SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Trickbot takes top malware spot in Australia, Emotet returns
Fri, 14th Jan 2022
FYI, this story is more than a year old

Trickbot and Emotet have topped the list of the most prevalent malware in Australia, according to new analysis from Check Point Research (CPR).

The research firm has published its latest Global Threat Index for December 2021, identifying the top 10 malware affecting Australians in December 2021. Australian cyber incidents involving Trickbot decreased from 4.75% to 2.42%; however, Emotet, while remaining in second place, has increased to 2.08% from 1.99% in December.

Following CPR's insights warning of the return of Emotet via Trickbot in November, it is no surprise that both malware remain in the top two positions of the December malware list impacting Australians. On a global scale, Trickbot is the most popular malware impacting 4% of organisations worldwide, followed by Emotet and Formbook with a worldwide impact of 3%.

Top 10 Malware impacting Australians for December:

Trickbot, 2.42% of Australian cyber incident cases impacted: Trickbot is a modular Botnet and Banking Trojan that targets the Windows platform, primarily delivered via spam campaigns or other malware families such as Emotet. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules: from a VNC module for remote control to an SMB module for spreading within a compromised network. Once a machine is infected, the Trickbot gang, the threat actors behind this malware, utilise this wide array of modules to steal banking credentials from the target PC and for lateral movement and reconnaissance on the targeted organisation itself prior to delivering a company-wide targeted ransomware attack.

Emotet, 2.08%: Emotet is an advanced, self-propagating and modular Trojan that was once used as a banking Trojan and currently distributes other malware or malicious campaigns. Emotet uses multiple methods for maintaining persistence and evasion techniques to avoid detection and can be spread via phishing spam emails containing malicious attachments or links.

Formbook, 1.96%: First detected in 2016, FormBook is an InfoStealer targeting Windows OS. It is marketed as MaaS in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C-C.

Dridex, 1.62%: Dridex is a Banking Trojan that targets the Windows platform, observed delivered by spam campaigns and Exploit Kits, which relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server that sends information about the infected system and can also download and execute additional modules for remote control.

DarkSide, 1.15%: DarkSide works in a Ransomware-as-a-Service (RaaS) model, where it leverages a partner program to execute its cyberattacks. DarkSide is part of a trend of ransomware attacks that involve systems rarely seen by the cyber community, like ESXi servers. The ransomware is known to have been deployed in numerous targeted ransomware attacks, including the Colonial Pipeline network and other oil and gas companies such as Forbes Energy Services and Gyrodata.

Maze, 0.81%: Maze is ransomware discovered in mid-2019 and was the first ransomware to practice the double extortion strategy. Maze operators opened a dedicated webpage where, in addition to encrypting victims' data, they started publishing stolen sensitive data from victims who refused to pay the ransom. Many other threat groups followed this strategy.

Ramnit, 0.81%: Ramnit is a banking Trojan that incorporates lateral movement capabilities. Ramnit steals web session information, enabling the worm operators to steal account credentials for all services used by the victim, including bank accounts, corporate and social networks accounts.

FluBot, 0.69%: FluBot is an Android malware distributed via phishing SMS messages, often impersonating logistics delivery brands. Once the user clicks the link inside the message, FluBot is installed and can access all sensitive information on the phone.

Remcos, 0.69%: Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.

Glupteba, 0.58%: Known since 2011, Glupteba is a backdoor that gradually matured into a botnet. By 2019 it included a C-C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.

Malware families Mirai and Yakes were tied in tenth place, each malware impacting 0.58% of Australian cyber incident cases in December.