FormBook was the malware most used in online criminal activity last month, according to new research, knocking Emotet off top spot for the first time in nine months. The info-stealing software is available off the shelf for cybercriminals of any level as malware-as-a-service, and is known for its strong evasion techniques and relatively low price.
The malware targets Windows machines and, once deployed, “can harvest credentials, collect screenshots, monitor and log keystrokes as well as download and execute files according to its command and control (C&C) orders,” according to research from security vendor Check Point. FormBook has been growing in popularity since 2016.
Other prevalent malware popular on dark web forums includes GuLoader, which has seen a sharp rise in activity, propelling it to fourth most widespread in August, according to Check Point. Initially only used to download one remote access trojan (RAT), it is now used in conjunction with infostealers like FormBook, Netwire, and Agent Tesla.
Agent Tesla was the malware most commonly used in cyberattacks on UK targets last month, the research says. It is similar to FormBook in that it steals and transmits credentials, keyboard input and screenshots from a variety of apps installed on a victim’s machine, including the Google Chrome and Mozilla Firefox browsers and the Microsoft Outlook email client.
These malware strains are used to attack companies primarily in the sectors of education and research, government and military and healthcare, utilising widespread vulnerabilities like Log4J as their point of entry. “Apache Log4J remote code execution returns to first place as the most exploited vulnerability,” says the Check Point report. Log4J was used in 44% of attacks on organisations worldwide in August.
Use of mobile malware on the rise
In addition to remote access trojans and infostealers, the use of mobile malware is also growing, says Check Point. This month a mobile malware called AlienBot was most popular among online criminals, followed by Anubis and Joker.
AlienBot is a banking Trojan for Google’s Android operating system. Sold as malware-as-a-service, it has many of the same capabilities as RATs, such as credential stealing and keystroke logging. However, since it was detected it has also developed audio recording and SMS harvesting capabilities.
Joker also has SMS harvesting capabilities. This malware can sign the victim up for paid premium services without the victim’s knowledge and is a signifier of how rapidly the malware landscape is changing, says Maya Horowitz, VP research at Check Point.
“The shifts that we see in this month’s index, from Emotet dropping from first to fifth place to Joker becoming the third most prevalent mobile malware, is reflective of how fast the threat landscape can change,” she says.
Horowitz adds that this should act as a reminder to individuals and companies alike “of the importance of keeping up to date with the most recent threats as knowing how to protect yourself.”
She says: “Threat actors are constantly evolving and the emergence of FormBook shows that we can never be complacent about security and must adopt a holistic, prevent-first approach across networks, endpoints and the cloud.”