*Banking Trojans and botnets, previously classified as two distinct types, are combined in a single category. As many banking Trojans have received additional functionalities, making the differentiation between the two categories less distinct, we introduce the category “multipurpose malware” to include both.*
*The map displays the cyber threat risk index globally, showing the main risk areas around the world.*
Data collected in 2022 shows a continued rise in attacks against all industries. The most targeted are educational and research institutions, with an average of 2,314 attacks per week per organization, an increase of more than 40% from 2021. Attacks on the healthcare sector registered the highest surge, 74% more attacks than last year, placing it as the third most targeted industry in this index. From hospitals and clinics to research facilities, attackers have been focusing on the healthcare industry since the beginning of the COVID-19 pandemic, seeking financial gain. 89% of healthcare organizations reported cyberattacks within the last year, with an average total cost reaching $4.4M. Reported attacks included one on CommonSpirit Health, the second largest non-profit hospital chain in the US. CommonSpirit, which operates 140 hospitals, reported that data of more than 600K patients was stolen, and the attack resulted in medical harm to patients. Hospitals in New York were hit by ransomware in November, leaving medical systems down for weeks after the attack. An attack on the Dallas-based Tenet Healthcare corporation, which operates hundreds of medical sites, caused disruption to acute care operations. Among the ransomware groups reported to target healthcare organizations are LockBit, BlackCat, Cuba, Zeppelin and more.
The proportion of email-delivered attacks has increased, reaching a staggering record of 86% of all file-based in-the-wild attacks. Data shows an increase in the use of various archive file formats as threat actors attempt to conceal malicious payloads. When a payload is placed inside a password-protected archive, its functionality stays hidden until the archive is extracted, which makes identifying it as malicious especially challenging for security products. Zip files are the most commonly used format for this purpose, but .img and .iso files also appear among the top malicious archive types, since their extraction functionality is built into Windows or into very popular tools. Archive files are often used to bypass the mark-of-the-web based protection mechanism.
Data comparisons presented in the following sections of this report are based on data drawn from the Check Point ThreatCloud Cyber Threat Map between January and December 2022.
For each of the regions below, we present the percentage of corporate networks impacted by each malware family, for the most prevalent malware in 2022.
Climbing back from fourth place in Check Point’s 2021 most prevalent malware list, Emotet has regained its position at the top of the 2022 table, affecting 10% of all corporate networks. Initially discovered in 2014 as a banking Trojan, Emotet has developed into a significant multipurpose malware, serving as an initial access malware used by sophisticated Eastern European cyber criminals. Identified as one of the major cyber threats, Emotet was taken down in January 2021 in a global law enforcement operation, only to resurge by the end of that year. On its return, Emotet was distributed with Trickbot’s assistance and later deployed large-scale spam campaigns with malicious Office documents. Because Emotet relied heavily on exploiting Office macros, Microsoft’s intention to disable VBA macros in documents obtained from the internet was expected to affect its distribution. Emotet’s operators prepared for the change, experimenting with alternative file types including .lnk, .xll, .zip and .iso files. In November, Emotet returned from one of its routine breaks and went back to its previous weapon of choice: Excel files with malicious macros. To bypass the Mark-of-the-Web limitations, the attached maldocs displayed detailed instructions directing users to copy the files into the trusted “Templates” folder. Emotet continues to use the email thread hijacking technique and customizes email content according to the targeted country. Emotet was observed deploying other malware families such as IcedID and XMRig on victim systems. Other Emotet campaigns in 2022 include a campaign targeting IKEA employees, a US phishing campaign impersonating the IRS during the 2022 tax season, and many more. Infostealers occupied a central place in this year’s table, with four of the most commonly used stealers, AgentTesla, Formbook, SnakeKeylogger and LokiBot, occupying the top six places in our top malware list.
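As an added example (not code from the Check Point report), the following Python mail-gateway check applies the archive patterns described above to a ZIP attachment: it flags password-protected entries whose content is hidden from scanners, nested containers such as .iso and .img that carry no mark-of-the-web after extraction, and the alternative payload types Emotet experimented with. The extension lists, verdict rules and the sample archive are assumptions constructed for illustration.

```python
"""Flag ZIP attachments that match archive-based evasion patterns.

Added example, not from the Check Point report. Extension sets and
verdict thresholds are assumptions chosen for illustration.
"""
import io
import os
import zipfile

# Container formats the report lists as abused; a container inside a
# container is a red flag because inner files lose the mark-of-the-web.
CONTAINER_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
# Payload types seen as macro alternatives, plus macro-enabled Office files.
SUSPICIOUS_EXTS = {".lnk", ".xll", ".exe", ".js", ".vbs", ".xlsm", ".docm"}


def inspect_zip(data: bytes) -> dict:
    """Return findings for a ZIP attachment supplied as raw bytes."""
    findings = {"encrypted": False, "nested": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bit 0 of the general purpose flag marks a password-protected
            # entry: the name is visible but the content cannot be scanned.
            if info.flag_bits & 0x1:
                findings["encrypted"] = True
            ext = os.path.splitext(info.filename.lower())[1]
            if ext in CONTAINER_EXTS:
                findings["nested"].append(info.filename)
            elif ext in SUSPICIOUS_EXTS:
                findings["suspicious"].append(info.filename)
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a gateway action (assumed policy, not a standard)."""
    if findings["encrypted"] or findings["nested"]:
        return "quarantine"
    if findings["suspicious"]:
        return "sandbox"
    return "allow"


def build_sample() -> bytes:
    """Constructed sample: a ZIP wrapping an ISO and a .lnk, as a lure might."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2022.iso", b"constructed, not a real image")
        zf.writestr("invoice_2022.lnk", b"constructed, not a real shortcut")
        zf.writestr("readme.txt", b"please open the attached invoice")
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_zip(build_sample())
    print(result, "->", verdict(result))
```

The standard library cannot write password-protected ZIPs, so the encrypted branch is exercised only on real attachments; the constructed sample covers the nested-container and alternative-payload cases.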
The popularity of infostealers is connected to the growing market for stolen credentials and their availability to threat actors for relatively low prices. One emerging technique among cybercriminals is to use infostealers for widespread infections that are not specifically focused on corporate networks. After the initial infection, cybercriminals mine the stolen data to identify corporate VPN credentials, which allow them to gain initial access to corporate networks.
As in our last midyear report, two malware categories, banking Trojans and botnets, which were previously classified as distinct types, have been merged. As many banking Trojans have received additional functionalities, making the differentiation between the two categories less distinct, we introduce the unified category “multipurpose malware”. Comparisons in this category therefore relate to the last midyear report rather than to older annual data.
Emotet and Qbot have increased their relative activity and now account for more than 60% of infection attempts in this category. Raspberry Robin is a new entrant to the multipurpose list. First detected in September 2021, spreading via infected USB devices and wormable capabilities, Raspberry Robin has become one of the largest active malware distribution platforms within a year. It was reported to deploy various other malware families, including IcedID, Bumblebee and ransomware brands such as Clop and LockBit. With possible ties to Evil Corp, this malware constitutes a serious new threat.
The Phorpiex botnet, which has been known for distributing other malware families via spam campaigns, as well as for fueling large-scale spam, sextortion campaigns and ransomware spread, started 2022 with crypto-transaction hijacking and continues its expansion, occupying the fourth place in the multipurpose table.
Glupteba has fully returned from the 2021 takedown operation carried out by Google. This malware features a variety of capabilities including a credential stealer, crypto miner, router exploiter and more. However, Glupteba is best known for its use of the bitcoin blockchain as its C&C infrastructure to receive configuration information. Glupteba’s use of bitcoin records improves its resilience against takedowns, since blockchain transactions cannot be deleted, although the same property leaves them exposed to public inspection. Tracking Glupteba’s activity through the blockchain has exposed a large ongoing campaign which started in June 2022.
The growing market for stolen credentials and cookies, which are later used in the evolving life cycle of access brokers, ransomware affiliates and RaaS suppliers, has contributed to the growing popularity of infostealers. Check Point data reveals a steady increase in infostealer use, affecting 18% of corporate networks in 2020, 21% in 2021 and reaching as much as 24% of all organizations in 2022. Infostealers are sold on underground forums for a monthly subscription fee that ranges between $60 and $1,000, to threat actors of varying levels of technical knowledge. This market, which was previously divided between multiple smaller malware families, has consolidated, and this year three brands, AgentTesla, Formbook and SnakeKeylogger, are responsible for 71% of the infostealer attacks monitored by Check Point.
Formbook, detected in 20% of infostealer cases, is a commodity malware sold as-a-service on underground forums since 2016. It is designed to collect keystrokes, search and access files, take screenshots, harvest browser credentials, and download and deploy additional payloads. It has been used by multiple actors and is often distributed via email attachments in formats including PDF, DOC, RTF, EXE, ZIP and RAR. Formbook was deployed this year in campaigns targeting Ukraine and in numerous other campaigns.
The SnakeKeylogger modular .NET infostealer has tripled its ranking compared to our 2021 top malware statistics. Snake first surfaced around late 2020 and quickly grew in popularity among cyber criminals. Snake’s main functionalities include recording keystrokes, taking screenshots, and harvesting credentials and clipboard content, in addition to supporting exfiltration of the stolen data over both HTTP and SMTP. In August, researchers observed SnakeKeylogger in a malspam campaign spreading via phishing emails that targeted IT firms located in the US.
The crypto market cap fell dramatically in 2022, losing nearly $2 trillion from a record $2.9T in November 2021. Low crypto rates combined with increased mining costs affect mining profitability, and with it the motivation for cryptomining. This explains the decrease in cryptominers’ visibility from 21% in 2021 to 16% globally in 2022. This decline has left XMRig, a legitimate open-source mining tool, as the most dominant tool used by attackers for malicious purposes. XMRig was used in 76% of cryptomining attacks in 2022 and, as reported in the CPIRT chapter, often marks a breach which could later lead to the deployment of other malware.
LemonDuck, a relatively new cryptomining malware, has no legitimate use, and since its initial detection in 2019 it has added extensive malicious functionalities including credential stealing and lateral movement. As LemonDuck is equipped with the ability to drop additional tools for human-operated attacks, its detection should be treated seriously as a possible precursor of severe attacks.
Joker, an Android mobile malware, is a stealer capable of accessing SMS messages, contact lists and device information, but it mostly generates income through unauthorized subscriptions to paid premium services. Joker uses its access to SMS messages to authenticate requests and authorize payments. Joker (aka Bread) was first identified in 2017, concealed in more than 1,700 benign-looking applications offered on the Google Play Store. The malware resurged this year, hiding in at least 8 applications on the Google Store with more than 3 million downloads in 2022, and climbed to the top of Check Point’s global mobile malware list.
Anubis is a banking Trojan designed for Android mobile phones. Since it was initially detected in 2017, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogging, and audio recording capabilities. It has been detected in hundreds of different applications available on the Google Store, reaching Check Point’s top mobile malware list earlier this year.