Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites.
These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to infiltrate websites by utilizing altered editions of authentic WordPress plugins, and tricking individuals into downloading a Remote Access Trojan.
FakeUpdates, also known as SocGholish, has been operational since at least 2017, and uses JavaScript malware to target websites, especially those with content management systems.
Often ranked the most prevalent malware in the Threat Index, FakeUpdates aims to trick users into downloading malicious software, and despite efforts to stop it, it remains a significant threat to website security and user data.
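The campaign described above relies on modified copies of legitimate WordPress plugins and injected JavaScript surviving unnoticed on a compromised site. A plain file-integrity check against a known-good baseline is the defender's most direct counter. The following script is an added example written for this page, not tooling from Check Point or from the WordPress project; it assumes the baseline manifest was taken from a clean copy of the plugin (for instance, the package as distributed by the WordPress.org repository) and uses a constructed temporary plugin directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare a clean-install manifest with the live plugin tree.

    'added' files (e.g. a dropped loader script) and 'modified' files
    (a legitimate PHP file with an appended payload) are the signals an
    operator wants to review; 'removed' files usually mean an upgrade or
    a partially failed install rather than tampering.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed plugin directory, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "example-plugin"  # hypothetical plugin
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php /* constructed clean plugin */\n")
        (plugin / "readme.txt").write_text("constructed clean readme\n")
        baseline = hash_tree(plugin)  # in practice: hashes of the vendor-distributed package

        # Constructed tampering: one shipped file altered, one new script dropped.
        (plugin / "example-plugin.php").write_text(
            "<?php /* constructed clean plugin */\n/* constructed appended stub */\n"
        )
        (plugin / "assets").mkdir()
        (plugin / "assets" / "loader.js").write_text("// constructed rogue file\n")

        return diff_manifest(baseline, hash_tree(plugin))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it on a real site by replacing the constructed directory with the plugin path and the baseline with hashes computed from a freshly downloaded copy of the same plugin version; any entry under `added` or `modified` is worth a manual look, and the check is cheap enough to schedule after every admin login or plugin update.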
This sophisticated malware variant has previously been associated with the Russian cybercrime group known as Evil Corp. Due to its downloader functionality, it is believed that the group monetizes the malware by selling access to the systems that it infects, leading to other malware infections if the group provides access to multiple customers.
If cybercriminals use compromised websites as a vehicle to covertly spread malware, that could impact an organization's future revenue generation and reputation.
FakeUpdates was the most prevalent malware last month with an impact of 5% of worldwide organizations, followed by Qbot with a global impact of 3%, and Formbook with a global impact of 2%.
FakeUpdates - FakeUpdates is a downloader written in JavaScript.
FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
Qbot - Qbot AKA Qakbot is a multipurpose malware that first appeared in 2008.
It was designed to steal a user's credentials, record keystrokes, steal cookies from browsers, spy on banking activities, and deploy additional malware.
It is marketed as Malware as a Service in underground hacking forums for its strong evasion techniques and relatively low price.
This malware sends information about the infected system to a remote server.
Remcos distributes itself through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
This malware attempts to download and execute additional malicious files on target systems.
It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
WordPress portable-phpMyAdmin Plugin Authentication Bypass - An authentication bypass vulnerability exists in the WordPress portable-phpMyAdmin plugin.
Last month Anubis remained in first place as the most prevalent Mobile malware, followed by AhMyth and Hydra.
Anubis - Anubis is a banking Trojan malware designed for Android mobile phones.
When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, typically in order to steal sensitive information.
Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.
This Cyber News was published on blog.checkpoint.com. Publication date: Mon, 11 Mar 2024 15:43:07 +0000