Check Point Research (CPR) has published its latest Global Threat Index for January 2022, identifying the top 10 malware impacting Australians in January.
Since its recent return, Emotet has surged to the top spot, knocking Trickbot out of first place. The notorious botnet is mostly spread via phishing emails that contain malicious attachments or links. Its growth has been helped by the prevalence of Trickbot, which acts as a catalyst and spreads the malware even further.
Top 10 malware impacting Australia for January (each percentage is the share of Australian cyber incident cases impacted by that specific malware):
- Emotet, ↑ 4.33%
Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan and currently distributes other malware or malicious campaigns. Emotet uses multiple methods to maintain persistence and evasion techniques to avoid detection, and is spread via phishing spam emails containing malicious attachments or links.
- Formbook, ↑ 2.81%
FormBook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files on command from its C&C server.
- Trickbot, ↓ 1.99%
Trickbot is a modular banking Trojan attributed to the WizardSpider cybercrime gang. It is mostly delivered via spam campaigns or by other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network. Once a machine is infected, the threat actors behind this malware use this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organisation itself, prior to delivering a company-wide targeted ransomware attack.
- Remcos, ↑ 1.75%
Remcos is a RAT that first appeared in the wild in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows' UAC security control and execute malware with high-level privileges.
- Guloader, ↑ 0.82%
GuLoader is a downloader that has been widely used since December 2019. When it first appeared, GuLoader was used to download Parallax RAT, but it has since been applied to other remote access trojans and info-stealers such as Netwire, FormBook and Agent Tesla.
- Maze, ↔ 0.70%
Maze is ransomware discovered in mid-2019 and was the first ransomware to practise the double-extortion strategy: in addition to encrypting victims' data, Maze operators opened a dedicated webpage where they published sensitive data stolen from victims who refused to pay the ransom. Many other threat groups have since followed this strategy.
- Icedid, ↑ 0.70%
IcedID is a banking Trojan that first emerged in September 2017. It spreads via mail spam campaigns and often uses other malware such as Emotet to help it proliferate. IcedID uses evasive techniques such as process injection and steganography, and steals user financial data via both redirection attacks (installing a local proxy to redirect users to fake cloned sites) and web injection attacks.
- Vidar, ↑ 0.70%
Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and is used as a malware dropper to download GandCrab ransomware as its secondary payload.
- Wannacry, ↑ 0.58%
Wannacry is ransomware that was spread in a large-scale attack in May 2017, utilising a Windows SMB exploit called EternalBlue to propagate within and between networks. Wannacry's infection vector appears to be direct infection using SMB as the delivery method. The ransomware's code is loosely written, and it features a 'kill-switch' component: before encryption, Wannacry attempts to contact a certain pre-defined domain, and if that domain is active, the malware shuts down and encryption is prevented.
- AgentTesla, ↑ 0.58%
AgentTesla is an advanced RAT that functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, and can record screenshots and exfiltrate credentials for a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.
- FluBot, ↓ 0.58%
FluBot is Android malware distributed via phishing SMS messages (smishing), most often impersonating logistics delivery brands. Once the user clicks the link in the message, they are redirected to download a fake application containing FluBot. Once installed, the malware has various capabilities to harvest credentials and to support the smishing operation itself, including uploading the contact list and sending SMS messages to other phone numbers.
The malware families Maze, Icedid and Vidar were tied at sixth place, each impacting 0.70% of Australian cyber incident cases, while Wannacry, AgentTesla and FluBot were tied at ninth place, each impacting 0.58% of Australian cyber incident cases.