February 2023’s Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government

Rhea-AI Summary

Check Point Software Technologies (NASDAQ: CHKP) has released its Global Threat Index for February 2023, highlighting that Remcos Trojan was used in phishing attacks on Ukrainian government entities. This malware's resurgence marks its return to the top ten for the first time since December 2022. The report indicates a 44% drop in weekly attacks per organization, yet Ukraine remains a primary target for cybercriminals. The Education/Research sector is noted as the most attacked industry. Additionally, the most exploited vulnerabilities include 'Web Servers Malicious URL Directory Traversal' affecting 47% of organizations globally.

Positive

• Identified a decrease of 44% in weekly attacks per organization from October 2022 to February 2023.
• Remcos Trojan's return underscores the ongoing relevance of Check Point's cybersecurity intelligence.

Negative

• Ukrainian government entities continue to be major targets for cybercriminals, indicating ongoing security vulnerabilities.

Researchers report that Remcos Trojan was used by threat actors to target Ukrainian government entities through phishing attacks as part of wider cyberespionage operations. Meanwhile Formbook and Emotet returned to the top three most prevalent malware families, and Education/Research remained the most targeted industry

SAN CARLOS, Calif., March 09, 2023 (GLOBE NEWSWIRE) -- Check Point^® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cybersecurity solutions globally, has published its Global Threat Index for February 2023. Last month saw the Remcos Trojan return to the top ten list for the first time since December 2022 after it was reported being used by threat actors to target Ukranian government entities through phishing attacks. Meanwhile, Emotet Trojan and Formbook Infostealer climbed the ranking taking second and third place respectively, while Education/Research remained the most targeted industry.

Despite researchers identifying a 44% decrease in the average number of weekly attacks per organization between October 2022 and February 2023, Ukraine remains a popular target for cybercriminals, following the Russian invasion. In the most recent campaign, attackers impersonated Ukrtelecom JSC in a mass email distribution, using a malicious RAR attachment to spread the Remcos Trojan, which has returned to the top malware list for the first time since October 2022. Once installed, the tool opens a backdoor on the compromised system, allowing full access to the remote user for activities such as data exfiltration and command execution. The ongoing attacks are believed to be linked to cyberespionage operations due to the behavior patterns and offensive capabilities of the incidents.

“While there has been a decrease in the number of politically motivated attacks on Ukraine, they remain a battleground for cybercriminals. Hacktivism has typically been high on the agenda for threat actors since the Russo-Ukrainian war began and most have favored disruptive attack methods such as DDoS to garner the most publicity. However, the latest campaign used a more traditional route of attack, using phishing scams to obtain user information and extract data. It’s important that all organizations and government bodies follow safe security practices when receiving and opening emails. Do not download attachments without scanning the properties first. Avoid clicking on links within the body of the email and check the sender address for any abnormalities such as additional characters or misspellings,” said Maya Horowitz, VP Research at Check Point Software.

CPR also revealed that “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 47% of organizations globally. This was followed by “Web Server Exposed Git Repository Information Disclosure” which impacted 46% of organizations worldwide while “Apache Log4j Remote Code Execution” is the third most used vulnerability, with a global impact of 45%.

Top malware families
*The arrows relate to the change in rank compared to the previous month.
Qbot was the most prevalent malware last month with an impact of more than 7% on worldwide organizations respectively, followed by Formbook at 5% and Emotet with 4%.

1. ↔ Qbot – Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials or keystrokes and is often distributed via spam emails. Qbot employs several anti-VM, anti-debugging and anti-sandbox techniques to hinder analysis and evade detection.
   
   
2. ↑ FormBook – FormBook is an Infostealer targeting Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes and can download and execute files according to orders from its C&C.
   
   
3. ↑ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet used to be employed as a banking Trojan but has recently been used as a distributor to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
   

Top Attacked Industries Globally
Last month, Education/Research remained the most attacked industry globally, followed by Government/Military and then Healthcare.

1. Education/Research
2. Government/Military
3. Healthcare
   

Top exploited vulnerabilities
Last month “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 47% of organizations globally. This was followed by “Web Server Exposed Git Repository Information Disclosure” which impacted 46% of organizations worldwide while “Apache Log4j Remote Code Execution” is the third most used vulnerability, with a global impact of 45%.

1. ↑ Web Servers Malicious URL Directory Traversal – There exists a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
   
   
2. ↓ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
   
   
3. ↑ Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
   

Top Mobile Malwares
Last month Anubis remained the most prevalent mobile malware, followed by Hiddad and AhMyth.

1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
   
   
2. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
   
   
3. AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera.
   

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research Arm of Check Point Software Technologies.

The complete list of the top ten malware families in February can be found on the Check Point blog.

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch

About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cybersecurity solutions to corporate enterprises and governments globally. Check Point Infinity’s portfolio of solutions protects enterprises and public organizations from 5^th generation cyberattacks with an industry leading catch rate of malware, ransomware and other threats. Infinity comprises four core pillars delivering uncompromised security and generation V threat prevention across enterprise environments: Check Point Harmony, for remote users; Check Point CloudGuard, to automatically secure clouds; and Check Point Quantum, to protect network perimeters and datacenters, all controlled by the industry’s most comprehensive, intuitive unified security management; Check Point Horizon, a prevention-first security operations suite. Check Point protects over 100,000 organizations of all sizes.

MEDIA CONTACT:	INVESTOR CONTACT:
Emilie Beneitez Lefebvre	Kip E. Meintzer
Check Point Software Technologies	Check Point Software Technologies
press@checkpoint.com	ir@us.checkpoint.com

FAQ

What did Check Point's Global Threat Index reveal about malware in February 2023?

The report highlighted Remcos Trojan's resurgence in phishing attacks, particularly targeting Ukrainian government entities.

Which industry was the most attacked according to Check Point's February 2023 report?

The Education/Research industry remained the most attacked globally.

What was the most exploited vulnerability in February 2023?

The most exploited vulnerability was 'Web Servers Malicious URL Directory Traversal,' impacting 47% of organizations globally.

How much did weekly attacks decrease from October 2022 to February 2023?

There was a reported 44% decrease in the average number of weekly attacks per organization during that period.

What malware family was the most prevalent in Check Point's February 2023 report?

Qbot was identified as the most prevalent malware, affecting over 7% of organizations worldwide.