Banking Trojans and botnets, previously classified as two distinct types, are combined in a single category. As many banking Trojans received additional functionalities, making the differentiation between the two categories less distinct, we introduce the category “multipurpose malware” to include both genres.
The biggest change this year regarding cyberattack categories comes from ransomware. Each region is facing more of these attacks, with APAC leading the way (12% of organizations compared to 4% in H1 2021). This is no surprise when we look at how ransomware actors have evolved this year, and unfortunately it looks set to get worse.
The map displays the cyber threat risk index globally, demonstrating the main risk areas around the world.
Similar to what we saw in our 2021 top industry ranking, the first half of 2022 displays significant rises in attacks against all sectors alike. Education and Research still leads as the most targeted industry, with an average of 2,297 attacks against organizations every week, a 44% increase compared to 2021. In addition, Healthcare is still one of the most targeted sectors globally, with a 69% increase compared to 2021. This is the highest increase of all industries, going hand-in-hand with the multiple breaches of varying scale we observed against healthcare organizations during that period.
The proportion of email-delivered attacks has gradually risen to reach a staggering record of 89% of all in-the-wild attacks. Email-delivered attacks typically include socially engineered content intended to convince recipients to open an attachment, often a PDF or Office file (75% of attachments). Many mass-distributed campaigns, with Emotet being the most extensive, use this tactic. However, as important as user awareness and email protection solutions are, they are not enough to ensure full protection. Data collected from the Check Point Incident Response Team (see the last chapter in this report) shows that of the cases handled by our IR team with a known entry point, only 17% of successful breaches originated from an SMTP attack. This puts extra emphasis on alternative attack vectors and on the importance of rapid protection publication and vulnerability patching.
Data comparisons presented in the following sections of this report are based on data drawn from the Check Point ThreatCloud Cyber Threat Map between January and June 2022.
For each of the regions below, we present the most prevalent malware.
The Emotet botnet has reclaimed its rightful place at the top of the global top malware chart. In our last yearly report summarizing 2021, Emotet fell to 4th place in the chart, but still impacted approximately 5% of corporate networks worldwide. In the last couple of years, Emotet has been on quite a journey. In early 2021, the malware was taken down in a global operation involving multiple law enforcement agencies and national authorities, in which researchers gained control of its infrastructure. By the end of the year, however, Emotet was back in business. Within two months, the malware resumed operating at approximately 50% of its former attack volume, relying on Trickbot - yet another botnet superpower - as its dropper. Since the end of 2021 and well into 2022, Emotet has been continuously active, carrying out spam campaigns of all kinds. These include a campaign targeting IKEA employees using the thread hijacking technique, which relies on legitimate internal corporate emails; a US phishing campaign impersonating the IRS during the 2022 tax season; a financial theft campaign aimed at collecting credit card information stored in Google Chrome; and many more. Emotet operators even managed to recover quickly from the launch of a faulty campaign that used a broken installer, which prevented victim infection. It is therefore not surprising that, according to data collected by CPR, Emotet has impacted approximately 12% of all corporate networks globally.
In the first half of 2022, we saw the demise of a significant malware family - Trickbot. In our report summarizing 2021, Trickbot claimed first place in the global malware chart, with an impact on approximately 11% of all corporate networks. In February, the banker-turned-botnet’s operators shut down their attack infrastructure following months of inactivity, with no new campaigns observed by CPR in early 2022 after its delivery of Emotet.
Finally, Dridex, another prominent botnet, left the top chart for the first time in years. The botnet was originally developed as a credential-stealing malware utilizing malicious macros.
Percentage of corporate networks attacked by each malware family
We combined banking Trojans and botnets, previously classified as two distinct types, into a single category. As many banking Trojans received additional functionalities, which makes the differentiation between the two categories less distinct, we introduce the unified category “multipurpose malware.”
In 2022, Glupteba is one of the most dominant multipurpose malware families in the wild, taking third place in the chart with involvement in approximately 5% of all corporate networks. This malware features a variety of capabilities including a rootkit, a router attack tool, a credential stealer, a crypto miner and more. However, Glupteba is best known for its unique use of the Bitcoin blockchain as its C&C infrastructure for receiving configuration information. Glupteba’s high activity rate in 2022 is curious, since in December 2021 Google carried out a takedown operation to put a halt to its attack activities.
The operation involved both legal and technical steps. First, the company, in collaboration with industry partners, disrupted key C&C infrastructure to halt the communications between the botnet operators and the infected bots. Glupteba’s innovative C&C technology allows it to swiftly find an alternative C&C server, in case its current server is shut down, by scanning the blockchain, which is maintained daily by hundreds of thousands of nodes taking part in Bitcoin transactions. The technological complexity of the botnet’s communication method led Google to incorporate legal steps into the operation: the company took part in a civil lawsuit against the alleged operators of the blockchain-enabled botnet. Despite the large-scale operation, in March 2022 researchers observed a new massive campaign involving Glupteba and Trickbot. The campaign targeted MikroTik routers and was designed to form a botnet-as-a-service infrastructure.
Still topping the chart is Formbook, a commodity infostealing malware sold as-a-service on underground forums since 2016, designed to collect information via keylogging. In March, a malicious campaign involving Formbook was found to be targeting Ukrainians with spam emails, luring victims with fake funding approval letters from the government. Shortly afterwards, in April, CPR detected a peak in Formbook’s activity.
The Snake Keylogger modular .NET keylogger/infostealer is a first-time entrant in our chart. Snake first surfaced around late 2020 and quickly grew in popularity among cybercriminals. Snake’s main functionalities include recording keystrokes, taking screenshots, and harvesting credentials and clipboard content, in addition to supporting exfiltration of the stolen data over both HTTP and SMTP. It is usually spread through emails that contain DOCX or XLSX attachments with malicious macros.
However, in May researchers reported that Snake Keylogger was spreading through PDF files. This could be due in part to Microsoft blocking, by default, macros in Office files downloaded from the internet, compelling cybercriminals to explore new file types such as PDFs.
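The two attachment vectors described above (macro-bearing Office documents and, as macros get blocked, PDFs with active content) can be triaged at the mail gateway before a user ever opens them. The following Python script is an added example, not code from the report or from any Check Point product: it parses a raw MIME message, and for each attachment checks an OOXML file for an embedded VBA project and a PDF for action or script markers. The sample message, its attachment names and its payloads are constructed for the example; the indicator lists are illustrative, not a complete signature set.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the report names as the bulk of malicious attachments.
OFFICE_OOXML = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# PDF dictionary keys that allow a document to run code or launch actions on open.
PDF_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def inspect_attachment(filename, data):
    """Return a dict describing one attachment and any risk indicators found."""
    ext = os.path.splitext((filename or "").lower())[1]
    result = {"filename": filename, "kind": "other", "indicators": []}
    if ext in OFFICE_OOXML:
        result["kind"] = "office"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            result["indicators"].append("not a valid OOXML zip")
            return result
        # OOXML stores VBA macros in vbaProject.bin regardless of extension,
        # so a .docx renamed from .docm still gets flagged.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            result["indicators"].append("VBA macro project present")
    elif ext == ".pdf":
        result["kind"] = "pdf"
        for marker in PDF_MARKERS:
            if marker in data:
                result["indicators"].append(marker.decode())
    return result


def triage_message(raw):
    """Parse a raw RFC 5322 message and inspect every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings.append(inspect_attachment(part.get_filename(), data))
    return findings


def build_sample_message():
    """Constructed sample: a macro-enabled document and a PDF with an OpenAction."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder macro blob
    docm = buf.getvalue()
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
           b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
           b"%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Each attachment that comes back with a non-empty indicator list is a candidate for detonation in a sandbox or for quarantine; the point is that a PDF gets the same scrutiny as a macro document, rather than being waved through because macros are blocked.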
Finally, we note that the popular Raccoon stealer left the ranks. A report in March stated that a key member of the malware-as-a-service operation was possibly affected by the conflict in Eastern Europe, and all activities were temporarily suspended. Nevertheless, Raccoon resurfaced in June with the newly developed Raccoon Stealer V2, integrating improvements and new features.
The crypto market saw a drastic decrease in value in H1, losing nearly $2 trillion from a record $2.9T market cap in November 2021. Low crypto rates affect mining profitability and with it the motivation for cryptomining. This explains cryptominers’ visibility decreasing from 21% in 2021 to 15% globally in the first half of 2022. However, the hierarchy among the different types remained the same.
XMRig, a legitimate open-source mining tool that attackers use for malicious purposes, remains the most common tool for unauthorized mining. LemonDuck, a relatively new cryptomining malware with no legitimate use, also has extensive malicious functionalities including credential stealing and lateral movement. As LemonDuck is equipped with the ability to drop additional tools for human-operated attacks, its detection should be treated seriously as a precursor to severe attacks.
AlienBot, a banking Trojan for Android sold underground as Malware-as-a-Service (MaaS), has taken over the top of the chart. This Trojan supports keylogging and dynamic overlays for credential theft, as well as SMS harvesting for Two-Factor Authentication (2FA) bypass. In addition, AlienBot can gain remote control capabilities by abusing legitimate TeamViewer modules.
FluBot, another Android banking malware, started to emerge in late 2020, spreading via “smishing” (SMS phishing). It uses SMS messages as the attack vector for malware distribution and sends the same SMS to all of the initial victim’s contacts, generating exponential spread. In January, the malware re-emerged in a new campaign leveraging fake Adobe Flash Player updates to steal banking credentials.
FluBot eventually gained a lot of attention, and in June, an international law enforcement operation involving 11 countries led to its infrastructure takedown, rendering the malware inactive.
Lastly, Cerberus, first seen in the wild in June 2019, is a Remote Access Trojan (RAT) with specific banking screen overlay functions for Android devices. Cerberus has been operating as Malware-as-a-Service (MaaS), and its features include SMS control, keylogging, audio recording, location tracking, and more. This well-known malware is so widespread partly due to the availability of its source code, which was leaked after a failed auction in 2020, offering threat actors the possibility to customize their own versions.