Trickbot tops most popular malware in September 2021

Check Point Research has revealed that Trickbot is once again the most popular malware, according to a Global Threat Index report for September 2021. A remote access trojan, njRAT, was also added to the top 10 report for first time ever.

TrickBot traces its roots back to 2016 as a modular banking trojan designed to steal financial data, credentials and personal data, as well as distribute other malware to infected systems.

Bad actors typically delivered TrickBot via email campaigns based on current events (such as COVID-19) or financial incentives to trick users into opening up malicious file attachments (such as Word or Excel macro-enabled docs).

Over the past several years, TrickBot added detection evasion features and redirect victims to fake websites to steal banking credentials, just to name a few.

Last year, researchers discovered TrickBot further added a propagation module with nworm to evade detection and target Active Directory domain controllers.

According to the latest Check Point Research (CPR) report, Trickbot continued to add new features and gain popularity after authorities took down Emotet in January of this year.

“It is constantly being updated with new capabilities, features and distribution vectors which enables it to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns,” CPR wrote in a blog post on October 8, 2021.

However, one of the Trickbot group’s members was arrested in the same month of September after previous US cybercriminal investigations.

Top malware families

According to the research, the top ten most popular malware families include (as of September, 2021):

1. Trickbot banking trojan and modular botnet
2. Formbook infostealer
3. XMRig cryptocurrency CPU mining malware
4. Agent Tesla remote access trojan (RAT)
5. Glupteba backdoor
6. Remcos remote access trojan (RAT)
7. Tofsee backdoor trojan
8. Ramnit banking trojan
9. Floxif infostealer and backdoor
10. njRAT remote access trojan (RAT).

In addition to the newly added njRAT trojan, Trickbot, XMRig, Tofsee, and Floxif also moved up the list as compared to the previous month. The others dropped or remained the same from August.

CPR also added that Trickbot affected 4% of organizations worldwide. Whereas Formbook and XMRig each impacted 3% of all global entities.

To add, xHelper, AlienBot and FluBot were the most popular mobile malware threats.

Top most exploited Vulnerabilities

Moreover, CPR also listed these top 10 most exploited vulnerabilities:

1. Web Server Exposed Git Repository Information Disclosure
2. Command Injection Over HTTP
3. HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756)
4. Web Servers Malicious URL Directory Traversal (CVE-2010-4598, CVE-2011-2474, CVE-2014-0130, CVE-2014-0780, CVE-2015-0666, CVE-2015-4068, CVE-2015-7254, CVE-2016-4523, CVE-2016-8530, CVE-2017-11512, CVE-2018-3948, CVE-2018-3949, CVE-2019-18952, CVE-2020-5410, CVE-2020-8260)
5. MVPower DVR Remote Code Execution
6. Dasan GPON Router Authentication Bypass (CVE-2018-10561)
7. Apache Struts2 Content-Type Remote Code Execution (CVE-2017-5638, CVE-2017-5638, CVE-2019-0230)
8. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160, CVE-2014-0346)
9. NoneCMS ThinkPHP Remote Code Execution (CVE-2018-20062)
10. Netgear DGN Unauthenticated Command Execution.

CPR explained that the top 3 on this list each impacted almost half of organizations worldwide.

“CPR also revealed this month that ‘Web Server Exposed Git Repository Information Disclosure’ is the most commonly exploited vulnerability, impacting 44% of organizations globally, followed by ‘Command Injection Over HTTP’ which affects 43% of organizations worldwide. ‘HTTP Headers Remote Code Execution’ takes third place in the top exploited vulnerabilities list, with a global impact of 43% as well,” CPR said in the report.

It is also noteworthy that some of these vulnerabilities have continued to be the most commonly exploited vulnerabilities for several years now, such as IoT vulnerability exploits or Verint’s Top 20 most exploited vulnerabilities released in December 2019.

Also, external facing systems, such as web servers, routers and remote virtual private network (VPN) devices continue to be popular targets.

Readers can review the full Check Point Research report for more details, as well as related articles below.

Related Articles

• Botnet malware targets Linux systems and cloud management tools
• Hackers exploit Apache Solr instances with cryptocurrency miner
• Oracle vulnerability exploited to deliver dual Monero miners
• Spearphishing campaign targets Oil and Gas sector to drop Agent Tesla malware
• Agent Tesla malware discovered
• HawkEye Reborn: Password Stealer and Keylogger threat
• Worm uses removable drives to install BLADABINDI backdoor
• The top 20 vulnerabilities to patch now (that are most under attack)
• Cobian RAT backdoor threat
• Alert: Attackers exploiting Pulse Connect Secure vulnerabilities (updated)
• New Mirai variant exploits IoT devices
• The top 20 vulnerabilities to patch now (that are most under attack)
• New Mirai variant exploits IoT devices
• Apache patches two Struts 2 vulnerabilities
• QNAP and other network storage makers issue security advisories on OpenSSL flaws
• Netgear fixes high risk vulnerability in multiple routers and network devices
• APKPure Android store app infected with malware
• FluBot: Beware of this Android password-stealing malware