
Malware ranking September: Formbook marauds through German Windows devices

The Global Threat Index by Check Point for September 2024 shows a trend towards AI-driven malware and confirms the continued dominant threat of ransomware.

In September, the security researchers discovered that hackers allegedly used AI to develop a script that spreads the AsyncRAT malware, which now ranks 10th on the global top-malware list. The method involved HTML smuggling: a password-protected ZIP file containing malicious VBScript code was sent to trigger an infection chain on the victim’s device. The well-structured and commented code suggested AI involvement. Once fully executed, AsyncRAT is installed, allowing the attacker to record keystrokes, remotely control the infected device, and install additional malware. This discovery highlights the growing trend of cybercriminals with limited technical skills using artificial intelligence to create malware more easily.
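One way a mail gateway or SOC could triage HTML attachments for the smuggling pattern described above, as an added example that is not part of the Check Point report; the indicator regexes, the blob-length threshold and both sample documents are constructed for illustration:

```python
import re

# Base64 runs this long are unusual outside inline images and fonts (constructed threshold).
MIN_BLOB_LEN = 200

# Traits of the client-side decode-and-drop step that HTML smuggling relies on.
INDICATORS = {
    "atob": re.compile(r"\batob\s*\("),              # base64 decoded in the browser
    "blob": re.compile(r"new\s+Blob\s*\("),          # decoded bytes wrapped as a file
    "download": re.compile(r"\.download\s*=|\bdownload\s*=|msSaveOrOpenBlob"),
    "zip_magic": re.compile(r"UEsDB"),               # base64 prefix of a ZIP header ('PK\x03\x04')
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)


def score_html(html: str) -> dict:
    """Return which indicators fired; 'suspicious' requires a large blob that is
    decoded client-side and then handed to the browser as a file."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    hits["large_b64"] = bool(B64_BLOB.search(html))
    hits["suspicious"] = hits["large_b64"] and hits["atob"] and (hits["blob"] or hits["download"])
    return hits


# Constructed sample: a normal page with an inline base64 image and no client-side decoding.
BENIGN_HTML = (
    '<html><body><h1>Quarterly report</h1>'
    '<img src="data:image/png;base64,' + "A" * 300 + '"></body></html>'
)

# Constructed sample mimicking the smuggling step: an embedded blob is decoded
# with atob(), wrapped in a Blob and offered to the user as a ZIP download.
SUSPICIOUS_HTML = (
    '<html><body><script>'
    'var b = atob("UEsDB' + "A" * 300 + '");'
    'var f = new Blob([b], {type: "application/octet-stream"});'
    'var a = document.createElement("a"); a.href = URL.createObjectURL(f);'
    'a.download = "invoice.zip"; a.click();'
    '</script></body></html>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, score_html(doc))
```

The combination rule matters more than any single regex: a long base64 string alone is common in legitimate mail, so only the blob plus client-side decoding plus a file drop is flagged.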

Top malware in Germany

*The arrows refer to the change in ranking compared to the previous month.

↑ Formbook (21.2%)
FormBook is an infostealer that targets the Windows operating system and was first discovered in 2016. It is marketed on underground hacker forums as Malware as a Service (MaaS) because it has strong obfuscation techniques and is relatively inexpensive. FormBook collects login credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C’s instructions.

↔ Androxgh0st (4.6%)
Androxgh0st is a botnet that targets Windows, Mac and Linux platforms. To gain initial access, Androxgh0st exploits several security vulnerabilities, particularly in PHPUnit, the Laravel Framework and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, and the like. It uses Laravel files to collect the required information. There are different variants that search for different information.

↔ FakeUpdates (3.3%)
FakeUpdates (aka SocGholish) is a downloader written in JavaScript. It writes its payloads to disk before launching them. FakeUpdates has led to further system compromise by many additional malicious programs, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.

Top Mobile Malware

↔ Joker
An Android spyware in Google Play that steals SMS messages, contact lists and device information. Additionally, the malware silently signs the victim up for premium services on advertising websites.

↔ Anubis
Anubis is a banking Trojan malware designed for Android mobile phones. Since its discovery, it has gained additional features including Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities, and various ransomware capabilities. It has been discovered in hundreds of different applications available on the Google Store.

↑ Hiddad
Hiddad is an Android malware that repackages legitimate apps and then publishes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important security details built into the operating system.

Most active ransomware groups

The data is based on findings from ransomware “shame sites,” which are run by extortion groups that use ransomware and publish information about victims. RansomHub is the most widespread ransomware group this month, responsible for 17 percent of published attacks, followed by Play at 10 percent and Qilin at 5 percent.

RansomHub
RansomHub is a ransomware-as-a-service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. RansomHub appeared on underground cybercrime forums in early 2024 and quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux, and especially VMware ESXi environments. This malware is known to use sophisticated encryption methods.

Play
Play Ransomware, also known as PlayCrypt, is a ransomware that first appeared in June 2022. It has targeted a wide range of enterprises and critical infrastructure across North America, South America, and Europe, affecting approximately 300 facilities as of October 2023. Play Ransomware typically gains access to networks via compromised valid accounts or by exploiting unpatched vulnerabilities, for example in Fortinet SSL VPNs. Once inside the system, the operators use techniques such as living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.

Qilin
Qilin, also known as Agenda, is a ransomware-as-a-service criminal operation that works with partners to encrypt and exfiltrate data from compromised organizations and then demand a ransom. This ransomware variant was first discovered in July 2022 and is developed in Golang. Agenda is known for targeting large companies and high-value organizations, with a focus on the healthcare and education sectors. Qilin typically infiltrates its victims via phishing emails.

Most exploited vulnerabilities

↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086)
A command injection over HTTP vulnerability has been reported. An attacker can exploit this issue remotely by sending a specially crafted request to the victim. Successful exploitation would allow the attacker to execute arbitrary code on the target computer.

↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260)
There is a directory traversal vulnerability on various web servers. The vulnerability is due to an input validation flaw in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated, remote attackers to expose or access arbitrary files on the vulnerable server.
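The flaw this entry describes, shown as an added example that is not code from any of the listed products: unsafe_resolve() appends the request URI to the document root verbatim, while safe_resolve() decodes, canonicalises and confines the path to the root. The document root, function names and sample requests are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # constructed document root, no trailing slash


def unsafe_resolve(uri: str) -> str:
    """Vulnerable pattern: the request path is appended to the root unchanged,
    so '..' segments (encoded or not) walk out of the document root."""
    return DOC_ROOT + uri


def safe_resolve(uri: str, root: str = DOC_ROOT) -> Optional[str]:
    """Hardened resolver: returns the canonical file path, or None to reject."""
    # Decode twice so double-encoded sequences such as %252e%252e are
    # normalised instead of slipping past a single-decode check.
    path = unquote(unquote(uri))
    # A file handler should never see the query string.
    path = path.split("?", 1)[0]
    # Several servers treat backslashes as separators; canonicalise them first.
    path = path.replace("\\", "/")
    if "\x00" in path:
        return None  # an embedded NUL can truncate the path in native code
    # Collapse '.', '..' and repeated slashes against the absolute root.
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Containment check: the result must be the root itself or live below it.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


# Constructed requests: one plain, one legitimate '..' that stays in root,
# and three traversal attempts (plain, URL-encoded, double-encoded).
REQUESTS = [
    "/index.html",
    "/static/../index.html",
    "/../../etc/passwd",
    "/images/..%2f..%2f..%2fetc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
]


def triage(requests=REQUESTS) -> dict:
    """Map each request to (naive path, hardened result) for side-by-side review."""
    return {r: (unsafe_resolve(r), safe_resolve(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, hardened) in triage().items():
        print(f"{req:40} naive={naive}  hardened={hardened}")
```

Note that the check is done on the normalised absolute path rather than by searching the raw URI for "..", which is exactly the pattern-matching approach the affected servers got wrong.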

↔ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375)
HTTP headers allow the client and server to pass additional information with an HTTP request. An attacker can use a vulnerable HTTP header to execute arbitrary code on the victim’s computer.
