware adapts to survive. Qbot’s renewed campaign reminds us of the importance of establishing comprehensive cybersecurity and performing due diligence on an email’s origin and intent,” said Maya Horowitz, VP Research at Check Point Software.

Top malware in Germany

*The arrows refer to the change in ranking compared to the previous month.

1. ↔ Qbot – Qbot, also known as Qakbot, is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking information and keystrokes. Qbot is often spread via spam emails and uses several anti-VM, anti-debugging and anti-sandbox techniques to make it more difficult to analyse.

2. ↑ NanoCore – NanoCore is a remote access Trojan that targets users of Windows operating systems and was first observed in the wild in 2013. All versions of the RAT include basic plugins and features such as screen recording, cryptocurrency mining, remote desktop control and webcam session theft.

3. ↑ AgentTesla – AgentTesla is a sophisticated RAT that acts as a keylogger and password thief and has been active since 2014. AgentTesla can monitor and collect the victim’s keystrokes and clipboard, record screenshots, and exfiltrate credentials for a variety of software installed on the victim’s computer (including Google Chrome, Mozilla Firefox, and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.

Top 3 vulnerabilities:

Last month, Web Servers Malicious URL Directory Traversal was the most exploited vulnerability, affecting 48 per cent of organisations globally, followed by Apache Log4j Remote Code Execution at 44 per cent and HTTP Headers Remote Code Execution with a 43 per cent global impact.

↑ Web Servers Malicious URL Directory Traversal – A directory traversal vulnerability exists on several web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitise the URI for directory traversal patterns. Successful exploitation allows non-authenticated attackers to disclose or access arbitrary files on the vulnerable server.

↓ Apache Log4j Remote Code Execution (CVE-2021-44228) – A vulnerability exists in Apache Log4j that allows remote code execution. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

↓ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers allow the client and server to pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim’s machine.

Top 3 mobile malware

Last month, AhMyth was the most common mobile malware, followed by Anubis and Hiddad.

1. ↔ AhMyth – AhMyth is a remote access Trojan (RAT) that was discovered in 2017. It is spread via Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera.

2. ↔ Anubis – Anubis is a banking Trojan designed for Android phones. Since its initial discovery, it has gained additional features, including remote access Trojan (RAT), keylogger and audio recording capabilities, and various ransomware features. It has been detected in hundreds of different applications in the Google Store.

3. ↔ Hiddad – Hiddad is an Android malware that repackages legitimate apps and then publishes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important security details of the operating system.

Top 3 industries and sectors attacked in Germany:

1. ↔ Retail/wholesale

2. ↑ IT service providers/managed service providers (ISP/MSP)

3. ↓ Education/research

Check Point’s Global Threat Impact Index and ThreatCloud Map are based on Check Point’s ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development division of Check Point Software Technologies.
