Check Point Research reports that Trickbot trojan continues to remain the top malware threat in the UAE with a significant increase in its impact while Floxif makes a leap to the second spot.
Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for May 2021. Researchers reported that Trickbot trojan continues to target an increasing number of organizations every month in the UAE, impacting an imposing 15% in May 2021 as compared to 9% in April 2021. Floxif, an info stealer and backdoor designed for Windows OS which was used in 2017 as part of a large scale campaign in which attackers inserted Floxif (and Nyetya) into the free version of CCleaner (a cleanup utility), thus infecting more than 2 million users, amongst them large tech companies such as Google, Microsoft, Cisco, and Intel, now shows an increase in activity as it targets close to 5% of users in the UAE as compared to 2% in April 2021.
Taking first place in the index is Trickbot, which is a botnet and banking Trojan that can steal financial details, account credentials, and personally identifiable information, as well as spread within a network and drop ransomware, particularly Ryuk. It is constantly being updated with new capabilities, features and distribution vectors, which enables it to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns. Trickbot gained popularity after the takedown of the Emotet botnet in January, and made fresh headlines this week as the US Justice Department charged a Latvian woman for her role in creating and deploying the Trickbot malware.
Since the beginning of 2021, CPR has seen a significant increase in the volume of cyberattacks towards enterprises. When comparing to May 2020 CPR has seen an increase of 97% in the number of cyberattacks in the EMEA.
“Although there have been a lot of talks about the recent increase in ransomware attacks, we are actually seeing a huge surge in the number of cyberattacks in general. This trend is very extensive and concerning,” said Ram Narayanan, Country Manager, Check Point Software Technologies Middle East. “It’s reassuring to see that charges have been filed in the fight against Trickbot, this month’s most prevalent malware, but clearly there is still a long way to go. The fact that this trojan is incrementally affecting more and more organizations every month in the UAE shows how sophisticated and relentless cyber criminals are in developing their actions. Businesses need to be aware of the risks and ensure adequate solutions are in place, but also remember that attacks cannot only be detected, they can also be prevented, including zero-day attacks and unknown malware. With the right technologies in place, the majority of attacks, even the most advanced ones can be prevented without disrupting the normal business flow.”
CPR also revealed that “Web Server Exposed Git Repository Information Disclosure” is still the most common exploited vulnerability, affecting 48% of organizations globally, followed by “HTTP Headers Remote Code Execution (CVE-2020-13756)” which impacts 47.5% of organizations worldwide. “MVPower DVR Remote Code Execution” ranks in third place in the top exploited vulnerabilities list, with a global impact of 46%.
Top malware families
*The arrows relate to the change in rank compared to the previous month.
Trickbot upholds its position as the most popular malware in the UAE impacting 15% of the organizations, followed by FLoxif and xHelper which equally impact 5% of organizations each.
- Trickbot is a modular Botnet and Banking Trojan that targets the Windows platform, mostly delivered via spam campaigns or other malware families such as Emotet. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules: from a VNC module for remote control, to an SMB module for spreading within a compromised network.
- Floxif is an info stealer and backdoor, designed for Windows OS. It was used in 2017 as part of a large scale campaign in which attackers inserted Floxif (and Nyetya) into the free version of CCleaner (a cleanup utility) thus targeting large tech companies and infecting more than 2 million users, amongst them large tech companies such as Google, Microsoft, Cisco, and Intel.
- A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application is capable of hiding itself from the user and reinstall itself in case it was uninstalled.
Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 3 billion websites and 600 million files daily, and identifies more than 250 million malware activities every day.
The complete list of the top 10 malware families in May can be found on the Check Point blog.