Check Point Software Technologies’ Global Threat Index for February has seen Remcos Trojan return to the top 10 list for the first time since December 2022, after it was reported being used by threat actors to target Ukrainian government entities through phishing attacks.
According to the report, conducted by Check Point Research (CPR), Emotet Trojan and Formbook Infostealer placed second and third respectively, while education/research remained the most targeted industry, followed by government/military and healthcare.
Despite researchers identifying a 44 per cent decrease in the average number of weekly attacks per organization between October 2022 and last month, Ukraine remains a popular target for cybercriminals following the Russian invasion.
“In the most recent campaign, attackers impersonated Ukrtelecom JSC in a mass email distribution, using a malicious RAR attachment to spread the Remcos Trojan,” authors of the report note.
“Once installed, the tool opens a backdoor on the compromised system, allowing full access to the remote user for activities such as data exfiltration and command execution. The ongoing attacks are believed to be linked to cyberespionage operations due to the behavior patterns and offensive capabilities of the incidents.”
Researchers also revealed that “while there has been a decrease in the number of politically motivated attacks on Ukraine, it remains a battleground for cybercriminals. Hacktivism has typically been high on the agenda for threat actors since the Russo-Ukrainian war began and most have favored disruptive attack methods such as DDoS to garner the most publicity.
“However, the latest campaign used a more traditional route of attack, using phishing scams to obtain user information and extract data. It’s important that all organizations and government bodies follow safe security practices when receiving and opening emails.”
This includes not downloading attachments without scanning them first, avoiding clicking on links within the body of the email, and checking the sender address for any abnormalities such as additional characters or misspellings, the report stated.
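The sender-address check the report recommends can be automated as a first-pass triage rule. The following is an added example, not code from the Check Point report; the trusted domains, the lookalike addresses and the confusable-character table are constructed for illustration (ukrtelecom.example stands in for whatever domain the impersonated organisation really uses).

```python
"""Flag From: addresses that imitate a trusted domain (added example)."""
from email.utils import parseaddr

# Constructed allow-list: domains this organisation expects mail from.
TRUSTED_DOMAINS = {"ukrtelecom.example", "partner.example"}

# Constructed table of visually similar substitutions seen in lookalikes.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: catches one or two added/dropped/swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold digit-for-letter and rn/vv substitutions before comparing."""
    out = domain.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def check_sender(header_value: str) -> dict:
    """Classify a raw From: header value as trusted, suspicious or unknown."""
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return {"addr": addr, "verdict": "malformed", "reason": "no address"}
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return {"addr": addr, "verdict": "trusted", "reason": "exact match"}
    reasons = []
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == trusted:
            reasons.append(f"homoglyph/digit substitution of {trusted}")
        elif levenshtein(domain, trusted) <= 2:
            reasons.append(f"edit distance {levenshtein(domain, trusted)} from {trusted}")
        elif trusted.split(".")[0] in domain:
            reasons.append(f"trusted name embedded in {domain}")
    # A display name that claims a trusted organisation but a foreign domain
    # is the classic impersonation pattern even when the domain is unrelated.
    if reasons or any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        return {"addr": addr, "verdict": "suspicious",
                "reason": "; ".join(reasons) or "display name mismatch"}
    return {"addr": addr, "verdict": "unknown", "reason": "not in allow-list"}
```

Run it over the From: header of each inbound message at the gateway or in a mail-flow rule and route "suspicious" verdicts to quarantine or a review queue rather than the user's inbox.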
Qbot was the most prevalent malware last month, impacting more than seven per cent of organizations worldwide. This was followed by FormBook, with a global impact of five per cent, and Emotet, with a global impact of four per cent.
The top 10 malware families were as follows (descriptions courtesy of CPR):
1. Qbot – Qbot, AKA Qakbot, is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
2. FormBook – FormBook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C (Command & Control) server.
3. Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once employed as a banking Trojan and has recently been used as a distributor of other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
4. XMRig – XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
5. AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input and system keyboard, taking screenshots, and exfiltrating credentials for a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
6. GuLoader – GuLoader is a downloader that has been widely used since December 2019. When it first appeared, GuLoader was used to download Parallax RAT, but it has since been applied to other remote access trojans and infostealers such as Netwire, FormBook, and Agent Tesla.
7. NanoCore – NanoCore is a Remote Access Trojan (RAT) that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, cryptocurrency mining, remote control of the desktop and webcam session theft.
8. Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
9. Tofsee – Tofsee is a trickler that targets the Windows platform. This malware attempts to download and execute additional malicious files on target systems. It may download and display an image file to a user to hide its true purpose.
10. Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.