Snake Keylogger climbing malware charts, says Check Point

Emotet’s commanding position at the top of the malware threat charts seems as unassailable now as Bryan Adams’ record-breaking run at the top of the UK singles charts seemed in the long, hot summer of 1991, but according to Check Point’s latest monthly countdown, there is plenty of activity back in the pack, with the return of Snake Keylogger particularly noteworthy.

Check Point’s Global Threat Index, covering May 2022, revealed that Snake Keylogger returned to the top 10 in eighth place last month, following a number of novel email campaigns that saw it delivered via a malicious PDF file.

Historically, Snake more usually arrived in the form of a .docx or .xlsx attachment, and Check Point’s analysts theorised that the switch to .pdf format may be a result of Microsoft’s move to block default internet macros in Office.

Check Point said spreading malware via PDF files may also be more effective as people tend to perceive such files to be inherently safer for some reason – potentially the lack of association with Microsoft.

“As evident with the recent Snake Keylogger campaigns, everything you do online puts you at risk of a cyber attack, and opening a PDF document is no exception,” said Maya Horowitz, research vice-president at Check Point Software.

“Viruses and malicious executable code can lurk in multimedia content and links, with the malware attack, in this case Snake Keylogger, ready to strike once a user opens the PDF. Therefore, just as you would question the legitimacy of a .docx or .xlsx email attachment, you must practice the same caution with PDFs too.

“In today’s landscape, it has never been more important for organisations to have a robust email security solution that quarantines and inspects attachments, preventing any malicious files from entering the network in the first place,” said Horowitz.

“As evident with the recent Snake Keylogger campaigns, everything you do online puts you at risk of a cyber attack, and opening a PDF document is no exception”

Meanwhile, Check Point found Emotet impacted 8% of organisations worldwide in May, a slight increase on April, while also holding steady in the number two and three slots were the FormBook infostealer, and the Agent Tesla remote access trojan (RAT) respectively.

The remainder of the top 10 comprises Lokibot, an infostealer; XMRig, a cryptominer; Glupteba, a backdoor-turned-botnet; Ramnit, a banking trojan; Snake Keylogger; Phorpiex, a botnet; and Remcos, another RAT, in that order.

However, in the UK specifically, while Emotet was still the top threat, Snake Keylogger came in second, and there were also appearances from the Qbot banking trojan and Conti ransomware.

The most exploited vulnerability observed by Check Point last month was a series of malicious URL directory traversal vulnerabilities on various web servers, that have arisen due to an input validation error in web server that doesn’t properly sanitise the URL for the directory traversal platforms – some of the CVE numbers on this list date back over 10 years.

This was followed by Log4j, aka Log4Shell, which remains a threat, and an information disclosure vulnerability in Git Repository in third position.

More information on the most exploited vulnerabilities, mobile threats and most targeted industries is available from Check Point.