The most dangerous malware in November: Formbook 1st place

Malware hit list in November: Formbook in place

Share post

The most common malware in November 2023 is the infostealer Formbook and the most frequently attacked industry is ISP/MSP. Command Injection Over HTTP was the most commonly exploited vulnerability.

Check Point Software Technologies has released its November 2023 Global Threat Index:

Top malware in Germany

First place in Germany was achieved by Formbook. Formbook is an infostealer that targets the Windows operating system and was first discovered in 2016. It is marketed in underground hacker forums as Malware-as-a-Service (MaaS) because it has powerful evasion techniques and is relatively inexpensive. New additions include fake updates. Nanocore is in third place.

*The arrows refer to the change in ranking compared to the previous month.

1. ↑ Formbook – Formbook is an infostealer that targets the Windows operating system and was first discovered in 2016. It is marketed on underground hacking forums as Malware-as-a-Service (MaaS) due to its strong evasion techniques and relatively low price. Formbook collects credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files upon instruction from its C&C.

2. ↑ Fake updates – Fakeupdates (also known as SocGholish) is a downloader written in JavaScript that saves the payload to disk before executing it. Fake updates led to further infections through numerous additional malware such as GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult.

3. ↓ Nanocore – Nanocore is a remote access Trojan (RAT) targeting Windows operating system users and was first observed in 2013. All versions of the RAT include basic plugins and features such as screen recording, cryptocurrency mining, remote desktop control, and webcam session theft.

Top 3 vulnerabilities

Last month, Command Injection Over HTTP was the most exploited vulnerability, affecting 45 percent of organizations worldwide, followed by Web Servers Malicious URL Directory Traversal, affecting 42 percent of organizations worldwide. In third place was Zyxel ZyWALL Command Injection (CVE-2023-28771) with a global impact of 41 percent.

1. ↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) - A Command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. If successfully exploited, an attacker could execute arbitrary code on the target computer.

2. ↑ Web Server Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE -2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) - A directory traversal vulnerability exists different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URL for the directory traversal patterns. A successful exploitation allows unauthenticated attackers to disclose or access arbitrary files on the vulnerable server.

3. ↓ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. If this vulnerability is successfully exploited, remote attackers could execute arbitrary operating system commands on the affected system.

Top 3 Mobile Malware

Anubis was also the most common mobile malware last month, followed by AhMyth and this time SpinOk.

1. ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since its initial discovery, it has gained additional features including Remote Access Trojan (RAT), keylogger, audio recording capabilities, and various ransomware capabilities. It has been discovered in hundreds of different applications on the Google Store.

2. ↔ AhMyth – A AhMyth is a remote access trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found in app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which are typically used to steal sensitive information .

3. ↑ SpinOk – SpinOk is an Android software module that works like a spy program. It collects information about files stored on devices and can pass them on to malicious threat actors. The malicious module was found in more than 100 Android apps and had been downloaded more than 2023 times as of May 421.000.000.

Top 3 of the attacked sectors and areas in Germany

1. ↑ ISP/MSP

2. ↔ Healthcare

3. ↑Retail/Wholesale

Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development department of Check Point Software Technologies.

Go straight to the full list on


About check point

Check Point Software Technologies GmbH ( is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100.000 businesses of all sizes.


Matching articles on the topic

IT security: NIS-2 makes it a top priority

Only in a quarter of German companies do management take responsibility for IT security. Especially in smaller companies ➡ Read more

Cyber ​​attacks increase by 104 percent in 2023

A cybersecurity company has taken a look at last year's threat landscape. The results provide crucial insights into ➡ Read more

Mobile spyware poses a threat to businesses

More and more people are using mobile devices both in everyday life and in companies. This also reduces the risk of “mobile ➡ Read more

Crowdsourced security pinpoints many vulnerabilities

Crowdsourced security has increased significantly in the last year. In the public sector, 151 percent more vulnerabilities were reported than in the previous year. ➡ Read more

Digital Security: Consumers trust banks the most

A digital trust survey showed that banks, healthcare and government are the most trusted by consumers. The media- ➡ Read more

Darknet job exchange: Hackers are looking for renegade insiders

The Darknet is not only an exchange for illegal goods, but also a place where hackers look for new accomplices ➡ Read more

Solar energy systems – how safe are they?

A study examined the IT security of solar energy systems. Problems include a lack of encryption during data transfer, standard passwords and insecure firmware updates. trend ➡ Read more

New wave of phishing: Attackers use Adobe InDesign

There is currently an increase in phishing attacks that abuse Adobe InDesign, a well-known and trusted document publishing system. ➡ Read more