July 2021’s Most Wanted Malware: Snake Keylogger Enters Top 10 for First Time

Check Point Research reports that Trickbot is the most prevalent malware for the third month running, while Snake Keylogger enters the index for the first time taking second place

SAN CARLOS, Calif., Aug. 12, 2021 (GLOBE NEWSWIRE) — Check Point Research (CPR), the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has published its latest Global Threat Index for July 2021. Researchers report that while Trickbot is still the most prevalent malware, Snake Keylogger, which was first detected in November 2020, has surged into second place following an intense phishing campaign.

Snake Keylogger is a modular .NET keylogger and credential stealer. Its primary function is to record users’ keystrokes on computers or mobile devices, and transmit the collected data to threat actors. In recent weeks, Snake has been growing fast via phishing emails with different themes across all countries and business sectors.

Snake infections pose a major threat to users’ privacy and online safety, as the malware can steal virtually all kinds of sensitive information, and it is a particularly evasive and persistent keylogger. There are currently underground hacking forums where the Snake Keylogger is available for purchase, ranging from 25 to 500 dollars, depending on the level of service offered.

Keylogger attacks can be particularly dangerous because individuals tend to use the same password and username for different accounts, and once one log in credential is breached, the cybercriminal gains access to all those that have the same password. To stop them, it is essential to use a unique option for each of the different profiles. To do this, a password manager can be used, which allows both managing and generating different robust access combinations for each service based on the guidelines decided upon.

“Where possible, users should reduce the reliance on passwords alone, for example by implementing Multi-Factor Authentication (MFA) or Single-Sign on (SSO) technologies,” said Maya Horowitz, VP Research at Check Point Software. “Also, when it comes to password policies, choosing a strong, unique password for each service is the best advice, then even if the bad guys do get hold of one of your passwords, it won’t immediately grant them access to multiple sites and services. Keyloggers such as Snake, are often distributed via phishing emails so it’s essential that users know to look out for small discrepancies such as misspellings in links and email addresses, and be educated to never click on suspicious links or open any unfamiliar attachments.”

CPR also revealed this month that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 44% of organizations worldwide. “MVPower DVR Remote Code Execution” takes third place in the top exploited vulnerabilities list, with a global impact of 42%.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month, Trickbot is the most popular malware impacting 4% of organizations globally, followed by Snake Keylogger and XMRig, each with a global impact of 3%.

1. ↔ Trickbot – Trickbot is a modular Botnet and Banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.
2. ↑ Snake Keylogger – Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020; its primary functionality is to record users’ keystrokes and transmit collected data to threat actors.
3. ↓ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.

Top exploited vulnerabilities

This month “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, impacting 45% of organizations globally, followed by “HTTP Headers Remote Code Execution” which affects 44% of organizations worldwide. “MVPower DVR Remote Code Execution” is in third place in the top exploited vulnerabilities list, with a global impact of 42%.

1. ↑ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
2. ↓ HTTP Headers Remote Code Execution (CVE-2020-10826,CVE-2020-10827,CVE-2020-10828,CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
3. ↓ MVPower DVR Remote Code Execution – A remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.

Top Mobile Malwares

This month xHelper takes first place in the most prevalent Mobile malwares, followed by AlienBot and Hiddad.

1. xHelper – A malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisements. The application is capable of hiding itself from the user and can even reinstall itself in the event that it was uninstalled.
2. AlienBot – AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims’ accounts, and eventually completely controls their device.
3. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.

Check Point’s Global Threat Impact Index and its ThreatCloud Map is powered by Check Point’s ThreatCloud intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors. The ThreatCloud database inspects over 3 billion websites and 600 million files daily, and identifies more than 250 million malware activities every day.

The complete list of the top 10 malware families in July can be found on the Check Point blog.

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch/

About Check Point Research
Check Point Research (CPR) provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point solutions are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

About Check Point Software Technologies Ltd. 
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to corporate enterprises and governments globally.  Check Point Infinity´s portfolio of solutions protects enterprises and public organisations from 5^th generation cyber-attacks with an industry leading catch rate of malware, ransomware and other threats. Infinity comprises three core pillars delivering uncompromised security and generation V threat prevention across enterprise environments: Check Point Harmony, for remote users; Check Point CloudGuard, to automatically secure clouds; and Check Point Quantum, to protect network perimeters and datacenters, all controlled by the industry’s most comprehensive, intuitive unified security management. Check Point protects over 100,000 organizations of all sizes.