Malware distributed via email with attached PDF file

Check Point Research (CPR), the threat intelligence division of Check Point Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of global cybersecurity solutions, has released its Global Threat Index for May 2022. Researchers report that Emotet, an advanced, self-propagating, modular Trojan that uses multiple methods to maintain persistence and evade detection, remains the most prevalent malware in the world and in Brazil, owing to several widespread campaigns. Also in May, the Snake Keylogger malware jumped to eighth place after a long absence from the index; its main function is to record the keystrokes typed by the user and transmit the collected data to the attacker.

Snake Keylogger is usually distributed via email attachments with docx or xlsx extensions that contain malicious macros. However, in May, CPR researchers reported that Snake Keylogger was being spread via PDF files. This may be partly due to Microsoft blocking Internet-sourced macros by default in Office, which means that cybercriminals have to get more creative and explore new file types such as PDFs. This uncommon way of spreading malware proved very effective, as many people assume that PDF documents are inherently safer than other file types.

Regarding Emotet, the malware is affecting 8% of organizations worldwide, a slight increase from April. Emotet is an agile malware that has proven lucrative because of its ability to evade detection. Its persistence also makes it difficult to remove once a device is infected, making it an ideal tool in a cybercriminal’s arsenal. What started out as a banking Trojan is now often distributed via phishing emails and can drop other malware, increasing its ability to cause widespread damage.

“As evidenced by the latest Snake Keylogger campaign, everything we do online puts us at risk of cyber-attack, and opening PDF files is no exception. In this case, viruses and malicious executables can hide in multimedia content and in links,” said Maya Horowitz, vice president of research at Check Point Software Technologies.

“So just as we would question the legitimacy of docx or xlsx files in email attachments, we should also be cautious about PDFs. In today’s environment, having a robust email security solution, one that quarantines and inspects attachments to prevent malicious files from entering the network in the first place, has never been more important for an organization,” adds Maya.

May’s top sectors and vulnerabilities

CPR also revealed that in May, education and research continued to top the list of industries most attacked by cybercriminals globally. “Web Server Malicious URL Directory Traversal” was the most commonly exploited vulnerability, affecting 46% of organizations globally, tied with “Apache Log4j Remote Code Execution” at the same global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” was the third-ranked vulnerability in the index, with a global impact of 45%.

Major Malware Families


Emotet remained the most prevalent malware in May, affecting 8% of organizations worldwide, followed by Formbook, which affected 2%, and AgentTesla, which also affected 2%, in second and third place, respectively.

• Emotet – An advanced, self-propagating, modular Trojan. Emotet, formerly a banking Trojan, has recently been used as a distributor of other malware or malicious campaigns. It uses various methods to maintain persistence and evasion techniques to avoid detection. It is spread through phishing spam emails that contain malicious attachments or links.

• Formbook – An information stealer for Windows operating systems, first discovered in 2016. Due to its powerful evasion techniques and relatively low price, it is sold as Malware as a Service (MaaS) on underground hacker forums. FormBook harvests credentials from various web browsers, captures screenshots, monitors and records keystrokes, and can download and execute files according to commands from its C&C (command and control) server.

• AgentTesla – An advanced RAT (Remote Access Trojan) that acts as a keylogger and information stealer, capable of monitoring and collecting the victim’s keystrokes and system clipboard, taking screenshots, and exfiltrating credentials for various software (including Google Chrome, Mozilla Firefox, and the Microsoft Outlook email client).

In terms of industries, education and research remained the most attacked industries globally in May, followed by government/military and Internet Service Providers and Managed Service Providers (ISP/MSPs) in the same rankings as in March and April.

1. Education/Research

2. Government/Military

3. Internet Service Provider (ISP) / Managed Service Provider (MSP)

In Brazil, the three most targeted industries in the national rankings for May were:

1. System Integrator/VAR/Distributor

2. Retail/Wholesale

3. Government/Military

The education/research sector is ranked sixth in the national rankings.

Major Vulnerabilities Exploited

In May, the CPR team also revealed that “Web Server Malicious URL Directory Traversal” was the most exploited vulnerability, affecting 46% of organizations worldwide, tied with “Apache Log4j Remote Code Execution”, which also had a global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” ranked third on the list of most exploited vulnerabilities with a global impact of 45%.

• Web Server Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – A directory traversal vulnerability that exists on various web servers. The vulnerability is caused by an input validation error in the web server, which does not properly sanitize the Uniform Resource Identifier (URI) for directory traversal patterns. Successful exploitation allows an unauthenticated remote attacker to disclose or access arbitrary files on the vulnerable server.

• Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

• Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in exposed Git repositories. Successful exploitation of this vulnerability could result in the unintentional disclosure of account information.
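As an added illustration of the input-validation failure described above (example code, not from the report or any listed product), the following Python resolver canonicalises a request URI before mapping it onto a document root, rejecting plain, percent-encoded, double-encoded and backslash traversal patterns, and then flags offending requests in a few constructed access-log lines. The document root and the log lines are assumptions made for the example.

```python
"""Defensive URI canonicalisation for a static file handler (constructed example)."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # assumed document root, not taken from the report


def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def resolve_request_path(uri, doc_root=DOC_ROOT):
    """Map a request URI to a file under doc_root; return None if it must be rejected."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    path = decode_fully(path).replace("\\", "/")  # some servers accept '\' as a separator
    if "\x00" in path:
        return None  # an embedded NUL would truncate the path in C-based servers
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty (from '//') and '.' segments change nothing
        if seg == "..":
            if not segments:
                return None  # would climb above the document root: reject
            segments.pop()
        else:
            segments.append(seg)
    return posixpath.join(doc_root, *segments)


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2022:10:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0
10.0.0.8 - - [01/May/2022:10:00:03 +0000] "GET /img/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 400 0
10.0.0.9 - - [01/May/2022:10:00:04 +0000] "GET /css/../js/app.js HTTP/1.1" 200 2048
"""


def flag_traversal_requests(log_text):
    """Return (client, uri) pairs for requests the resolver would reject."""
    hits = []
    for line in log_text.splitlines():
        client, request = line.split(" ", 1)[0], line.split('"')[1]
        uri = request.split(" ")[1]
        if resolve_request_path(uri) is None:
            hits.append((client, uri))
    return hits
```

A `..` segment that stays within the root (such as `/css/../js/app.js`) is allowed, because only escaping the root is the vulnerability; a stricter policy could reject every `..` outright.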

Top Mobile Malware

In May, mobile malware ranked the same as in April’s index: AlienBot was the most popular mobile malware, followed by FluBot and xHelper.

1. AlienBot – The AlienBot malware family is a malware-as-a-service (MaaS) offering targeting Android devices that allows remote attackers to inject malicious code into legitimate financial applications. The attacker can gain access to the victim’s accounts and eventually take full control of the device.

2. FluBot – An Android botnet malware that spreads via phishing SMS messages, usually impersonating courier and logistics brands. Once the user clicks the link inserted in the message, FluBot installs itself and accesses all sensitive information on the phone.

3. xHelper – A malicious Android application observed since March 2019 that downloads other malicious apps and displays ads. The application is able to hide itself from the user and reinstall itself after being uninstalled.

Brazil’s top malware in May

The leading malware in Brazil in May was again Emotet, regaining the top spot with a 23.55% impact on organizations. Chaes dropped to second place in the national ranking (6.88%); this malware primarily targets Latin American e-commerce platforms such as Mercado Livre and Mercado Pago and is responsible for campaigns aimed at stealing consumer information. In third place was PseudoManuscrypt (3.75%), spyware used for espionage that primarily threatens government organizations and industrial control systems. It has advanced spying features, including capturing screenshots of the victim and collecting VPN authentication credentials.

Check Point Software’s Global Threat Impact Index and its ThreatCloud map are powered by Check Point’s ThreatCloud Intelligence, a collaborative network that provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. Intelligence is enriched by an artificial intelligence engine and unique research data from the Check Point Research (CPR) division.
