
Vidar infostealer enters top 10 most wanted malware list

Check Point Research (CPR) reports that while FormBook is still the most prevalent malware impacting 3 per cent of organisations worldwide, Vidar is now in eighth position, up seven places from August.

Reporter
Wed, 19 Oct 2022

The Vidar malware is an infostealer designed to give threat actors backdoor access, enabling them to steal sensitive banking information, login credentials, IP addresses, browser history and crypto wallets from infected devices.

Fake Zoom websites have contributed to its prevalence. Sites such as zoomus[.]website and zoom-download[.]space were used to lure unsuspecting users into downloading the malware.

CPR, which is the threat intelligence arm of Check Point Software Technologies, has published its latest Global Threat Index for September 2022 and according to Maya Horowitz, VP research at Check Point, all organisations are at risk and must shift to a prevent-first cyber security strategy before it’s too late.


“As the war on the ground continues, so too does the war in cyber space. It’s likely no coincidence that the threat ranks of many eastern European countries have increased this last month. In terms of the most prevalent malware in September, it’s interesting to see Vidar leap into the top 10 after a long absence,” Horowitz said.

CPR also revealed that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 43 per cent of organisations worldwide, closely followed by “Apache Log4j Remote Code Execution”, which dropped from first place to second with an impact of 42 per cent.

The month of September also saw education/research remain in first place as the most attacked industry globally.

Topmost attacked industries in Australia

This month the education/research sector remains in first place as the most attacked industry in Australia, followed by government/military and leisure/hospitality.

Top malware families in Australia

*The arrows relate to the change in rank compared to the previous month.

According to CPR, this month, FormBook is still the most prevalent malware, impacting 2.96 per cent of organisations worldwide and 5.10 per cent of organisations in Australia, followed by Emotet with an impact of 2.09 per cent of organisations globally and 1.38 per cent in Australia, and Zegost with an impact of 0.92 per cent of organisations globally and 1.10 per cent in Australia.

1. ↔ FormBook – FormBook is an infostealer targeting Windows OS and was first detected in 2016. It is marketed as a malware-as-a-service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes and can download and execute files according to orders from its C&C.

2. ↔ Emotet – Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan and currently distributes other malware or malicious campaigns. Emotet uses multiple methods for maintaining persistence and evasion techniques to avoid detection and can be spread via phishing spam emails containing malicious attachments or links.

3. ↑ Zegost – Zegost is a backdoor targeting the Windows platform. This malware provides unauthorised remote access to the infected host.

Top malware families in New Zealand

*The arrows relate to the change in rank compared to the previous month.

This month, XMRig returned to the top spot as the most widespread malware in New Zealand for September, impacting 2.59 per cent of NZ organisations as well as 2.73 per cent of organisations worldwide. It is followed by Chapak, with 0.28 per cent impact globally and 1.29 per cent in New Zealand, equalling Crackonosh, which had 1.29 per cent impact in New Zealand and 0.70 per cent impact on organisations globally.

1. ↑ XMRig – XMRig is open-source CPU software used to mine Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.

2. ↑ Chapak – Chapak is a malware dropper, essentially designed to launch malware by installing it on the victim’s machine after being installed itself. Unlike a downloader, which contacts a remote server to retrieve the files it is intended to install, the dropper already contains the malware when it lands on the machine. The Chapak dropper does not damage the infected computer directly but delivers a malware payload, or a number of types of malware with various features.

3. ↑ Crackonosh – Crackonosh is a miner malware that was injected into popular software products that had been cracked and made available on distribution platforms known for hosting pirated software. In order to reach a large number of potential victims, the threat operators weaponise cracked video games. Once Crackonosh is initiated, it replaces essential Windows services. The threat is also equipped with anti-detection routines and can delete anti-malware solutions from the compromised system.

Top exploited vulnerabilities

This month, “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 43 per cent of organisations globally. It is followed by “Apache Log4j Remote Code Execution” which dropped from first place to second and impacts 42 per cent of organisations. “Command Injection Over HTTP” jumps into third place, with a global impact of 40 per cent.

1. Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.

2. Apache Log4j Remote Code Execution (CVE-2021-44228) – A remote code execution vulnerability exists in Apache Log4j. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.

3. Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.


Top mobile malware

This month, Anubis jumped into first place as the most widespread mobile malware, followed by Hydra and Joker.

1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including remote access Trojan (RAT) functionality, keylogger and audio recording capabilities as well as various ransomware features. It has been detected on hundreds of different applications available in the Google Store.

2. Hydra – Hydra is a banking Trojan designed to steal finance credentials by requesting victims to enable dangerous permissions.

3. Joker – An Android spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware can also sign the victim up for paid premium services without their consent or knowledge.

Since the onset of the Russia-Ukraine war, CPR has continued to monitor the impact of cyber attacks in both countries.

While the conflict intensifies, CPR’s Global Threat Index for September noted a significant change in the “threat rank” of many eastern European countries.

The threat rank represents how much an organisation is being attacked in a specific country compared to the rest of the world. During September, Ukraine jumped 26 places, Poland and Russia moved up 18 places each, and both Lithuania and Romania moved up 17 places, among others.

All these countries are now among the top 25, with the biggest degradation in their ranking occurring in the past month.
