Almost 12 months after law enforcement supposedly shut down Emotet for good, the banking Trojan-cum-botnet – which reemerged at the end of 2021 – has firmly reestablished itself as the most prevalent malware in the wild, affecting 6% of organisations worldwide in the past month, according to Check Point’s latest Global Threat Index.
While this is down from March – likely due to Microsoft having taken steps to stem its usual means of delivery by disabling specific macros in Office files – Emotet’s operators seem to have been testing new delivery methods and, regardless, Emotet remains highly useful as a vector for delivering other nasties, including ransomware, so its popularity is essentially guaranteed.
The second and third most widely observed malwares in April were Formbook, a Windows-targeting infostealer sold on underground markets as malware as a service (MaaS); and Agent Tesla, a remote access Trojan (RAT) specialising in keylogging and infostealing.
Another infostealer, Lokibot, reentered the chart at number six following a high-impact spam campaign. Infostealers in general seem to be more in favour right now than RATs such as Agent Tesla, Check Point observed.
“With the cyber threat landscape constantly evolving, and with large corporations such as Microsoft influencing the parameters in which cyber criminals can operate, threat actors are having to become more creative in how they distribute malware, evident in the new delivery method now being employed by Emotet,” said Maya Horowitz, Check Point research vice-president.
“In addition, this month we have witnessed the Spring4Shell vulnerability making headlines. Although it is not yet in the top 10 list of vulnerabilities, it’s worth noting that over 35% of organisations worldwide have already been impacted by this threat in its first month alone, and so we expect to see it rise up the list in the coming months.”
Spring4Shell may indeed have generated headlines – and confusion – but as Horowitz noted, it is still much less widely exploited than many other vulnerabilities.
The top three most exploited bugs last month were, in order:
- An information disclosure vulnerability in Git Repository that could allow unintentional disclosure of account information, affecting 46% of organisations worldwide;
- Log4Shell, which is ultimately a remote code execution (RCE) vulnerability, affected 46% of organisations last month;
- And a series of CVEs disclosed in Apache Struts that enable security bypass, which affected 45% of organisations.
Elsewhere, Check Point’s latest monthly data reveals the most attacked sector was education and research, followed by government and military, and internet and managed service providers (ISPs and MSPs).
The most prevalent mobile malwares right now are Alienbot, an Android MaaS that breaks into victims’ financial accounts and takes over the device; Flubot, another Android-focused malware that steals credentials and runs smishing operations from victim devices; and xHelper, a malware that downloads other malicious apps and displays unwanted advertisements.