Top malware of March 2024: Hackers exploit new infection chain method to spread Remcos

Corporate Information

industry

Just released

3434

collect

Introduction: Researchers have discovered a new method of deploying the Remote Access Trojan (RAT) Remcos, which bypasses common security measures and gains unauthorized access to victim devices.

April 2024, leading cloud AI cybersecurity platform provider Check Point® Software Technologies, Inc.(Nasdaq: CHKP) has released its March 2024 Global Threat Index report. Last month, researchers discovered that hackers were using virtual hard disk (VHD) files to deploy the remote access Trojan (RAT) Remcos.

Remcos is a known malware that first appeared in 2016.existIts latest attack activities, cybercriminals bypassed common security measures and gained unauthorized access to victim devices. Although the tool's original legitimate use was to remotely manage Windows systems, it was quickly used by cybercriminals to infect devices, take screenshots, log keystrokes, and transfer the collected data to designated host servers. In addition, the remote access Trojan RAT also has a mass mailing function and can carry out distribution attacks. Overall, its various features can be used to create botnets. Last month, it rose to fourth place on the list of top malware, up from sixth place in February.

Maya Horowitz, vice president of research at Check Point Software Technologies, said: “The evolution of attack methods illustrates the continuous escalation of cybercriminal tactics. This requires users to take proactive protective measures as soon as possible. By staying vigilant, deploying strong endpoint protection and promoting cybersecurity education, we We can work together to strengthen defenses and effectively defend against ever-changing cyber threats.”

The Check Point Ransomware Index report compiles insights gained from ransomware “shaming sites” run by dual extortion ransomware gangs, where attackers publish victim information. Lockbit3 once again ranks first, accounting for 12% of published attacks, followed by Play and Blackbasta, accounting for 10% and 9% respectively.Blackbasta, which has jumped into the top three for the first time, claims that it has no control over Scottish law firms. Scullion Law Responsible for recent cyber attacks.

Last month, “Web Server Malicious URL Directory Traversal Vulnerability” was the most commonly exploited vulnerability, affecting 50% of organizations worldwide, followed by “HTTP Payload Command Line Injection” and “HTTP Header Remote Code Execution” , affecting 48% and 43% of global institutions respectively.

Top Malware Families

*Arrows indicate ranking changes compared to the previous month.

FakeUpdates was the most prevalent malware last month, affecting 6% of organizations globally, followed by Qbot and Formbook at 3% and 2% respectively.

↔ FakeUpdates – FakeUpdates (aka SocGholish) is a downloader written in JavaScript. It writes the payload to disk before launching it. FakeUpdates cause further damage via a host of other malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.

↔ Qbot – Qbot (aka Qakbot) is a multipurpose malware that first appeared in 2008 and is designed to steal user credentials, log keystrokes, steal cookies from browsers, spy on users' banking operations, and deploy more malicious software. Qbot is usually spread through spam emails and uses a variety of anti-VM, anti-debugging and anti-sandboxing methods to hinder analysis and evade detection. Starting in 2022, it became one of the most rampant Trojans.

↔ Formbook – Formbook is an information-stealing program that targets Windows operating systems and was first discovered in 2016. Due to its powerful evasion techniques and relatively low price, it is sold as malware-as-a-service (MaaS) in underground hacking forums. Formbook can obtain credentials from various web browsers, collect screenshots, monitor and log keystrokes, and download and execute files following its C&C commands.

Most commonly exploited vulnerabilities

Last month, “Web Server Malicious URL Directory Traversal Vulnerability” remained the most commonly exploited vulnerability, affecting 50% of organizations worldwide. This was followed by “HTTP payload command line injection” and “HTTP header remote code execution”, which affected 48% and 43% of organizations globally respectively.

↔ Web server malicious URL directory traversal vulnerability(CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE -2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – Directory traversal exists on different web servers loopholes. The vulnerability is due to an input validation error in the web server, which does not properly sanitize URIs for directory traversal mode. An unauthenticated, remote attacker could exploit the vulnerability to exfiltrate or access arbitrary files on the vulnerable server.

↔ HTTP payload command line injection(CVE-2021-43936, CVE-2022-24086) – An HTTP payload command line injection vulnerability has been discovered. A remote attacker could exploit this vulnerability by sending a specially crafted request to the victim. An attacker could exploit this vulnerability to execute arbitrary code on the target computer.

↑ HTTP header remote code execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-1375) – HTTP headers allow clients and servers to pass additional information with HTTP requests. A remote attacker could use a vulnerable HTTP header to run arbitrary code on a compromised machine.

Major mobile malware

Last month, Anubis topped the list of the most prevalent mobile malware, followed by AhMyth and Cerberus.

↔ Anubis – Anubis is a banking Trojan malware designed specifically for Android phones. Since its initial detection, it has acquired additional capabilities, including remote access trojan (RAT) capabilities, keylogger, recording capabilities, and various ransomware features. This banking Trojan has been detected in hundreds of different apps available on the Google Play Store.

↔ AhMyth – AhMyth is a remote access Trojan (RAT) discovered in 2017 that spreads through Android apps on app stores and various websites. When users install these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, screenshots, sending text messages, and activating the camera, which are often used to steal sensitive information.

↑ Cerberus – Cerberus It is a remote access Trojan (RAT) that first appeared in June 2019 and has specific banking interface override capabilities for Android devices. It operates in a malware-as-a-service (MaaS) model, replacing discontinued banking Trojans such as Anubis and Exobot, and features SMS control, keystroke logging, recording, location tracker, and more.

Major ransomware gangs

The information provided in this section comes from ransomware “shaming sites” operated by dual ransomware gangs that publish victim names and information. The data from these shaming sites is inherently biased, but can still provide valuable information about the ransomware ecosystem.

Last month, LockBit3 was the most prolific ransomware group, accounting for 12% of published attacks, followed by Play and Blackbasta, accounting for 10% and 9% respectively.

LockBit3 – LockBit3 is a ransomware that operates in a RaaS model and was first discovered in September 2019. It mainly targets large enterprises and government agencies in various countries and regions. After being seized as a result of a law enforcement action in February 2024, LockBit3 has resumed publishing victim information.

Play – Play ransomware, also known as PlayCrypt, this ransomware gang first appeared in June 2022. This ransomware targets numerous businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play ransomware typically breaks into networks through stolen valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPN. Once successful, it uses various means such as off-the-ground attack binaries (LOLBins) to perform tasks such as data exfiltration and credential theft.

Blackbasta – BlackBasta ransomware was first discovered in 2022 and operates in a ransomware-as-a-service (RaaS) model. The attackers behind the scenes mostly use RDP vulnerabilities and phishing emails to spread ransomware to organizations and individuals.