Check Point Software's latest threat index reveals a significant rise in Infostealers like Lumma Stealer, while mobile malware like Necro continues to pose a significant threat, highlighting the evolving tactics used by cyber criminals across the globe.

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading cyber security platform provider of AI-powered, cloud delivered solutions, has released its Global Threat Index for October 2024. This month's report highlights a concerning trend in the cyber security landscape: the rise of Infostealers and the sophistication of attack methods employed by cyber criminals.  The Index continues to highlight African countries' vulnerabilities with Ethiopia, Angola and Uganda ranked as the most attacked of the over 100 countries surveyed.

Last month researchers discovered an infection chain where fake CAPTCHA pages are being used to distribute Lumma Stealer malware, which has climbed to 4th place in the Monthly Top Malware rankings. This campaign is notable for its global reach, affecting multiple countries through two primary infection vectors: one involving cracked game download URLs and the other through phishing emails targeting GitHub users as an innovative new means of attack vector.

The infection process misleads victims into executing a malicious script that has been copied to their clipboard, showcasing the increasing prevalence of Infostealers as an effective means for cyber criminals to exfiltrate credentials and sensitive data from compromised systems.

In the mobile malware sphere, the new version of Necro has emerged as a significant threat, ranking 2nd among mobile malwares. Necro has infected various popular applications, including game mods available on Google Play, with a cumulative audience of over 11 million Android devices. The malware employs obfuscation techniques to evade detection and uses steganography, which is the practice of concealing information within another message or physical object to avoid detection, to conceal its payloads.Once activated, it can display ads in invisible windows, interact with them, and even subscribe victims to paid services, highlighting the evolving tactics used by attackers to monetise their operations.

Maya Horowitz, VP of Research at Check Point Software, commented on the current threat landscape, stating, "The rise of sophisticated infostealers underscores a growing reality. Cyber criminals are evolving their methods and leveraging innovative attack vectors. Organisations must go beyond traditional defenses, adopting proactive and adaptive security measures that anticipate emerging threats to counter these persistent challenges effectively".

Cyber Security Trends in Africa

Cybers security threats are escalating across Africa, with several countries appearing prominently in the global rankings for cyber-attacks. According to Check Point's latest data:

·       Ethiopia ranks as the most attacked country and holds the top global position with a Normalised Risk Index of 96.8 reflecting the heightened cyber threat landscape in the region.

·       Angola and Uganda are also among the most vulnerable. Angola is ranked 4th globally with a Normalised Risk Index of 74, and Uganda is ranked 10th globally with a Normalised Risk Index of 61.

·       Other African countries in the top 20 most targeted are:

o   Ghana ranked 12th with a Normalised risk index of 58.2

o   Nigeria ranked 14th with a Normalised Risk Index of 55.1

o   Mozambique ranked 16th with a Normalised Risk Index of 53.5

o   Kenya ranked 18th with a Normalised Risk Index of 53.4

 

Where is South Africa in Terms of Threat index?

 

·       Global Ranking: South Africa is ranked 63rd in the Global Threat Index, Normalised Risk Index of 37.1, highlighting a relatively lower position compared to other African countries, but still facing significant cyber threats.

·       High Incidence of Malware: Despite being 63rd globally, South Africa continues to experience frequent malware attacks, with FakeUpdates being among the most prevalent malware strains affecting organisations across the country.

·       Targeted Sectors: The finance/banking and government/military sectors in South Africa are particularly targeted, facing ongoing threats that jeopardise critical data and national security.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

FakeUpdates is the most prevalent malware this month with an impact of 6% worldwide organisations, followed by Androxgh0st with a global impact of 5%, and AgentTesla with a global impact of 4%.

1.   ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.

2.     ↔ Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting- the PHPUnit, Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.

3.     ↑ AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim's keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

4.     ↑ Lumma Stealer - Lumma Stealer, also referred to as LummaC2, is a Russian-linked information-stealing malware that has been operating as a Malware-as-a-Service (MaaS) platform since 2022. This malware, discovered in mid-2022, is continuously evolving and actively distributed on Russian-language forums. As a typical information-stealer, LummaC2 focuses on harvesting various data from infected systems, including browser credentials and cryptocurrency account information.

5.     ↓ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.

6.     ↑ NJRat - NJRat is a remote accesses Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan has first emerged on 2012 and has multiple capabilities: capturing keystrokes, accessing the victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.

7.     ↑ AsyncRat - Asyncrat is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.

8.     ↑ Remcos - Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windowss UAC security and execute malware with high-level privileges.

9.     ↔ Glupteba - Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.

10.  ↓ Vidar- Vidar is an infostealer malware operating as malware-as-a-service that was first discovered in the wild in late 2018. The malware runs on Windows and can collect a wide range of sensitive data from browsers and digital wallets. Additionally, the malware is used as a downloader for ransomware.

Top Exploited Vulnerabilities

1.     ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598,CVE-2011-2474,CVE-2014-0130,CVE-2014-0780,CVE-2015-0666,CVE-2015-4068,CVE-2015-7254,CVE-2016-4523,CVE-2016-8530,CVE-2017-11512,CVE-2018-3948,CVE-2018-3949,CVE-2019-18952,CVE-2020-5410,CVE-2020-8260) - There exists a directory traversal vulnerability On different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.

2.     ↓ Command Injection Over HTTP (CVE-2021-43936,CVE-2022-24086) - A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.

3.     ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) - A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands in the effected system.

Top Mobile Malwares

This month Joker in the 1st place in the most prevalent Mobile malware, followed by Necro and Anubis.

1.     ↔ Joker – An android Spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware signs the victim silently for premium services in advertisement websites.

2.     ↑ Necro - Necro is an Android Trojan Dropper. It is capable of downloading other malware, showing intrusive ads and stealing money by charging paid subscriptions.

3.     ↓ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.

Top-Attacked Industries Globally

This month Education/Research remained in the 1st place in the attacked industries globally, followed by Government/Military and Communications.

 

1.     Education/Research

2.     Government/Military

3.     Communications

Top Ransomware Groups

The data is based on insights from ransomware "shame sites" run by double-extortion ransomware groups which posted victim information. RansomHub is the most prevalent ransomware group this month, responsible for 17% of the published attacks, followed by Play with 10% and Meow with 5%.

1.     RansomHub - RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.

2.     Play - Play Ransomware, also referred to as PlayCrypt, is a ransomware that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.

3.     Meow - Meow Ransomware is a variant based on the Conti ransomware, known for encrypting a wide range of files on compromised systems and appending the ". MEOW" extension to them. It leaves a ransom note named "readme.txt," instructing victims to contact the attackers via email or Telegram to negotiate ransom payments. Meow Ransomware spreads through various vectors, including unprotected RDP configurations, email spam, and malicious downloads, and uses the ChaCha20 encryption algorithm to lock files, excluding ".exe" and text files.

Follow Check Point via:  

LinkedIn: https://www.linkedin.com/company/check-point-software-technologies

X: https://www.twitter.com/checkpointsw

Facebook: https://www.facebook.com/checkpointsoftware

Blog: https://blog.checkpoint.com

YouTube: https://www.youtube.com/user/CPGlobal

About Check Point Research  

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd.  

Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading AI-powered, cloud-delivered cyber security platform provider protecting over 100,000 organizations worldwide. Check Point leverages the power of AI everywhere to enhance cyber security efficiency and accuracy through its Infinity Platform, with industry-leading catch rates enabling proactive threat anticipation and smarter, faster response times. The comprehensive platform includes cloud-delivered technologies consisting of Check Point Harmony to secure the workspace, Check Point CloudGuard to secure the cloud, Check Point Quantum to secure the network, and Check Point Infinity Core Services for collaborative security operations and services.