February 2024’s Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign

Check Point Software Technologies Ltd. has published its Global Threat Index for February 2024. Last month researchers uncovered a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to infiltrate websites by utilizing altered editions of authentic WordPress plugins, and tricking individuals into downloading a Remote Access Trojan. Meanwhile, even following its takedown towards the end of February, Lockbit3 remained the most prevalent ransomware group, responsible for 20% of published attacks, and education continued to be the most impacted industry worldwide. In India, Healthcare remained the most impacted industry last month followed by Education/Research and Consultant.

FakeUpdates, also known as SocGholish, has been operational since at least 2017, and uses JavaScript malware to target websites, especially those with content management systems. Often ranked the most prevalent malware in the Threat Index, the FakeUpdates malware aims to trick users into downloading malicious software and despite efforts to stop it, it remains a significant threat to website security and user data. This sophisticated malware variant has previously been associated with the Russian cybercrime group known as Evil Corp. Due to its downloader functionality, it is believed that the group monetizes the malware by selling access to the systems that it infects, leading to other malware infections if the group provides access to multiple customers.

“Websites are the digital storefronts of our world, crucial for communication, commerce, and connection,” stated Maya Horowitz, VP of Research at Check Point Software. “Defending them from cyberthreats isn’t just about safeguarding code; it is about protecting our online presence and the essential functions of our interconnected society. If cybercriminals choose to use them as a vehicle to covertly spread malware, that could impact future revenue generation and the reputation of an organization. It is vital to put preventative measures in and adopt a culture of zero tolerance to ensure absolute protection from threats”.

Check Point’s threat index also includes insights from around 200 ransomware “shame sites” run by double-extortion ransomware groups, 68 of which posted victim information this year to pressure non-paying targets. Lockbit3 once again took the lead last month accounting for 20% of those incidents reported, followed by Play at 8%, and 8base at 7%. Entering the top three for the first time, Play, claimed responsibility for a recent cyberattack on the city of Oakland.

Last month, the most exploited vulnerability was “Web Servers Malicious URL Directory Traversal,” impacting 51% of organizations globally, followed by “Command Injection Over HTTP,” and “Zyxel ZyWALL Command Injection” with 50% respectively.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

FakeUpdates was the most prevalent malware last month with an impact of 5% worldwide organizations, followed by Qbot with a global impact of 3%, and Formbook with a global impact of 2%.

1. ↔ FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
2. ↔ Qbot – Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008. It was designed to steal a user’s credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection. Commencing in 2022, it emerged as one of the most prevalent Trojans.
3. ↔ Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. Formbook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.

Top exploited vulnerabilities 

Last month, “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 51% of organizations globally, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection” with a global impact of 50% respectively.

1. ↑ Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260) – There is a directory traversal vulnerability on different web servers. The vulnerability is due to an input validation error in a web server that does not properly sanitize the URI for the directory traversal patterns. Successful exploitation allows unauthenticated remote attackers to disclose or access arbitrary files on the vulnerable server.
2. ↓ Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
3. ↑ Zyxel ZyWALL Command Injection (CVE-2023-28771) – A command injection vulnerability exists in Zyxel ZyWALL. Successful exploitation of this vulnerability would allow remote attackers to execute arbitrary OS commands in the effected system.

Top Mobile Malwares

Last month Anubis remained in first place as the most prevalent Mobile malware, followed by AhMyth and Hiddad.

1. Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
2. AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.

1. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.

Top-Attacked Industries Globally

Last month, Education/Research remained in first place in the attacked industries globally, followed by Government/Military and Healthcare.

1. Education/Research
2. Government/Military
3. Healthcare

Top Ransomware Groups
This section features information derived from almost 200 ransomware “shame sites” operated by double-extortion ransomware groups. Cybercriminals use these sites to amplify pressure on victims who do not pay the ransom immediately. The data from these shame sites carries its own biases, but still provides valuable insights into the ransomware ecosystem, which is currently the number one risk to businesses.

LockBit3 was the most prevalent ransomware group last month, responsible for 20% of the published attacks, followed by Play with 8%, and 8base with 7%.

1. Lockbit3 – LockBit3 is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States.
2. Play – Play is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.
3. 8base – The 8Base threat group is a ransomware gang that has been active since at least March 2022. It gained significant notoriety in mid-2023 due to a notable increase in its activities. This group has been observed using a variety of ransomware variants, with Phobos being a common element. 8Base operates with a level of sophistication, evidenced by their use of advanced techniques in their ransomware. The group’s methods include double extortion tactics.