November 2024's Most Wanted Malware: Androxgh0st Leads the Pack, Targeting IoT Devices and Critical Infrastructure
Check Point Software's latest threat index highlights the rise of Androxgh0st, a Mozi-integrated botnet, and ongoing threats from Joker and Anubis, showcasing evolving cybercriminal tactics. Seven African countries among the top 20 most attacked.
Johannesburg, South Africa - December 10th 2024 – Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader of cyber security solutions, has released its latest threat index, emphasizing the growing sophistication of cyber criminals. The report highlights the swift ascent of Androxgh0st, now integrated with the Mozi botnet, as it continues to target critical infrastructure worldwide.
Critical infrastructure—spanning energy grids, transportation systems, healthcare networks, and more—remains a prime target for cybercriminals due to its indispensable role in daily life and its vulnerabilities. Disrupting these systems can lead to widespread chaos, financial losses, and even threats to public safety.
African countries continue to be among those most targeted by malware attacks. Of the top 20 countries attacked in November, seven are on the continent. Ethiopia is the most attacked country of the 107 surveyed, while Zimbabwe ranked 4th with an 82,8% Normalised Risk Index, Uganda 9th and Angola 10th with a Normalised Risk Index of 67,8% and 67,5% respectively, Ghana 13th with a Normalised Risk Index of 62%, Mozambique 17th with a Normalised Risk Index of 58,3%, and Nigeria 19th and Kenya 20th with a Normalised Risk Index of 56,9% and 55,8% respectively. South Africa moved down the rankings to 67th, with a Normalised Risk Index of 39,1%.
"Researchers have discovered that Androxgh0st, now at the top of the malware rankings, is exploiting vulnerabilities across multiple platforms, including IoT devices and web servers, key components of critical infrastructure. By adopting tactics from Mozi, it targets systems using remote code execution and credential-stealing methods to maintain persistent access enabling malicious activities like DDoS attacks and data theft. The botnet infiltrates critical infrastructures through unpatched vulnerabilities, and the integration of Mozi's capabilities has significantly expanded Androxgh0st's reach, allowing it to infect more IoT devices and control a broader range of targets. These attacks create cascading effects across industries, highlighting the high stakes for governments, businesses, and individuals reliant on these infrastructures," says
Among the top mobile malware threats, Joker remains the most prevalent, followed by Anubis and Necro. Joker continues to steal SMS messages, contacts, and device information while silently subscribing victims to premium services. Meanwhile, Anubis, a banking Trojan, has gained new features, including remote access, keylogging, and ransomware functionality.
Maya Horowitz, VP of Research at Check Point Software, commented on the evolving threat landscape, stating, "The rise of Androxgh0st and the integration of Mozi illustrates how cyber criminals are constantly evolving their tactics. Organisations must adapt quickly and implement robust security measures that can identify and neutralize these advanced threats before they can cause significant damage."
Top malware families
*The arrows relate to the change in rank compared to the previous month.
Androxgh0st is the most prevalent malware this month, with an impact on 5% of organizations worldwide, closely followed by FakeUpdates with an impact of 5% and AgentTesla with 3%.
↑ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and the Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
↓ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates has led to further compromise via many additional malware families, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
↔ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim's keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from a variety of software installed on the victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
↑ Formbook – Formbook is an infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
↑ Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
↔ AsyncRat – AsyncRAT is a Trojan that targets the Windows platform. This malware sends system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
↓ NJRat – NJRat is a remote access Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
↑ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns, as well as fueling large-scale spam and sextortion campaigns.
↑ Cloud Eye – CloudEye is a downloader that targets the Windows platform and is used to download and install malicious programs on victims' computers.
↑ Rilide – A malicious browser extension that targets Chromium-based browsers, mimicking legitimate software to infiltrate systems. It exploits browser functionalities to execute harmful activities like monitoring web browsing, capturing screenshots, and injecting scripts to steal cryptocurrency. Rilide operates by downloading other malware, recording user activities, and can even manipulate web content to deceive users into unauthorized actions.
Top exploited vulnerabilities
↑ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in exposed Git repositories. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
↑ ZMap Security Scanner (CVE-2024-3378) – ZMap is a vulnerability scanning product. Remote attackers can use ZMap to detect vulnerabilities on a target server.
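The Androxgh0st entry above (probing of Laravel/PHPUnit deployments for stored credentials) and the exposed Git repository disclosure both leave traces in ordinary web server access logs. The following is an added example, not Check Point's code and not part of the report: it parses Apache/nginx combined-format log lines, flags requests for `.env` files (the assumption being the Laravel convention of keeping credentials in `.env`), paths under `/vendor/phpunit/`, and `.git/` metadata, and separates mere scans (non-2xx responses) from actual exposures (2xx responses). The sample log lines, IP addresses and indicator names are constructed for this example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: client, identd, user, [timestamp],
# "METHOD target protocol", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2024:10:14:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Nov/2024:10:14:02 +0000] "POST /vendor/phpunit/phpunit/probe.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Nov/2024:10:14:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Nov/2024:11:02:10 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.4.0"
192.0.2.5 - - [02/Nov/2024:11:05:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [02/Nov/2024:11:05:45 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
this line is not a valid access log record
"""


def classify_path(target: str):
    """Map a request target to a hypothetical indicator name, or None if benign."""
    path = target.split("?", 1)[0]          # ignore the query string
    if path == "/.env" or path.endswith("/.env"):
        return "laravel_env_probe"          # credential file of a Laravel app
    if path.startswith("/vendor/phpunit/"):
        return "phpunit_probe"              # PHPUnit left deployed under the web root
    if "/.git/" in path or path.endswith("/.git"):
        return "git_repo_probe"             # repository metadata reachable over HTTP
    return None


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text: str):
    """Summarise scanner activity per client IP.

    Returns {ip: {"hits": int, "indicators": set[str], "exposed": [path, ...]}}
    where "exposed" lists flagged paths that the server actually answered with
    a 2xx status: those are misconfigurations to fix, not just scans to block.
    """
    report = defaultdict(lambda: {"hits": 0, "indicators": set(), "exposed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                        # skip malformed lines rather than crash
        indicator = classify_path(rec["target"])
        if indicator is None:
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["indicators"].add(indicator)
        if 200 <= rec["status"] < 300:
            entry["exposed"].append(rec["target"].split("?", 1)[0])
    return dict(report)


if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE_LOG).items()):
        state = "EXPOSED: " + ", ".join(entry["exposed"]) if entry["exposed"] else "scan only"
        print(f"{ip:16} hits={entry['hits']} {sorted(entry['indicators'])} {state}")
```

Run against real logs, the "exposed" list is the item to act on first (remove the file from the web root or deny the path in the server config); the per-IP indicator sets are what you would feed to a blocklist or SIEM correlation rule.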
Top Mobile Malware
This month Joker is in 1st place as the most prevalent mobile malware, followed by Anubis and Necro.
↔ Joker – An Android spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware silently signs the victim up for premium services on advertisement websites.
↑ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
↓ Necro - Necro is an Android Trojan Dropper. It is capable of downloading other malware, showing intrusive ads and stealing money by charging paid subscriptions.
Top-Attacked Industries Globally
This month Education/Research remained in 1st place among the attacked industries globally, followed by Communications and Government/Military.
Education/Research
Communications
Government/Military
Top Ransomware Groups
The data is based on insights from ransomware "shame sites" run by double-extortion ransomware groups which posted victim information. RansomHub is the most prevalent ransomware group this month, responsible for 16% of the published attacks, followed by Akira with 6% and KillSec3 with 6%.
RansomHub - RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
Akira - Akira Ransomware, first reported at the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a ".akira" extension to file names, then presents a ransom note demanding payment for decryption.
KillSec3 - KillSec is a Russian-speaking cyber threat group that emerged in October 2023. Operating a Ransomware-as-a-Service (RaaS) platform, the group also offers a range of other offensive cybercriminal services, including DDoS attacks and so-called "penetration testing services." A review of their victim list reveals a disproportionately high number of targets in India and an unusually low proportion of U.S. victims compared to similar groups. Their primary targets include the healthcare and government sectors.
Follow Check Point via:
LinkedIn: https://www.linkedin.com/company/check-point-software-technologies
X: https://www.twitter.com/checkpointsw
Facebook: https://www.facebook.com/checkpointsoftware
Blog: https://blog.checkpoint.com
YouTube: https://www.youtube.com/user/CPGlobal
About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.
About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading AI-powered, cloud-delivered cyber security platform provider protecting over 100,000 organizations worldwide. Check Point leverages the power of AI everywhere to enhance cyber security efficiency and accuracy through its Infinity Platform, with industry-leading catch rates enabling proactive threat anticipation and smarter, faster response times. The comprehensive platform includes cloud-delivered technologies consisting of Check Point Harmony to secure the workspace, Check Point CloudGuard to secure the cloud, Check Point Quantum to secure the network, and Check Point Infinity Core Services for collaborative security operations and services.
Legal Notice Regarding Forward-Looking Statements
This press release contains forward-looking statements. Forward-looking statements generally relate to future events or our future financial or operating performance. Forward-looking statements in this press release include, but are not limited to, statements related to our expectations regarding future growth, the expansion of Check Point's industry leadership, the enhancement of shareholder value and the delivery of an industry-leading cyber security platform to customers worldwide. Our expectations and beliefs regarding these matters may not materialize, and actual results or events in the future are subject to risks and uncertainties that could cause actual results or events to differ materially from those projected. The forward-looking statements contained in this press release are also subject to other risks and uncertainties, including those more fully described in our filings with the Securities and Exchange Commission, including our Annual Report on Form 20-F filed with the Securities and Exchange Commission on April 2, 2024. The forward-looking statements in this press release are based on information available to Check Point as of the date hereof, and Check Point disclaims any obligation to update any forward-looking statements, except as required by law.