Qbot remains top malware


Last month's Qbot campaign uses a new delivery method: an email is sent to the targeted individuals with an attachment containing protected PDF files.

Once these are downloaded, the Qbot malware is installed on the device. The researchers found that the malspam was sent in multiple languages, meaning organizations could be targeted worldwide. Mirai, one of the most widespread IoT malware families, also made a comeback last month. Researchers discovered that Mirai exploits a new zero-day vulnerability (CVE-2023-1380) to attack TP-Link routers and add them to its botnet, which has been used in some of the most widely distributed DDoS attacks of all time. This latest campaign follows a comprehensive Check Point Research (CPR) report on the proliferation of IoT attacks.

Targeting software service providers

There was also a change in the sectors affected by cyber attacks in Germany, though not in first place: retail and wholesale remain the most attacked area. ISP/MSP (software service providers) moved up to second place, while healthcare slipped to the third most attacked sector in April. Attacks on healthcare facilities are well documented, and some countries continue to face constant attacks. The industry remains a lucrative target for hackers, potentially giving them access to sensitive patient and payment information. Pharmaceutical companies could also be affected, as such attacks could lead to leaks about clinical trials or new drugs and devices.

“Cyber criminals are constantly working on new ways to circumvent restrictions, and these campaigns are further proof of how malware adapts to survive. Qbot's renewed campaign reminds us of the importance of having comprehensive cybersecurity in place and due diligence in evaluating the origin and intent of an email,” said Maya Horowitz, VP Research at Check Point Software.

Top malware in Germany

*The arrows refer to the change in ranking compared to the previous month.

1. ↔ Qbot – Qbot, also known as Qakbot, is a banking Trojan that first appeared in 2008. It is designed to steal a user's banking information and keystrokes. Commonly distributed via spam emails, Qbot uses multiple anti-VM, anti-debugging, and anti-sandbox techniques to complicate analysis and evade detection.

2. ↑ NanoCore – NanoCore is a remote access Trojan targeting users of Windows operating systems and was first observed in the wild in 2013. All versions of the RAT include basic plugins and features such as screen recording, cryptocurrency mining, remote desktop control, and stealing webcam sessions.

3. ↑ AgentTesla – AgentTesla is a sophisticated RAT that acts as a keylogger and password thief and has been active since 2014. AgentTesla can monitor and collect a victim's keystrokes and clipboard, capture screenshots, and exfiltrate credentials for a variety of software installed on the victim's computer (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.

Top 3 vulnerabilities

Over the past month, Web Servers Malicious URL Directory Traversal was the top exploited vulnerability, affecting 48 percent of organizations worldwide, followed by Apache Log4j Remote Code Execution at 44 percent and HTTP Headers Remote Code Execution with a 43 percent global impact.

1. ↑ Web Servers Malicious URL Directory Traversal – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for directory traversal patterns. Successful exploitation allows unauthenticated attackers to expose or access arbitrary files on the vulnerable server.

2. ↓ Apache Log4j Remote Code Execution (CVE-2021-44228) – A vulnerability exists in Apache Log4j that allows remote code execution. Successful exploitation of this vulnerability could allow a remote attacker to run arbitrary code on the affected system.

3. ↓ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers allow the client and the server to pass additional information along with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.
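The directory traversal entry above describes the flaw in general terms: a web server joins the request URI onto its document root without checking that the result stays inside that root. The following Python is an added example written for this page, not code from Check Point or from any affected server. It shows the vulnerable resolution beside a hardened one (decode once, normalize, then check containment) and a small detection helper that flags traversal attempts in access-log lines. The document root, the request URIs and the log lines are constructed for illustration.

```python
"""Added example: vulnerable vs. hardened URI-to-path resolution, plus a
log-scanning detector for directory traversal attempts.

Assumptions (not from the report): the document root below, the sample
URIs and the constructed access-log lines.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root

# Matches the request line inside a constructed common-log-format entry.
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def _request_path(uri: str) -> str:
    """Drop the query string and percent-decode once, as a server would."""
    return unquote(uri.split("?", 1)[0])


def resolve_unsafe(uri: str) -> str:
    """Vulnerable form (for contrast only): concatenates the decoded path onto
    the root and normalizes, so '..' segments walk out of the document root."""
    return posixpath.normpath(WEB_ROOT + "/" + _request_path(uri))


def resolve_safe(uri: str) -> Optional[str]:
    """Hardened form: normalize, then require the result to be the root itself
    or to lie strictly below it. Returns None for any request that escapes."""
    rel = _request_path(uri)
    if "\x00" in rel:  # embedded NUL would truncate the path in C-based servers
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, rel.lstrip("/")))
    # The trailing slash matters: a bare prefix test would accept
    # "/var/www/html2/..." as being inside "/var/www/html".
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def _fully_decode(s: str, max_rounds: int = 3) -> str:
    """Detection-side decoding: repeat until stable so double-encoded
    sequences such as %252e%252e are also recognised."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_attempt(uri: str) -> bool:
    """True if the decoded path contains a '..' segment, whether or not
    the server would have let it succeed."""
    path = _fully_decode(uri.split("?", 1)[0])
    return any(segment == ".." for segment in path.split("/"))


def flag_log_lines(lines: List[str]) -> List[str]:
    """Return the request URIs from access-log lines that look like traversal."""
    hits = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/May/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2023:10:00:02 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1203',
    '10.0.0.9 - - [01/May/2023:10:00:03 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/May/2023:10:00:04 +0000] "GET /%252e%252e/%252e%252e/secret HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for uri in ("/images/logo.png?size=2", "/../../../etc/passwd", "/../html2/x"):
        print(f"{uri!r:40} unsafe={resolve_unsafe(uri)!r:30} safe={resolve_safe(uri)!r}")
    print("flagged:", flag_log_lines(SAMPLE_ACCESS_LOG))
```

The hardened resolver decodes exactly once, because that is what the server will do before touching the filesystem; the detector decodes repeatedly because its job is to surface attempts, including double-encoded ones, even when the server itself would have rejected them.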

Top 3 Mobile Malware

In the last month, AhMyth was the most prevalent mobile malware, followed by Anubis and Hiddad.

1. ↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed via Android apps found in app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions like keylogging, taking screenshots, sending SMS messages, and activating the camera.

2. ↔ Anubis – Anubis is a banking Trojan developed for Android phones. Since its initial detection, it has gained additional features including remote access trojan (RAT), keylogger and audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of different applications on the Google Store.

3. ↔ Hiddad – Hiddad is an Android malware that repackages legitimate apps and then publishes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important operating system security details.


Attacked industries in Germany

1. ↔ Retail/Wholesale

2. ↑ IT Service Provider/Managed Service Provider (ISP/MSP)

3. ↓ Education/Research

Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development department of Check Point Software Technologies.

More at Checkpoint.com

 


About Check Point

Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100,000 businesses of all sizes.

