Top Malware July 2023: Hackers target German utilities and transport companies

August 28, 2023

Check Point security researchers also point out that information theft is top of mind in Germany

Check Point® Software Technologies Ltd (NASDAQ: CHKP) has released its Global Threat Index for July 2023.

The top three most attacked industries in Germany changed completely compared to June: utilities came first in July, followed by transport and software providers.

Formbook landed in first place again this month. The infostealer is thus ahead of Guloader, which keeps second place. Qbot fell from first place in the previous month to third place in July. This puts three malware types that are designed primarily to steal information at the top of the ranking.

“This time of year is tailor-made for hackers. While many take advantage of the holidays, organisations have to cope with reduced or changed staffing, which can affect their ability to monitor threats and mitigate risks,” said Maya Horowitz, VP Research at Check Point Software Technologies. “Implementing automated and consolidated security processes can help organisations maintain their processes during the holiday season. To complement this, in-depth employee training is recommended.”

Top malware in Germany

*Arrows refer to the change in ranking compared to the previous month.

Formbook was the most prevalent malware last month with a 14 percent impact on German organisations, followed by Guloader with a national impact of 10 percent and Qbot with 5 percent.

1. ↑ Formbook – Formbook is an infostealer that targets the Windows operating system and was first discovered in 2016. It is marketed in underground hacking forums as malware-as-a-service (MaaS) because it has strong evasion techniques and a relatively low price. FormBook collects credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files when instructed to do so by its C&C.

2. ↔ Guloader – Guloader is a downloader that has been widely used since December 2019. When it first appeared, GuLoader was used to download Parallax RAT, but it has also been used for other remote access Trojans and infostealers such as Netwire, FormBook and Agent Tesla.

3. ↓ Qbot – Qbot, also known as Qakbot, is a multi-purpose malware that first appeared in 2008. It is designed to steal a user’s credentials, record keystrokes, steal browser cookies, spy on banking activity, and install additional malware. Qbot is often spread via spam emails and uses multiple anti-VM, anti-debugging and anti-sandbox techniques to make analysis more difficult and evade detection. As of 2022, it is one of the most widely distributed Trojans.

Top 3 vulnerabilities

Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability globally, affecting 49 per cent of organisations worldwide, followed by “Apache Log4j Remote Code Execution” at 45 per cent and “HTTP Headers Remote Code Execution” with a global impact of 42 per cent.

1. ↔ Web Server Malicious URL Directory Traversal – A directory traversal vulnerability exists on several web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitise the URI for directory traversal patterns. Successful exploitation allows unauthenticated attackers to disclose or access arbitrary files on the vulnerable server.
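The traversal class above comes down to a server trusting the request URI before it is decoded and normalised. The following is an added example, not code from Check Point or from any server named here, showing the defender's side: a request-path resolver that decodes the URI (including double encoding), refuses `..` segments and NUL bytes, and checks the final path against a hypothetical document root, plus a small detector that flags such requests in constructed access-log lines.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # hypothetical document root for this example


def decode_fully(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is exposed."""
    prev = None
    for _ in range(rounds):
        if uri == prev:
            break
        prev, uri = uri, unquote(uri)
    return uri


def request_path(uri: str) -> str:
    # Decoded path part only; backslashes count as separators on some servers.
    return decode_fully(uri.split("?", 1)[0]).replace("\\", "/")


def is_traversal_attempt(uri: str) -> bool:
    """True if any segment of the decoded request path is '..'."""
    return any(seg == ".." for seg in request_path(uri).split("/"))


def resolve_request_path(uri: str, root: str = DOC_ROOT):
    """Map a URI to a file under root, or None if the request must be refused."""
    path = request_path(uri)
    if "\x00" in path or is_traversal_attempt(uri):  # NUL truncation, '..' patterns
        return None
    normalised = posixpath.normpath("/" + path.lstrip("/"))  # collapse '.', '//'
    candidate = posixpath.join(root, normalised.lstrip("/"))
    # Defence in depth: the final path must still lie under the document root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def flag_traversal(log_lines):
    """Request paths from constructed common-log-format lines that look like traversal."""
    flagged = []
    for line in log_lines:
        quoted = line.split('"')        # the request line sits between the first quotes
        request = quoted[1].split(" ") if len(quoted) > 1 else []
        if len(request) > 1 and is_traversal_attempt(request[1]):
            flagged.append(request[1])
    return flagged


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [01/Jul/2023:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jul/2023:10:00:01 +0000] "GET /%252e%252e/etc/passwd HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jul/2023:10:00:02 +0000] "GET /img/..%5c..%5cconfig.txt HTTP/1.1" 404 0',
]
```

The decode rounds are capped, so the resolver's final root check is what actually holds the line; the log detector is for triage of the pattern, not a substitute for fixing the server.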

2. ↔ Apache Log4j Remote Code Execution (CVE-2021-44228) – A vulnerability exists in Apache Log4j allowing remote code execution. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

3. ↔ HTTP Header Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers allow the client and server to pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim machine.

Top 3 mobile malware

Last month, Anubis ranked first among the most prevalent mobile malware, followed by SpinOk and AhMyth.

1. ↑ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since its initial discovery, it has gained additional features including remote access Trojan (RAT), keylogger, audio recording capabilities and various ransomware features. It has been discovered in hundreds of different applications in the Google Store.

2. ↓ SpinOk – SpinOk is an Android software module that acts as spyware. It collects information about files stored on devices and is capable of forwarding them to malicious threat actors. The malicious module was found in more than 100 Android apps and had been downloaded more than 421,000,000 times by May 2023.

3. ↔ AhMyth – AhMyth is a remote access Trojan (RAT) that was discovered in 2017. It is spread via Android apps that can be found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, typically in order to steal sensitive information.

Top 3 industries and sectors attacked in Germany

1. ↑ Utilities

2. ↑ Transport

3. ↑ Software providers

Check Point’s Global Threat Impact Index and ThreatCloud Map are based on Check Point’s ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development division of Check Point Software Technologies.

For the full list of the top ten malware families in July, visit the Check Point blog.
