Check Point Software Technologies, Inc.
Check Point announces the most active malware in December 2022: Formbook tops the ranking in Japan, impacting 25% of organizations and pulling away from second place
Globally, Qbot overtook Emotet to take the top spot, Glupteba entered the top 10 for the first time since July 2022, and Hiddad, an Android malware, has re-emerged. The concentration of attacks on the education and research sector continues.
Check Point Research (CPR), the threat intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cybersecurity solutions, has released its Global Threat Index for December 2022.
Formbook leads the pack at the top of the Japanese rankings
In December, Formbook topped the Japanese ranking, impacting 25% of domestic organizations, far ahead of second-placed Qbot at 6%. Formbook is an infostealer used for information gathering and identity theft. Qbot, a sophisticated Trojan that steals banking credentials and keystrokes, impacted 7% of organizations globally and overtook Emotet, which had made a comeback the previous month, to take first place in the global ranking. The blockchain-enabled Trojan botnet Glupteba entered the global top 10 for the first time since July 2022, in eighth place. Alongside the resurgence of the Android malware Hiddad, the education and research sector remains the most attacked industry globally.
Revived Glupteba and Hiddad
In December 2021, Google took large-scale action to disrupt the Glupteba operation (https://blog.google/threat-analysis-group/disrupting-glupteba-operation/); a year later, Glupteba is back in the global top ten. Also in December, Hiddad entered the top three mobile malware for the first time in 2022. Hiddad is ad-serving malware that targets Android devices. It repackages legitimate applications and publishes them on third-party app stores. Its main function is to display advertisements, but it can also gain access to key security details built into the operating system.
Maya Horowitz, VP of Research at Check Point, said:
“A salient feature of the latest CPR research is how often malware masquerades as legitimate software to allow hackers to gain unauthorized access to devices without arousing suspicion. It is important that you exercise due diligence when downloading software or applications or clicking on links, no matter how genuine they may appear.”
According to CPR, the most exploited vulnerability in December was “Web server exposed Git repository information disclosure,” affecting 46% of organizations worldwide. “Web server malicious URL directory traversal” was second with a 44% impact, followed by “HTTP command injection” with a 43% impact.
Top Active Malware Families in Japan
*Arrows indicate the change in ranking compared to the previous month; numbers in parentheses indicate the impact on domestic organizations. Formbook took the top spot in Japan, impacting 25% of domestic organizations. It had been climbing gradually, from 3rd place in October 2022 to 2nd in November, and its impact value jumped from 3% in November to 25% in December. Global leader Qbot stayed in second place in Japan, unchanged from last month, but its impact value doubled. Emotet, which ranked first in Japan last month, dropped to third.
↑ FormBook (25.08%) – FormBook is an infostealer targeting Windows. First detected in 2016, it is marketed as “Malware-as-a-Service” (MaaS) on hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files as instructed by its C&C (command and control) server.
↔ Qbot (6.12%) – Qbot, also known as Qakbot, is a banking Trojan first discovered in 2008 designed to steal banking credentials and keystrokes. It is often spread through spam emails and uses multiple techniques such as anti-VM (virtual machine), anti-debugging, and anti-sandboxing to thwart analysis and evade detection.
↓ Emotet (2.14%) – Emotet is a highly sophisticated, self-propagating modular Trojan. It was once used as a banking Trojan, but more recently it has been used to distribute other malware and malicious campaigns. Emotet uses multiple persistence and evasion techniques to avoid detection and is spread via phishing emails containing malicious attachments and links.
Top Globally Active Malware Families
*Arrows indicate the change in ranking compared to the previous month. Qbot overtook Emotet as the most prevalent malware in December, affecting 7% of organizations globally. Emotet came in second with a 4% impact and XMRig came in third with a 3% impact.
↑ Qbot – Qbot, also known as Qakbot, is a banking Trojan first discovered in 2008 designed to steal banking credentials and keystrokes. It is often spread through spam emails and uses multiple techniques such as anti-VM (virtual machine), anti-debugging, and anti-sandboxing to thwart analysis and evade detection.
↔ Emotet – Emotet is a highly sophisticated modular Trojan that self-propagates. It was once used as a banking Trojan, but more recently it has also been used to spread other malware and malicious campaigns. Emotet incorporates various means of persistence and evasion techniques to avoid detection and is spread via phishing emails containing malicious attachments and links.
↑ XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often embed this open-source software in their malware to mine illicitly on victims’ devices.
Most Attacked Industries Globally
The Education & Research sector continues to lead the list of most attacked industries globally. Government/Military was second and Healthcare third.
Top Vulnerabilities Exploited
In December, the most exploited vulnerability was “Web server exposed Git repository information disclosure”, affecting 46% of organizations worldwide. “Web server malicious URL directory traversal” was second with a 44% impact, and “HTTP command injection” was third with a 43% impact.
↑ Web server exposed Git repository information disclosure – An information disclosure vulnerability has been reported in Git repositories served by web servers: when a repository’s .git directory is reachable over HTTP, its contents can be retrieved by anyone. Successful exploitation can lead to the unintentional disclosure of account information contained in the repository.
↓ Web server malicious URL directory traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – Several web servers are vulnerable to directory traversal attacks. The flaw is an input validation error: the web server does not properly sanitize URIs containing directory traversal patterns. Successful exploitation allows an unauthenticated remote attacker to access arbitrary files on the vulnerable server and disclose their contents.
↑ HTTP command injection (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit it by sending a specially crafted request to the victim. Successful exploitation allows the attacker to execute arbitrary code on the victim’s machine.
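As an added example (not code from Check Point or from the original release), the following Python flags requests matching the two most-exploited issue classes above, probes for an exposed .git directory and directory traversal via crafted URLs, in web-server access logs, and checks whether a fetched /.git/HEAD body looks like a real Git HEAD file. The log lines, IP addresses and function names are constructed for illustration, and the detection is a generic heuristic, not Check Point’s signature logic.

```python
"""Added example (not Check Point's code): flag .git directory probes and
directory traversal attempts in web-server access logs, and sanity-check a
fetched /.git/HEAD body.  Log lines and addresses are constructed."""
import re
from urllib.parse import unquote

# Apache/nginx "combined"-style prefix: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
GIT_RE = re.compile(r'(^|/)\.git(/|$)')   # a path segment that is exactly ".git"


def decode(component: str) -> str:
    """Percent-decode repeatedly (catches %252e double encoding, up to 3 layers)
    and fold backslashes into slashes so a Windows-style '..\\' reads as '../'."""
    for _ in range(3):
        decoded = unquote(component)
        if decoded == component:
            break
        component = decoded
    return component.replace('\\', '/')


def escapes_root(path: str) -> bool:
    """Walk '/'-separated segments; True if '..' ever climbs above the web root.
    '/images/../css/x.css' stays inside the root and is not flagged."""
    depth = 0
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def traversal_candidates(target: str):
    """Yield the decoded URL path and every decoded query-string value, since
    traversal payloads also arrive in parameters (?file=../../etc/passwd)."""
    path, _, query = target.partition('?')
    yield decode(path)
    for pair in query.split('&'):
        if pair:
            yield decode(pair.partition('=')[2])


def classify(target: str) -> list:
    """Return the issue classes a single request target matches."""
    kinds = []
    if any(escapes_root(c) for c in traversal_candidates(target)):
        kinds.append('directory_traversal')
    if GIT_RE.search(decode(target.partition('?')[0])):
        kinds.append('git_probe')
    return kinds


def scan_log(lines):
    """Parse access-log lines; return (ip, target, status, kinds) for suspicious ones."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        kinds = classify(m['target'])
        if kinds:
            hits.append((m['ip'], m['target'], int(m['status']), kinds))
    return hits


def exposed_git_hits(hits):
    """A .git probe answered with 200 means the repository is actually being served."""
    return [h for h in hits if 'git_probe' in h[3] and h[2] == 200]


def looks_like_git_head(body: str) -> bool:
    """Check the body of GET /.git/HEAD: a real HEAD is 'ref: refs/heads/<branch>'
    or a 40-hex detached commit id, not an HTML error page."""
    body = body.strip()
    return body.startswith('ref: refs/') or re.fullmatch(r'[0-9a-f]{40}', body) is not None


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Dec/2022:10:01:12 +0900] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.7 - - [05/Dec/2022:10:01:13 +0900] "GET /.git/config HTTP/1.1" 200 137',
    '198.51.100.3 - - [05/Dec/2022:11:42:01 +0900] "GET /static/../../../../etc/passwd HTTP/1.1" 404 196',
    '198.51.100.3 - - [05/Dec/2022:11:42:02 +0900] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 196',
    '198.51.100.3 - - [05/Dec/2022:11:42:03 +0900] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337',
    '198.51.100.3 - - [05/Dec/2022:11:42:04 +0900] "GET /..\\..\\windows\\win.ini HTTP/1.1" 404 196',
    '192.0.2.10 - - [05/Dec/2022:12:00:00 +0900] "GET /images/../css/site.css HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Dec/2022:12:00:01 +0900] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == '__main__':
    for ip, target, status, kinds in scan_log(SAMPLE_LOG):
        print(f'{ip:14} {status} {",".join(kinds):20} {target}')
```

A .git probe answered with HTTP 200 is the actionable signal: it means the repository is being served, and the remedy is to deny access to /.git/ at the web server (or not to deploy the working copy at all) rather than to rely on detection. The traversal check resolves the path only after repeated percent-decoding, so double-encoded (%252e) and backslash variants are caught, while harmless in-root sequences such as /images/../css/ are not flagged.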
Top Mobile Malware
Anubis remained the most prevalent mobile malware in December. Hiddad emerged in second place, followed by AlienBot in third.
Anubis – Anubis is a banking Trojan designed to target Android devices. Since it was first detected, it has added many features, such as remote access Trojan (RAT) functionality, keylogger and audio recording, and various ransomware features. Anubis has been detected in hundreds of apps published on the Google Store.
Hiddad – Hiddad is malware for Android devices that repackages legitimate applications and publishes them on third-party app stores. Its main function is to display advertisements, but it can also access important security data built into the OS.
AlienBot – AlienBot is a banking Trojan for Android devices, sold underground as malware-as-a-service (MaaS). It supports keylogging, dynamic overlays for credential theft, and SMS harvesting to bypass 2FA (two-factor authentication). A TeamViewer module can be added to provide remote control of the device.
Check Point’s Global Threat Impact Index and ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence (https://www.checkpoint.com/infinity/threatcloud/). The full list of December’s top 10 malware families can be found on Check Point’s blog:
https://blog.checkpoint.com/2023/01/13/december-2022s-most-wanted-malware-glupteba-entering-top-ten-and-qbot-in-first-place/
This press release is based on the English-language blog post published on January 13, 2023 (US time): https://blog.checkpoint.com/2023/01/13/december-2022s-most-wanted-malware-glupteba-entering-top-ten-and-qbot-in-first-place/
About Check Point Research
Check Point Research provides the latest cyber threat intelligence to Check Point customers and the wider threat intelligence community. It collects and analyzes data on cyberattacks around the world stored in ThreatCloud (https://www.checkpoint.com/infinity/threatcloud/).
About Check Point
Check Point Software Technologies (https://www.checkpoint.com/) is a leading provider of cybersecurity solutions to organizations of all kinds, including government agencies and companies around the world. Each Check Point Infinity solution has industry-leading catch rates against all threats, including malware and ransomware, protecting businesses and public sector organizations from Gen 5 cyberattacks. Infinity consists of four pillars that deliver uncompromising security for enterprise environments and fifth-generation threat defense: Check Point Harmony for remote users, Check Point CloudGuard for automated cloud protection, Check Point Quantum for network perimeter protection, and Check Point Horizon, a prevention-first security operations suite. Check Point protects over 100,000 organizations of all sizes. Check Point Software Technologies Co., Ltd. (https://www.checkpoint.com/jp/), the wholly-owned Japanese subsidiary of Check Point Software Technologies, was established on October 1, 1997 and is based in Minato-ku, Tokyo.
Social media accounts
・Check Point Blog: https://blog.checkpoint.com
・Check Point Research Blog: https://research.checkpoint.com/
・YouTube: https://youtube.com/user/CPGlobal
・LinkedIn: https://www.linkedin.com/company/check-point-software-technologies/
・Twitter: https://twitter.com/checkpointjapan
Details about this release:
Check Point Software Technologies, Inc.