FormBook knocks Emotet off top of malware chart

The FormBook infostealer has ended a seven-month period of dominance for the Emotet trojan-turned-botnet, becoming the most widespread observed malware in August 2022, according to Check Point’s latest Global threat index.

FormBook targets Windows systems and has been around for six years. It is sold as a malware-as-a-service (MaaS) product on cyber criminal forums, and is favoured for its low cost and advanced evasion capabilities.

Deployed against a target system, it harvests credentials from web browsers, collects screenshots, monitors and logs keystrokes, and is capable of downloading and executing files if called upon to do so.

At the same time, the mobile malware index saw movement last month, with Joker – an Android-based malware that steals SMS messages, contact lists and device information, and signs its victims up for paid premium services – surging from the fifth to third most widely seen threat.

“The shifts that we see in this month’s index, from Emotet dropping from first to fifth place, to Joker becoming the third most prevalent mobile malware, is reflective of how fast the threat landscape can change,” said Maya Horowitz, Check Point’s vice-president of research.

“This should be a reminder to individuals and companies alike of the importance of keeping up to date with the most recent threats as knowing how to protect yourself is essential. Threat actors are constantly evolving and the emergence of FormBook shows that we can never be complacent about security and must adopt a holistic, prevent-first approach across networks, endpoints and the cloud.”

The other most widespread malwares observed in August were the Agent Tesla remote access trojan (RAT), which moved up from seventh to second place compared to July; while XMRig, an open source cryptominer, held steady in third position.

The rest of the top 10 most widely seen malwares in August were as follows:

• Guloader, a downloader for a number of remote access trojans (RATs) and infostealers including FormBook and Agent Tesla;
• Emotet;
• NJRat another RAT that targets mainly government agencies and organisations in the Middle East;
• Remcos, a RAT distributed via malicious Microsoft Office attachments and cleverly designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges;
• SnakeKeylogger, a modular .net keylogger first seen in 2020;
• Ramnit, a modular banking trojan first seen in 2020, capable of stealing account credentials for all services used by its victims;
• And Phorphiex, a long-standing botnet that distributes other malwares and is a driving force behind multiple widespread spam and sextortion campaigns.

The top three mobile malwares observed during the period were:

• AlienBot, an Android banking trojan sold online as a MaaS, which supports keylogging, credential theft, and SMS harvesting of multifactor authentication (MFA) tokens.
• Anubis, another banking trojan that has had other functions added over time, including RAT functionality, keylogging and audio recording capabilities, and can be found on hundreds of different applications lurking in the Google Store;
• And the above-mentioned Joker spyware.

Check Point shared new insight into some of the most widely exploited vulnerabilities observed in the wild last month, with CVE-2021-44228, or Log4Shell to the layman, still the most commonly observed vulnerability, impacting 44% of organisations globally.

First reported on late in 2021, Log4Shell, which affects Apache Log4j, a component of thousands of software builds, and has been described as a “design failure of catastrophic proportions”.

Also widely observed in August were an information disclosure vulnerability reported in Git Repository, successful exploitation of which could enable unintentional disclosure of account information, and a series of directory traversal vulnerabilities on different web servers – some of them dating back to 2010 – which collectively enable unauthenticated actors to disclose or access arbitrary files on a vulnerable server.

It is important to note that data gathered by cyber security companies for scheduled reporting is in general drawn from proprietary sources and network telemetry. It does not necessarily present a true or complete picture of the threat landscape, and should be read in conjunction with multiple other sources.