The veteran Qbot or Qakbot banking trojan, the Lokibot commodity infostealer, and the AgentTesla remote access trojan (RAT) were the most prevalent malwares observed during January 2023, according to the latest monthly Global threat index from Check Point, but the first few weeks of the year also saw the return of the Vidar infostealer and njRAT malware following a number of new campaigns.
Vidar was first observed in 2018, and is designed to steal credentials, credit card data and other information from web browsers and digital wallets. It can be easily bought on underground forums, and was notably used in 2019 as a dropper to download the GandCrab ransomware.
The re-entry of Vidar into the top 10 follows a marked increase in instances of so-called brandjacking observed in Check Point’s telemetry. In one observed campaign, Vidar was spread via fake domains that seemed to be associated with AnyDesk, a remote desktop application.
The malware operators used URL jacking for various applications to redirect people to a single IP address that seemed to be the official AnyDesk website, but was in fact a malicious domain hosting Vidar. If installed, the malware masquerades as a legit installer, but steals data in the background.
The njRAT trojan, which is a new entry at number 10 on the chart, is another venerable malware dating back 11 years, and is capable of logging keystrokes, accessing device cameras if present, stealing data, uploading and downloading files, performing process and file manipulations, and viewing victim desktops.
It generally spreads through phishing attacks and drive-by downloads, and is often propagated through infected USB keys or networked drives. In the latest campaign observed, dubbed Earth Bogle, njRAT was seen spreading among target organisations in the Middle East and North Africa, with its lures often linked to geopolitical themes.
“Once again, we’re seeing malware groups use trusted brands to spread viruses, with the aim of stealing personal identifiable information,” said Check Point research vice-president Maya Horowitz. “I cannot stress enough how important it is that people pay attention to the links they are clicking on to ensure they are legitimate URLs. Look out for the security padlock, which indicates an up-to-date SSL certificate, and watch for any hidden typos that might suggest the website is malicious.”
The January top 10 shakes out as follows:
- Qbot or Qakbot, a banking trojan spread via spam that employs a number of anti-VM, -debugging and -sandbox techniques to avoid analysis and detection.
- Lokibot, a commodity infostealer for Windows and Android that occasionally has ransomware capabilities built in.
- AgentTesla, a more advanced RAT functioning as a keylogger and infostealer.
- Formbook, another infostealer often sold as-a-service on account of its strong evasion techniques and low price.
- XMRig, an open source CPU miner deployed to illicitly mine the Monero cryptocurrency.
- Emotet, the ever-popular banking trojan-cum-RAT that widely serves as a precursor to ransomware attacks.
- GuLoader, a downloader that can bring with it multiple other infostealers and RATs, including the likes of AgentTesla and Formbook.
- Nanocore, a RAT used for screen capture, cryptomining, desktop remote control, and webcam session theft.
- And njRAT.
The latest set of data also shows the most widely exploited vulnerabilities in January, with the most compromises effected through an information disclosure vulnerability in Git Repository, which is frequently observed in Check Point’s monthly reports and last month impacted 46% of organisations globally.
In second position was a series of remote code execution (RCE) vulnerabilities in how HTTP Headers let clients and servers pass additional information, which were disclosed in 2020, and could allow an attacker to run arbitrary code. This vulnerability chain was seen affecting 42% of organisations worldwide.
The third-most widely exploited vulnerability of the month was another RCE vulnerability in MVPower DVR devices, which affected 39% of organisations.
Other big-time classics widely observed in January include Apache Log4j (Log4Shell, or CVE-2021-44228), which continues to linger, and the Heartbeat OpenSSL vulnerabilities (CVE-2014-0160 and CVE-2014-0346) that led to the Heartbleed incident of 2014.