Emotet & Co.: The malware charts in Q4-2023

The malware charts in October 2023


In October 2023, the remote access Trojan Nanocore took first place in the malware top ten for Germany, but Emotet and Formbook remain highly active. The education and research sector was the most frequently attacked.

Check Point has released its Q4 Global Threat Index (October 2023). First place in Germany now goes to Nanocore, a remote access Trojan that targets Windows users and was first observed in 2013. The threat landscape was highly fragmented in October: only three malware families had an impact above 1 percent. The well-known families Emotet (1.23 percent) and Formbook (1.12 percent) take second and third place.

The remote access Trojan NJRat, which reached a global impact of 2 percent, comes fourth in Germany with 0.99 percent. September's leader, CloudEyE, drops to ninth place in Germany with just 0.43 percent.

The education and research sector has replaced healthcare as the most attacked sector in Germany.

Top malware in Germany

*The arrows refer to the change in ranking compared to the previous month.

↑ Nanocore – Nanocore is a remote access Trojan (RAT) targeting Windows operating system users and was first observed in 2013. All versions of the RAT include basic plugins and features such as screen recording, cryptocurrency mining, remote desktop control, and webcam session theft.

↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan and currently distributes other malware or malicious campaigns. Emotet uses multiple persistence methods and evasion techniques to avoid detection and is typically distributed via phishing spam emails with malicious attachments or links.

↑ Formbook – Formbook is an infostealer that targets the Windows operating system and was first discovered in 2016. It is marketed on underground hacking forums as Malware-as-a-Service (MaaS) due to its strong evasion techniques and relatively low price. Formbook collects credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files upon instruction from its C&C.

Top 3 vulnerabilities

Last month, the most exploited vulnerability was Zyxel ZyWALL Command Injection (CVE-2023-28771), affecting 42 percent of organizations worldwide, followed by Command Injection Over HTTP, which also affected 42 percent of organizations worldwide. Web Server Malicious URL Directory Traversal was the third most exploited vulnerability, likewise with a global impact of 42 percent.

↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. If successfully exploited, this vulnerability could allow remote attackers to execute arbitrary operating system commands on the affected system.

↔ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) - A Command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. If successfully exploited, an attacker could execute arbitrary code on the target computer.

↓ Web Server Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) - A directory traversal vulnerability exists in various web servers. The vulnerability is due to an input validation error: the web server does not properly sanitize the URL for directory traversal patterns. Successful exploitation allows unauthenticated attackers to disclose or access arbitrary files on the vulnerable server.
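The two bug classes behind the second and third entries, command injection via an HTTP parameter and URL directory traversal, are shown below as a vulnerable handler next to a hardened one. This is an added example written for this page, not code from Check Point or from any of the affected products; the request parameters are plain strings constructed inline, the "diagnostic" binary is `echo` standing in for something like `ping`, and the web root is a throwaway temporary directory, so it runs offline.

```python
"""Added example (not Check Point's code): command injection over HTTP and
URL directory traversal, each as a vulnerable handler beside a hardened one.
All inputs are constructed strings; no server or network is involved."""
import re
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import unquote

# ---- command injection over HTTP -------------------------------------------

def run_diag_vulnerable(host: str) -> str:
    # The "host" request parameter is pasted into a shell command line.
    # shell=True hands that string to /bin/sh, so a value such as
    # "ok; echo INJECTED" executes a second command. echo stands in for the
    # real diagnostic binary (ping, traceroute, ...) to keep the demo harmless.
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Hostname-only allowlist (assumption for this demo: the endpoint needs nothing else).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def run_diag_hardened(host: str) -> str:
    # Two independent controls: reject anything that is not a hostname, and
    # pass arguments as a list so no shell ever parses the value.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"refusing suspicious host value: {host!r}")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout

# ---- directory traversal via the URL ---------------------------------------

def make_demo_tree() -> tuple:
    # Constructed layout: <tmp>/www is the web root, <tmp>/secret.txt lies outside it.
    base = Path(tempfile.mkdtemp())
    web_root = base / "www"
    web_root.mkdir()
    (web_root / "index.html").write_text("<h1>hello</h1>")
    secret = base / "secret.txt"
    secret.write_text("SECRET")
    return web_root, secret

def serve_file_vulnerable(web_root: Path, url_path: str) -> str:
    # Naive join: "../" segments in the URL walk out of the web root.
    return (web_root / url_path.lstrip("/")).read_text()

def serve_file_hardened(web_root: Path, url_path: str) -> str:
    # Percent-decode first so "%2e%2e%2f" cannot slip past the check, then
    # resolve ".." and symlinks and insist the result is still under the root.
    root = web_root.resolve()
    target = (root / unquote(url_path).lstrip("/")).resolve()
    if not target.is_relative_to(root):
        raise PermissionError(f"path escapes web root: {url_path!r}")
    return target.read_text()

if __name__ == "__main__":
    print(run_diag_vulnerable("ok; echo INJECTED"))   # second line "INJECTED" proves injection
    root, _ = make_demo_tree()
    print(serve_file_vulnerable(root, "../secret.txt"))  # leaks the file outside the root
    for bad in ("../secret.txt", "%2e%2e%2fsecret.txt"):
        try:
            serve_file_hardened(root, bad)
        except PermissionError as e:
            print("blocked:", e)
```

The order of operations in `serve_file_hardened` is the point: decode, then resolve, then compare against the resolved root. Checking the raw URL for the literal string `../` is exactly the kind of incomplete sanitization the entry above describes, since encoded or doubly encoded variants bypass it.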

Top 3 Mobile Malware

Last month, Anubis remained at the top of the most common mobile malware, followed by AhMyth and Hiddad, which swapped places.

↔ Anubis – Anubis is a banking Trojan designed for Android phones. Since its initial discovery it has gained additional features, including remote access Trojan (RAT), keylogger and audio recording capabilities as well as various ransomware functions. It has been found in hundreds of different applications on the Google Play Store.

↑ AhMyth – AhMyth is a remote access Trojan (RAT) discovered in 2017. It is distributed through Android apps found in app stores and on various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages and activating the camera, which are typically used to steal sensitive information.

↓ Hiddad – Hiddad is an Android malware that repackages legitimate apps and then publishes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important security details of the operating system.

Top 3 of the attacked sectors and areas in Germany

1. ↑ Education/Research

2. ↔ ISP/MSP

3. ↓ Healthcare

Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development department of Check Point Software Technologies.

Directly to the report on CheckPoint.com

About Check Point

Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. Its solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive "one point of control" security management system. Check Point protects over 100,000 businesses of all sizes.
