Ramnit is most widespread malware affecting organizations in Nigeria, says new Global Threat Index

Check Point Research, Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), has released its February 2022 Global Threat Index. Emotet is still the most common virus, affecting 5% of enterprises globally, according to researchers, while Trickbot has fallen to sixth place on the list.

In Nigeria this month, Ramnit is the most prevalent malware impacting 9.64% of organizations in the country, closely followed by Phorpiex which is impacting 8.43% of organizations and Glupteba which is impacting 7.23%.

This month Finance/Banking is the most attacked industry in Nigeria, followed by Insurance/Legal and SI/VAR/Distributor.

Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for February 2022.  Researchers report that Emotet is still the most prevalent malware, impacting 5% of organizations worldwide, while Trickbot has slipped even further down the index into sixth place.

ADVERTISEMENT

RELATED   Check Point Software’s 2022 Security Report: Global Cyber Pandemic’s Magnitude Revealed

Trickbot is a botnet and banking trojan that can steal financial details, account credentials, and personally identifiable information, as well as spread laterally within a network and drop ransomware. During 2021, it appeared at the top of the most prevalent malwares list seven times. During the past few weeks, however, Check Point Research, has noted no new Trickbot campaigns and the malware now ranks sixth in the index. This could be due in part to some Trickbot members joining the Conti ransomware group, as suggested in the recent Conti data leak.

This month, CPR has witnessed cybercriminals taking advantage of the Russia/Ukraine conflict in order to lure people to download malicious attachments, and February’s most prevalent malware, Emotet, has indeed been doing just this, with emails that contain malicious files and the subject “Recall: Ukraine -Russia Military conflict: Welfare of our Ukrainian Crew member”.

“Currently we are seeing a number of malwares, including Emotet, take advantage of the public interest around the Russia/Ukraine conflict by creating email campaigns on the topic that lure people into downloading malicious attachments. It’s important to always check that a sender’s email address is authentic, look out for any misspellings in emails and don’t open attachments or click on links unless you are certain that the email is safe.” said Maya Horowitz, VP Research at Check Point Software

ADVERTISEMENT

CPR revealed this month that Education/Research continues to be the most attacked industry globally followed by Government/Military and ISP/MSP. “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 46% of organizations globally, followed by “Apache Log4j Remote Code Execution” which dropped from first to second place and impacts 44% of organizations worldwide. “HTTP Headers Remote Code Execution” is the third most exploited vulnerability, with a global impact of 41%.

Top Malware Families

*The arrows relate to the change in rank compared to the previous month.

ADVERTISEMENT

This month, Emotet is still the most prevalent malware impacting 5% of organizations worldwide, closely followed by Formbook which is impacting 3% of organizations and Glupteba which is impacting 2%. In Nigeria this month, Ramnit is the most prevalent malware impacting 9.64% of organizations in the country, closely followed by Phorpiex which is impacting 8.43% of organizations and Glupteba which is impacting 7.23%.

1. ↔ Ramnit – Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules..
2. ↑ Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
3. ↑ Glupteba – Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter..

Top Attacked Industries Globally

This month Finance/Banking is the most attacked industry in Nigeria , followed by Insurance/Legal and SI/VAR/Distributor.

1. Finance/Banking
2. Insurance/Legal
3. SI/VAR/Distributor

 Top Exploited Vulnerabilities

This month “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 46% of organizations globally, followed by “Apache Log4j Remote Code Execution” which has dropped from first place to second and impacts 44% of organizations worldwide. “HTTP Headers Remote Code Execution” is the third most exploited vulnerability, with a global impact of 41%.

1. ↑ Web Server Exposed Git Repository Information Disclosure– An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
2. ↓Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
3. ↔HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with a HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim’s machine.

Top Mobile Malwares

This month XLoader is the most prevalent mobile malware, followed by xHelper and AlienBot.

3. XLoader – XLoader is an Android Spyware and banking Trojan developed by the Yanbian Gang, a Chinese hacker group. This malware uses DNS spoofing to distribute infected Android apps to collect personal and financial information.
4. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application can hide itself from the user and reinstalling itself in case it was uninstalled.
5. AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker to firstly inject malicious code into legitimate financial applications then allows the attacker to obtain access to the victims’ accounts, and eventually completely control their device.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, The Intelligence & Research Arm of Check Point Software Technologies.

The complete list of the top 10 malware families in February can be found on the Check Point blog.

Blog: https://research.checkpoint.com/