April 2022’s Most Wanted Malware: A Shake Up in the Index but Emotet is Still on Top

Rhea-AI Summary

Check Point Research has released its Global Threat Index for April 2022, highlighting significant malware activities. Emotet continues to dominate, affecting 6% of organizations, though its impact decreased from 10% in March. Formbook and Lokibot have now emerged as the second and sixth most prevalent malware, respectively. Notably, vulnerabilities like Spring4Shell are making headlines, impacting over 35% of organizations. The Education and Research sector remains the most targeted by cybercriminals.

Positive

• Emotet remains the most prevalent malware, impacting 6% of organizations, indicating robust threat detection capabilities.
• Formbook and Lokibot's rise in the malware index highlights the ongoing evolution of cyber threats, prompting increased awareness and security measures.

Negative

• Emotet's decrease from 10% to 6% indicates changing tactics among cybercriminals, possibly complicating detection efforts.
• Over 35% of organizations have already been impacted by vulnerabilities like Spring4Shell, suggesting a significant risk across the industry.

Check Point Research reports that April has seen a lot of activity from Formbook to Lokibot. This month also saw Spring4Shell make headlines, but it is not yet one of the most exploited vulnerabilities

SAN CARLOS, Calif., May 11, 2022 (GLOBE NEWSWIRE) -- Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for April 2022. Researchers report that Emotet, an advanced, self-propagating and modular Trojan, is still the most prevalent malware impacting 6% of organizations worldwide. Despite this, there has been movement for all other malwares in the list. Tofsee and Nanocore are out, and have been replaced by Formbook and Lokibot, now the second and sixth most prevalent malwares respectively.

Emotet’s higher score in March (10%) was mainly due to specific Easter themed scams but this month’s decrease could also be explained by Microsoft’s decision to disable specific macros associated with Office files, affecting the way that Emotet is usually delivered. In fact, there are reports that Emotet has a new delivery method; using phishing emails that contain a OneDrive URL. Emotet has many uses after it succeeds in bypassing a machine’s protections. Due to its sophisticated techniques of propagating and assimilation, Emotet also offers other malwares to cybercriminals on dark web forums including banking trojans, ransomwares, botnets, etc. As a result, once Emotet finds a breach, the consequences can vary depending on which malware was delivered after the breach was compromised.

Elsewhere in the index, Lokibot, an infostealer, has re-entered the list in sixth place after a high impact spam campaign delivering the malware via xlsx files made to look like legitimate invoices. This, and the rise of Formbook, have had a knock on effect on the position of other malwares with the advanced remote access trojan (RAT) AgentTesla, for example, dropping into third place from second.

At the end of March, critical vulnerabilities were found in Java Spring Framework, known as Spring4Shell, and since then, numerous threat actors have leveraged the threat to spread Mirai, this month’s ninth most prevalent malware.

“With the cyber threat landscape constantly evolving and with large corporations such as Microsoft influencing the parameters in which cybercriminals can operate, threat actors are having to become more creative in how they distribute malware, evident in the new delivery method now being employed by Emotet,” said Maya Horowitz, VP Research at Check Point. “In addition, this month we have witnessed the Spring4Shell vulnerability making headlines. Although it is not yet in the top ten list of vulnerabilities, it’s worth noting that over 35% of organizations worldwide have already been impacted by this threat in its first month alone, and so we expect to see it rise up the list in the coming months.”

CPR also revealed this month that Education & Research is still the most targeted industry by cybercriminals globally. “Web Server Exposed Git Repository Information Disclosure” is the most exploited vulnerability, impacting 46% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution”. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” shoots up the index, now in third place with a global impact of 45%.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

This month Emotet is still the most popular malware impacting 6% of organizations worldwide, closely followed by Formbook which impacts 3% of organizations and AgentTesla with a global impact of 2%.

1. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used as a banking Trojan, but recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
2. ↑ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors, and logs keystrokes, and can download and execute files according to orders from its C&C.
3. ↓ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook.)
   

Top Attacked Industries Globally

This month Education/Research is the most attacked industry globally, followed by Government/Military and Internet Service Providers & Managed Service Providers (ISP & MSP).

1. Education & Research
2. Government & Military
3. Internet Service Providers & Managed Service Providers (ISP & MSP)
   

 Top Exploited Vulnerabilities

This month “Web Server Exposed Git Repository Information Disclosure” is the most exploited vulnerability, impacting 46% of organizations globally, closely followed by “Apache Log4j Remote Code Execution” with a global impact of 46%. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” is now in third place in the top exploited vulnerabilities list, with a global impact of 45%.

1. ↑ Web Server Exposed Git Repository Information Disclosure- An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
2. ↓ Apache Log4j Remote Code Execution (CVE-2021-44228)- A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
3. ↑ Apache Struts ParametersInterceptor ClassLoader Security Bypass (CVE-2014-0094,CVE-2014-0112,CVE-2014-0113,CVE-2014-0114)- A security bypass vulnerability exists in Apache Struts. The vulnerability is due to inadequate validation of data processed by ParametersInterceptor allowing for manipulation of the ClassLoader. A remote attacker could exploit this vulnerability by providing a class parameter in a request.
   

Top Mobile Malwares

This month AlienBot is the most prevalent mobile malware, followed by FluBot and xHelper.

1. AlienBot - AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, at a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.
2. FluBot- FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list, as well as sending SMS messages to other phone numbers.
3. xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstalling itself in case it was uninstalled.
   

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, The Intelligence & Research Arm of Check Point Software Technologies.

The complete list of the top ten malware families in April can be found on the Check Point blog.

Follow Check Point Research via:
Blog: https://research.checkpoint.com/ 
Twitter: https://twitter.com/_cpresearch_ 

About Check Point Research 
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs. 

About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to corporate enterprises and governments globally. Check Point Infinity´s portfolio of solutions protects enterprises and public organizations from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and other threats. Infinity comprises three core pillars delivering uncompromised security and generation V threat prevention across enterprise environments: Check Point Harmony, for remote users; Check Point CloudGuard, to automatically secure clouds; and Check Point Quantum, to protect network perimeters and datacenters, all controlled by the industry’s most comprehensive, intuitive unified security management. Check Point protects over 100,000 organizations of all sizes.  

MEDIA CONTACT:		INVESTOR CONTACT:
Emilie Beneitez Lefebvre		Kip E. Meintzer
Check Point Software Technologies		Check Point Software Technologies
press@us.checkpoint.com		ir@us.checkpoint.com

 

FAQ

What is Check Point's Global Threat Index for April 2022?

It reports on malware activities and trends, highlighting Emotet as the most prevalent malware impacting 6% of organizations.

How has Emotet's prevalence changed from March to April 2022?

Emotet's impact decreased from 10% in March to 6% in April 2022.

Which industries are most targeted by cybercriminals according to the latest report?

The Education and Research sector is the most targeted, followed by Government/Military and Internet Service Providers.

What vulnerabilities are currently most exploited in the industry?

The most exploited vulnerabilities include Web Server Exposed Git Repository Information Disclosure and Apache Log4j Remote Code Execution.

What is the significance of the Spring4Shell vulnerability?

Over 35% of organizations have been impacted by Spring4Shell, indicating it is a significant risk in the current cyber landscape.