Malware September 2024: Formbook on Windows devices

[German]Brief addendum on the subject of security and malware risks. I have had the malware report for September 2024 from security provider Check Point since mid-October 2024. Windows systems in Germany were probably particularly affected by the Formbook malware. The infostealer replaced CloudEye as the most active malware in this country and accounted for a full 21 percent of all infections. In addition, the transportation sector was again increasingly targeted by hackers. Here is a brief overview.

Check Point® Software Technologies Ltd, a cloud-based cybersecurity provider, has released its September 2024 Global Threat Index from Check Point Research. The new report shows a trend towards AI-driven malware and demonstrates the continued dominance of the ransomware threat.

Formbook in the raise

In Germany, the malware CloudEye (Infostealer), which was still dominant in August 2024, no longer played a role in September and was replaced by Formbook. This malware again accounted for 21% of all malware infections.
Androxgh0st (4.6%) and FakeUpdates (3.3%) were in second and third place. In addition, the transportation sector in this country has once again become the target of cyber attacks. For the first time in a long time, the healthcare system is no longer among the three most affected sectors.

AI support in AsyncRAT malware development

Last month, security researchers discovered that hackers were allegedly using AI to develop a script that spreads AsyncRAT malware. The malware now ranks 10th on the global top malware list.

The methods used by the malware included HTML smuggling, where a password-protected ZIP file containing malicious VBScript code was sent to trigger an infection chain on the victim's device. The well-structured and commented code indicated the involvement of AI.

Once fully executed, AsyncRAT is installed, enabling the attacker to record keystrokes, remotely control the infected device and install additional malware. This discovery highlights the growing trend of cyber criminals with limited technical skills using artificial intelligence to create malware more easily.
Commenting on the trends, Maya Horowitz, VP of Research at Check Point Software Technologies, said: "The fact that hackers have started to use generative AI as part of their attack infrastructure highlights the ongoing evolution of tactics in cyber attacks. Hackers are increasingly using all available technologies to optimize their operations, making it imperative for organizations to implement preventative security strategies, including advanced prevention methods and comprehensive training for their teams."

Top malware in Germany

*The arrows refer to the change in ranking compared to the previous month.

• ↑ Formbook (21,2 %) – FormBook iis an infostealer that targets the Windows operating system and was first discovered in 2016. It is marketed in underground hacker forums as Malware as a Service (MaaS), as it has strong obfuscation techniques and is relatively cheap. FormBook collects login credentials from various web browsers, takes screenshots, monitors and logs keystrokes, and can download and execute files according to the instructions of its C&C.
• ↔ Androxgh0st (4,6 %) – Androxgh0st is a botnet that targets Windows, Mac and Linux platforms. For infiltration, Androxgh0st exploits several vulnerabilities, particularly in PHPUnit, Laravel Framework and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS keys and the like. It uses Laravel files to collect the required information. There are different variants that look for different information.
• ↔ FakeUpdates (3,3 %) – Fakeupdates (alias SocGholish)
• is a downloader written in JavaScript. It writes payloads to the hard disk before launching them. FakeUpdates led to further system compromise by many additional malicious programs, including GootLoader, Dridex, NetSupport, DoppelPaymer and AZORult

Top mobile malware

In the month of September 2024, Joker ranked first among the most widespread mobile malware, followed by Anubis and Hiddad.

• ↔ Joker – An Android spyware in Google Play that steals SMS messages, contact lists and device information. In addition, the malware silently signs the victim up for premium services on advertising websites.
• ↔ Anubis – Anubis is a banking Trojan malware designed for Android cell phones. Since its discovery, it has gained additional features including Remote Access Trojan (RAT) functionality, a keylogger, audio recording capabilities and various ransomware features. It has been detected in hundreds of different applications available in the Google Store.
• ↑ Hiddad – Hiddad is an Android malware that repackages legitimate apps and then publishes them in a third-party store. Its main function is to display advertisements, but it can also gain access to important security details built into the operating system.

Most active ransomware groups

The data is based on findings from ransomware "shame sites" operated by ransomware-using extortion groups, where information about victims is published. RansomHub is the most prevalent ransomware group this month, responsible for 17 percent of published attacks, followed by Play with 10 percent and Qilin with 5 percent.

• RansomHub – A ransomware-as-a-service (RaaS) group that originated as a rebranded version of the previously known Knight ransomware. RansomHub emerged on underground cybercrime forums in early 2024 and quickly gained notoriety for its aggressive campaigns targeting various systems, including Windows, macOS, Linux and especially VMware ESXi environments. This malware is known to use sophisticated encryption methods.
• Play Ransomware – also known as PlayCrypt, is a ransomware that first appeared in June 2022. This ransomware has targeted a wide range of organizations and critical infrastructure in North America, South America and Europe, affecting approximately 300 facilities by October 2023. Play ransomware typically gains access to networks via compromised valid accounts or by exploiting unpatched vulnerabilities, such as in Fortinet SSL VPNs. Once inside the system, they use techniques such as living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
• Qilin – also known as Agenda, is a criminal ransomware-as-a-service operation that works with partners to encrypt and exfiltrate data from compromised organizations and then demand a ransom. This ransomware variant was first discovered in July 2022 and is developed in Golang. Agenda is known to target large companies and high-value organizations, with a focus on the healthcare and education sectors. Qilin usually infiltrates its victims via phishing e-mails.