Top malware in Q1-2023: Qbot, Formbook, Emotet

Top malware in Q1-2023: Qbot, Formbook, Emotet

Share post

Check Point's Spring 2023 Global Threat Index shows Qbot, Formbook, and Emotet malware as the most threatening, HTTP Headers Remote Code Execution vulnerability on the rise, and retail as an industry most under attack.

Check Point has published its Global Threat Index for January 2023. Qbot, a sophisticated Trojan that steals banking information and keystrokes, remains at the top. Emotet slips to third place in Germany. With regard to sectors and areas, retail was attacked in Germany in particular.

Maya Horowitz, VP Research at Check Point Software, also discusses the dangers of phishing and fake websites: "I can't stress enough the importance of paying attention to the links you click to make sure that they are legitimate URLs. Look for the padlock that indicates an up-to-date SSL certificate, and look out for hidden typos that could indicate the site is malicious.”

Top 3 malware for Germany

Qbot – Qbot, also known as Qakbot, is a banking Trojan that first appeared in 2008. It is designed to steal a user's banking information and keystrokes. Commonly distributed via spam emails, Qbot uses multiple anti-VM, anti-debugging, and anti-sandbox techniques to complicate analysis and evade detection.

Formbook – Formbook is an info-stealer targeting the Windows operating system and was first discovered in 2016. It is marketed as Malware as a Service (MaaS) on underground hacking forums due to its strong evasion techniques and relatively low price. Formbook collects login credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and run files on instruction from its C&C.

Emotet – Emotet is an advanced, self-propagating and modular trojan horse that was once used as a banking trojan and currently proliferates other malware or malicious campaigns. Emotet uses multiple persistence methods and evasion techniques to avoid detection and can be distributed via phishing spam emails with malicious attachments or links.

Top 3 vulnerabilities

In December, Web Server Exposed Git Repository Information Disclosure remained the top exploited vulnerability, affecting 46 percent of organizations worldwide, followed by newcomers HTTP Headers Remote Code Execution at 42 percent and MVPower DVR Remote Code Execution at 39 percent.

 Web Servers Exposed Git Repository Information Disclosure – An information disclosure vulnerability was reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.

HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) - HTTP headers allow the client and server to include additional information with an HTTP request to transfer. An attacker can use a vulnerable HTTP header to execute arbitrary code on the victim's machine.

MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. An attacker can exploit this vulnerability to execute arbitrary code on the affected router via a manipulated request.

Top 3 of the attacked sectors and areas in Germany:

– Retail/Wholesale

– Education/Research

 – Healthcare

Check Point's Global Threat Impact Index and ThreatCloud Map are powered by Check Point's ThreatCloud Intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide across networks, endpoints and mobile phones. This intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the research and development department of Check Point Software Technologies.

Top 3 Mobile Malware:

Over the past month, Anubis continued to be the most prevalent mobile malware, followed by Hiddad and newcomer AhMyth.

 Anubis – Anubis is a banking Trojan developed for Android phones. Since its initial detection, it has gained additional features including remote access trojan (RAT), keylogger and audio recording capabilities, and various ransomware functions. It has been spotted in hundreds of different applications on the Google Store.

 Hiddad - Hiddad is an Android malware that repackages legitimate apps and then publishes them to a third-party store. Its main function is to display advertisements, but it can also gain access to important operating system security details.

AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed via Android apps found in app stores and various websites. When a user installs one of these infected apps, the malware can gather sensitive information of the device and perform dangerous actions like keylogging, taking screenshots, sending SMS messages or activating the camera, which usually lead to stealing sensitive ones information is used.

More at


About check point

Check Point Software Technologies GmbH ( is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100.000 businesses of all sizes.


Matching articles on the topic

NIS2 Directive: 6 tips for implementation in companies

The EU NIS2 Directive will soon require many companies to meet higher cybersecurity standards - the law is expected to be ready in October 2024 ➡ Read more

Cybersecurity: Lack of alignment between CEOs and CISOs

87 percent of CISOs surveyed in the Dynatrace CISO Report 2024 stated that CEOs are blind to user security. 70 percent of the ➡ Read more

Cyber ​​insurance: What helps against rising costs?

Cyber ​​insurance protects companies financially from cyber attacks. As the threat situation increases, insurance companies are increasing the costs of annual premiums. Company, ➡ Read more

IT security: Lack of knowledge in German companies

Around 25 percent of all management know too little about IT security and 42 percent of employees do not regularly inform themselves about it ➡ Read more

Companies discover cyber attackers more quickly

Cyber ​​attackers prefer to exploit zero-day vulnerabilities, according to the M-Trends Report 2024. However, the average time until they are discovered is clear ➡ Read more

Endgame: Europol & Co smash large botnets like TrickBot

According to Europol, it was the largest successful operation against botnets of all time: an international operation has targeted droppers such as TrickBot, IcedID, ➡ Read more

Monitoring thanks to Section 702

The U.S. law reauthorizing Section 702 significantly expands domestic surveillance ➡ Read more

Phishing attacks: 60 percent increase worldwide

In 2023, the financial industry was most affected by phishing attacks. Criminals are increasingly using generative AI for voice phishing (vishing) and deepfake phishing ➡ Read more