During 2021, global cyber attacks against corporate networks increased by 50% compared to 2020. The “Education/Research” category leads as the most targeted sector, with an average of 1,605 attacks per organization every week (a 75% increase), while the “Software Vendor” category shows the largest year-on-year growth, with an increase of 146%. The rise in attacks against software vendors goes hand-in-hand with the ever-growing trend of software supply chain attacks observed during 2021.
The charts above indicate that the email attack vector has steadily established itself as a favorite, while the use of websites to distribute malware payloads has slowly diminished since the beginning of 2020.
Whether used in a targeted attack, or as part of an opportunistic campaign by a novice attacker, email-based attacks allow for the easy distribution of malware to a wide array of targets and corporations.
One of the reasons for this rise in email-based attacks is the massive number of high-profile campaigns sponsored and run by large crime groups, who distribute the most prominent malware families today, such as TrickBot, Dridex, Qbot, IcedID, or Emotet.
Once these gangs realized the effectiveness of spam campaigns carrying malicious Office document attachments, they adopted this technique almost exclusively as their main infection vector into new networks.
Data comparisons presented in the following sections of this report are based on data drawn from the Check Point ThreatCloud Cyber Threat Map between January and December 2021. For each of the regions below, we present the most prevalent malware.
Some noticeable changes since our last yearly global malware ranking are that RigEK (Exploit Kit) and the LokiBot infostealer are no longer present in our top 10, replaced by the Glupteba botnet and Remcos RAT.
TrickBot rose to the top of the chart in February, replacing Emotet, and kept this ranking for the rest of 2021. TrickBot is a modular botnet and banking Trojan that targets the Windows operating system. It is credited with Emotet’s revival in November 2021, as it was found distributing its fellow malware. TrickBot is constantly being updated with enhanced capabilities, features and distribution vectors, making it a flexible and customizable malware that can be distributed as part of multi-purpose campaigns. It served as a popular means of initial access in targeted attacks, followed by malware such as Ryuk, Conti or Bazar. Despite TrickBot’s brief takedown in October 2020, it remained prominent in our top malware charts throughout 2021, and was involved in one of the most serious ransomware attacks of the year, the Conti ransomware attack on Ireland’s Health Service Executive.
Phorpiex is a botnet which at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns, as well as for fueling large-scale spam, sextortion campaigns and ransomware spread. Phorpiex, which hit its low mid-year, ended 2021 with a higher ranking than it had a year earlier. In December, Check Point Research spotted Phorpiex’s resurgence with a brand-new variant called “Twizt”, which enables it to operate in peer-to-peer mode without active C&C servers. In one year, Phorpiex bots successfully hijacked 969 cryptocurrency transactions and stole 3.64 Bitcoin, 55.87 Ether, and US$ 55,000 in ERC20 tokens, amounting to almost half a million US dollars.
Overall, we are seeing the same malware families in our top global botnet chart as in 2020, with minor changes in the prevalence of each family. Dridex, for example, went down from second to fourth place, whereas TrickBot rose to first place.
Emotet, one of the most infamous malware groups, has been operating in intervals since 2014, first as a banking Trojan and later as a botnet. It now appears in the number three spot on the top botnet chart. Emotet was widespread before its takedown in January 2021, affecting more than 1.5 million machines globally, with damages estimated at around $2.5 billion. It is notorious for spreading other malware families, including TrickBot, Qbot and more.
The botnet marketplace this year was drastically affected by Emotet’s downfall. Emotet is one of the largest PC botnet operations, and its absence left a vacuum filled by TrickBot, IcedID and, more recently, Phorpiex. On November 15, just 10 months after the takedown, machines infected with TrickBot started to drop Emotet samples. Computers were increasingly compromised by a large malspam campaign that leveraged malicious documents containing the Emotet payload.
We note that both our H1 2021 and full-year 2021 charts showed Emotet in the top three places, despite nine months of no activity, a tribute to its unequaled reach.
The infostealer landscape is still dominated by several stealthy malware families. AgentTesla, a prominent commodity infostealer first discovered in 2014, showed a significant decrease in prominence compared to 2020, with a drop of 50%. LokiBot, a commodity infostealer that emerged in 2016, experienced a similar decrease.
Topping the chart is Formbook, a commodity info-stealing malware sold as-a-service on underground forums since 2016. The malware is designed to collect information via keylogging. In mid-2021, a new Formbook variant was detected in the wild, distributed in a phishing campaign that leveraged PowerPoint documents as email attachments for malware delivery.
Another malware-as-a-service that entered our top malware statistics for the first time is Raccoon. This infostealer, sold on the Dark Web for at least two years, offers its affiliates a well-maintained platform featuring rapid bug fixes and automated updates both to its payload and to the malware already installed on victim machines.
Raccoon’s recent updates include the ability to steal cryptocurrency, drop further malware, and spread via Google SEO poisoning instead of phishing emails. The current campaign attempts to lure its victims by offering cracked software licenses.
XMRig, a legitimate Monero mining tool leveraged by threat actors for malicious purposes, not only continues to top the crypto miner chart, but also rose in popularity by over 25% compared to 2020. Two malware families entered the cryptominer chart for the first time this year: LemonDuck, which is already second to XMRig, and Cryptobot.
LemonDuck, which showed an over 50% growth in attack rate compared to the mid-year statistics, is a self-propagating cryptomining botnet that features credential theft, detection evasion and lateral movement capabilities. LemonDuck also functions as a malware downloader, and is often observed dropping the Ramnit Trojan.
Cryptobot is an advanced crypto miner that collects the victim’s wallet and account information upon infection. In December, Cryptobot was observed in a campaign targeting users of pirated copies of the Windows operating system. The campaign leverages a dedicated activation tool called KMSPico, which tricks Windows Key Management Services (KMS) into authenticating a pirated copy of Windows as legitimate. When a user downloads a trojanized version of the tool, Cryptobot is silently installed by background processes. Similar to LemonDuck, Cryptobot was previously detected utilizing the EternalBlue exploit as part of its infection chain.
The banking malware landscape has continued to be dominated by a collection of stealthy, adaptive malware families over the past few years. TrickBot climbed from second place to the top of the global ranks, while Dridex fell from first place to third and is down by almost 60% compared to 2020.
Qbot is an ever-evolving banking malware initially designed to collect banking credentials and keystrokes. It features worm capabilities but also functions as a botnet, and is often used by ransomware campaigns to drop malware on infected devices. In September, Qbot resumed its operations following a three-month break, executing a large-scale spam campaign that leveraged the malware as a botnet and infostealer and distributed the ‘SquirrelWaffle’ malware loader. The recent campaign relied on Visual Basic and Excel 4.0 macros. In November, the monetization stage of the campaign was observed, as the malware dropper began installing the Conti ransomware.
Dridex, yet another banking malware that now features infostealer and botnet capabilities, showed a significant decrease this year. However, in September researchers detected a new Dridex variant, with extended information collection capabilities, spreading in a phishing campaign that featured specially crafted Excel documents. In addition, in December, Dridex was among the first malware families to be distributed in a campaign that exploits the Log4j vulnerability for infection.
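Both the Qbot and the Dridex campaigns above delivered their loaders through Excel documents carrying Excel 4.0 (XLM) macros, typically on a hidden or "very hidden" macro sheet wired to an Auto_Open name. The triage script below is an added example written for this report, not Check Point tooling or code from either campaign: it opens an OOXML workbook, lists macro sheet parts and any VBA project, and reports non-visible sheets and Auto_Open/Auto_Close defined names. The sample workbook it scans is constructed in memory with an inert HALT() cell, so nothing here contains a real payload; the part names and namespaces are the standard OOXML ones.

```python
"""Triage helper for Excel 4.0 (XLM) macro indicators in OOXML workbooks.
Added example, not Check Point code.  The sample workbook is constructed
in memory for demonstration and carries no payload."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"


def scan_workbook(data: bytes) -> dict:
    """Return XLM/VBA indicators found in an .xlsx/.xlsm byte string.

    macrosheets: zip parts under xl/macrosheets/ (Excel 4.0 macro sheets)
    vba:         True if xl/vbaProject.bin is present
    hidden_sheets: sheet name -> state for sheets that are not visible
    auto_open:   Auto_Open / Auto_Close defined names and their targets
    suspicious:  True when an XLM sheet or an auto-run name is present
                 (a VBA project alone is reported, not flagged, because
                 legitimate .xlsm files carry one too)
    """
    findings = {"macrosheets": [], "vba": False, "hidden_sheets": {},
                "auto_open": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["macrosheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
        findings["vba"] = "xl/vbaProject.bin" in names
        # The content-types manifest is a second, independent signal for XLM parts.
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACROSHEET_CT in ct and not findings["macrosheets"]:
                findings["macrosheets"].append("(declared in [Content_Types].xml only)")
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")   # visible | hidden | veryHidden
                if state != "visible":
                    findings["hidden_sheets"][sheet.get("name")] = state
            for dn in root.iter(f"{{{NS_MAIN}}}definedName"):
                name = dn.get("name") or ""          # built-ins are stored as _xlnm.Auto_Open
                if re.search(r"auto_(open|close)$", name, re.I):
                    findings["auto_open"].append(f"{name} -> {dn.text}")
    findings["suspicious"] = bool(findings["macrosheets"] or findings["auto_open"])
    return findings


def build_sample_workbook(include_xlm: bool = True) -> bytes:
    """Constructed sample (not a real maldoc).  With include_xlm=True it has a
    veryHidden Excel 4.0 macro sheet and an Auto_Open name pointing at it,
    the layout the campaigns above used; with False it is a plain workbook."""
    sheets = '<sheet name="Invoice" sheetId="1" r:id="rId1"/>'
    defined = ""
    overrides = ('<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
    if include_xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        defined = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
        overrides += f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
    workbook_xml = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}">'
                    f'<sheets>{sheets}</sheets>{defined}</workbook>')
    content_types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>')
        if include_xlm:
            # Inert macro sheet: a single HALT() cell, no download or exec formulas.
            zf.writestr("xl/macrosheets/sheet1.xml",
                        f'<macrosheet xmlns="{NS_MAIN}"><sheetData><row r="1">'
                        '<c r="A1"><f>HALT()</f></c></row></sheetData></macrosheet>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("xlm maldoc layout", True), ("plain workbook", False)):
        print(label, scan_workbook(build_sample_workbook(flag)))
```

On a real attachment the macro sheet formulas (xl/macrosheets/*.xml) are the next thing to pull and read; a veryHidden sheet combined with an Auto_Open name is the pattern worth alerting on, even before any URL or EXEC call is decoded.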
Hiddad, an Android malware designed to display ads, which previously leveraged the Covid-19 theme, maintained its place at the top of the ranks, together with xHelper, whose share of the malware pie decreased by 25% compared to 2020. This year, two other malware families made it to the chart for the first time, joined by two brand-new malware families: AlienBot and FluBot.
AlienBot is an Android banking malware distributed by threat actors as Malware-as-a-Service. The malware enables an attacker to remotely inject arbitrary code into legitimate financial applications, thus gaining access to the victim’s financial accounts and eventually taking complete control of the device. In March, Check Point Research detected a new dropper called ‘Clast82’, distributed via the Google Play Store, that installs AlienBot on victims’ devices. The dropper utilizes a number of techniques to avoid detection by Google Play Protect. For example, a non-malicious payload is dropped while the app is under evaluation and, once it passes, the payload is switched to AlienBot.
FluBot, another Android banking malware, emerged in late 2020, targeting European users and spreading via SMS messages sent from infected devices. FluBot campaigns rely on creative themes: a campaign that targeted Finnish users in June and November used a voicemail theme, asking victims to follow a link, supposedly from their mobile carrier, to listen to their messages. Ironically, a campaign aimed at New Zealand users featured a fake security update warning the victims of a FluBot infection.