Check Point has released its Global Threat Index report for January 2023, which shows AgentTesla returning to the third spot (from the ninth in December 2022) in the January 2023 Most Wanted Malware list. The Lokibot infostealer has also grown substantially, from not being in the top 10 list to second place.
Further, the infostealer Vidar has returned to the top 10 list after an increase in instances of "brandjacking," and was observed spreading through fake domains claiming to be associated with remote desktop software company AnyDesk.
“The malware used URL jacking for various popular applications to redirect people to a single IP address claiming to be the official AnyDesk website. Once downloaded, the malware masqueraded as a legitimate installer to steal sensitive information,” Check Point wrote.
The latest version of the company’s global threat index also identified a major campaign dubbed "Earth Bogle" that relied on the njRAT malware and targeted entities across North Africa and the Middle East.
“The attackers used phishing emails containing geopolitical themes, enticing users to open malicious attachments,” reads the report. “Once downloaded and opened, the Trojan can infect devices, allowing attackers to conduct numerous intrusive activities to steal sensitive information.”
Qbot remained the most wanted malware in January 2023, and the industries targeted more consistently by threat actors (education/research, government/military and healthcare) remained the same compared to December 2022.
The web server flaw that exposed GitHub repository information in October was at the top of the most exploited vulnerabilities in January, followed by HTTP headers remote code execution (RCE) flaws and the MVPower DVR RCE bug.
“Once again, we’re seeing malware groups use trusted brands to spread viruses, with the aim of stealing personal identifiable information. I cannot stress enough how important it is that people pay attention to the links they are clicking on to ensure they are legitimate URLs,” commented Maya Horowitz, VP of research at Check Point Software.
“Look out for the security padlock, which indicates an up-to-date SSL certificate, and watch for any hidden typos that might suggest the website is malicious.”
Case in point, a malicious package using typosquatting techniques was recently discovered by ReversingLabs on the open-source JavaScript npm repository.