May 2022’s Most Wanted Malware: Snake Keylogger Returns to the Top Ten after a long absence

Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for May 2022. Researchers report that Emotet, an advanced, self-propagating and modular Trojan, is still the most prevalent as a result of multiple widespread campaigns. This month, Snake Keylogger has jumped into eighth place after a long absence from the index. Snake’s main functionality is to record users keystrokes and transmit collected data to threat actors.

Snake Keylogger is usually spread through emails that include docx or xlsx attachments with malicious macros, however this month researchers reported that SnakeKey Logger has been spread via PDF files. This could be due in part to Microsoft blocking by default internet macros in Office, meaning cybercriminals have had to become more creative, exploring new file types such as PDFs. This rare way to spread malware is proving to be quite effective as some people perceive PDFs to be inherently safer than other file types.

Emotet, is impacting 8% of organizations worldwide, a slight increase from last month. This malware is an agile malware proving profitable due to its ability to remain undetected. Its persistence also makes it difficult to be removed once a device has been infected, making it the perfect tool in a cybercriminal’s arsenal. Originally a banking trojan, it is often distributed through phishing emails and has the ability to offer other malwares, enhancing its capacity to cause widespread damage.

“As evident with the recent Snake Keylogger campaigns, everything you do online puts you at risk of a cyberattack, and opening a PDF document is no exception,” said Maya Horowitz, VP Research at Check Point Software. “Viruses and malicious executable code can lurk in multimedia content and links, with the malware attack, in this case Snake Keylogger, ready to strike once a user opens the PDF. Therefore, just as you would question the legitimacy of a docx or xlsx email attachment, you must practice the same caution with PDFs too. In today’s landscape it has never been more important for organizations to have a robust email security solution that quarantines and inspects attachments, preventing any malicious files from entering the network in the first place.”

CPR also revealed that “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution” which has a global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” is in third place with a global impact of 45%. The Education & Research sector continues to be the most targeted industry by cybercriminals globally.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

This month, Emotet is still the most popular malware with a global impact of 8%, followed by Formbook with an impact of 2% and AgentTesla impacting 2% of organizations worldwide.

↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used as a banking Trojan, but recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.

↔ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware-as-a-Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.

↔ Agent Tesla – Agent Tesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook.)

The complete list of the top ten malware families in May can be found on the Check Point blog.

Top Attacked Industries Globally

This month Education/Research is the most attacked industry globally, followed by Government/Military and Internet Service Providers & Managed Service Providers (ISP & MSP).

Education & Research

Government & Military

Internet Service Providers & Managed Service Providers (ISP & MSP)

Top Exploited Vulnerabilities

This month, “Web Servers Malicious URL Directory Traversal” is the most commonly exploited vulnerability, impacting 46% of organizations worldwide, closely followed by “Apache Log4j Remote Code Execution” which has a global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” is in third place with a global impact of 45%.

↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260)- There exists a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.

↔ Apache Log4j Remote Code Execution (CVE-2021-44228)- A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

↓ Web Server Exposed Git Repository Information Disclosure- An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.

Top Mobile Malwares

This month AlienBot is the most prevalent Mobile malware, followed by FluBot and xHelper.

AlienBot - AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.

FluBot - FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list as well as sending SMS messages to other phone numbers.

xHelper - A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and reinstalling itself in the case that it was uninstalled.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, The Intelligence & Research Arm of Check Point Software Technologies.

The complete list of the top ten malware families in May can be found on the Check Point blog.