November 2024’s Most Wanted Malware: Androxgh0st Leads the Pack, Targeting IoT Devices and Critical Infrastructure
Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a pioneer and global leader of cyber security solutions, has released its report, emphasizing the growing sophistication of cyber criminals. The report highlights the swift ascent of Androxgh0st, now integrated with the Mozi botnet, as it continues to target critical infrastructure worldwide.
Critical infrastructure—spanning energy grids, transportation systems, healthcare networks, and more—remains a prime target for cybercriminals due to its indispensable role in daily life and its vulnerabilities. Disrupting these systems can lead to widespread chaos, financial losses, and even threats to public safety.
African countries continue to be among those most targeted by malware attacks. Of the top 20 countries attacked in November, seven are on the continent. Ethiopia is the most attacked country of the 107 surveyed, while Zimbabwe ranked 4th with an 82,8% Normalised Risk Index, Uganda 9th and Angola 10th, with a Normalised Risk Index of 67,8% and 67,5% respectively, Ghana 13th with a Normalised Risk Index of 62%, Mozambique 17th with a Normalised Risk Index of 58,3%, and Nigeria 19th and Kenya 20th, with a Normalised Risk Index of 56,9% and 55,8% respectively. South Africa moved down the rankings to 67th, with a Normalised Risk Index of 39,1%.
“Researchers have discovered that Androxgh0st, now at the top of the malware rankings, is exploiting vulnerabilities across multiple platforms, including IoT devices and web servers, key components of critical infrastructure. By adopting tactics from Mozi, it targets systems using remote code execution and credential-stealing methods to maintain persistent access enabling malicious activities like DDoS attacks and data theft. The botnet infiltrates critical infrastructures through unpatched vulnerabilities, and the integration of Mozi’s capabilities has significantly expanded Androxgh0st’s reach, allowing it to infect more IoT devices and control a broader range of targets. These attacks create cascading effects across industries, highlighting the high stakes for governments, businesses, and individuals reliant on these infrastructures,” says
Among the top mobile malware threats, Joker remains the most prevalent, followed by Anubis and Necro. Joker continues to steal SMS messages, contacts, and device information while silently subscribing victims to premium services. Meanwhile, Anubis, a banking Trojan, has gained new features, including remote access, keylogging, and ransomware functionality.
Maya Horowitz, VP of Research at Check Point Software, commented on the evolving threat landscape, stating, “The rise of Androxgh0st and the integration of Mozi illustrate how cyber criminals are constantly evolving their tactics. Organisations must adapt quickly and implement robust security measures that can identify and neutralize these advanced threats before they can cause significant damage.”
Top malware families
*The arrows relate to the change in rank compared to the previous month.
Androxgh0st is the most prevalent malware this month with an impact of 5% of organizations worldwide, closely followed by FakeUpdates with an impact of 5%, and AgentTesla with 3%.
- Androxgh0st – Androxgh0st is a botnet that targets Windows, Mac, and Linux platforms. For initial infection, Androxgh0st exploits multiple vulnerabilities, specifically targeting PHPUnit, the Laravel Framework, and Apache Web Server. The malware steals sensitive information such as Twilio account information, SMTP credentials, AWS key, etc. It uses Laravel files to collect the required information. It has different variants which scan for different information.
- FakeUpdates – FakeUpdates (AKA SocGholish) is a downloader written in JavaScript. It writes the payloads to disk prior to launching them. FakeUpdates led to further compromise via many additional malware, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult.
- AgentTesla – AgentTesla is an advanced RAT functioning as a keylogger and information stealer, which is capable of monitoring and collecting the victim’s keyboard input, system keyboard, taking screenshots, and exfiltrating credentials to a variety of software installed on a victim’s machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client).
- Formbook – Formbook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
- Remcos – Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
- AsyncRat – AsyncRat is a Trojan that targets the Windows platform. This malware sends out system information about the targeted system to a remote server. It receives commands from the server to download and execute plugins, kill processes, uninstall/update itself, and capture screenshots of the infected system.
- NJRat – NJRat is a remote access Trojan, targeting mainly government agencies and organizations in the Middle East. The Trojan first emerged in 2012 and has multiple capabilities: capturing keystrokes, accessing the victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop. NJRat infects victims via phishing attacks and drive-by downloads, and propagates through infected USB keys or networked drives, with the support of Command & Control server software.
- Phorpiex – Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
- CloudEye – CloudEye is a downloader that targets the Windows platform and is used to download and install malicious programs on victims’ computers.
- Rilide – A malicious browser extension that targets Chromium-based browsers, mimicking legitimate software to infiltrate systems. It exploits browser functionalities to execute harmful activities like monitoring web browsing, capturing screenshots, and injecting scripts to steal cryptocurrency. Rilide operates by downloading other malware, recording user activities, and can even manipulate web content to deceive users into unauthorized actions.
Top exploited vulnerabilities
- Command Injection Over HTTP (CVE-2021-43936, CVE-2022-24086) – A command injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
- Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
- ZMap Security Scanner (CVE-2024-3378) – ZMap is a vulnerability scanning product. Remote attackers can use ZMap to detect vulnerabilities on a target server.
Top Mobile Malware
This month, Joker is in 1st place among the most prevalent mobile malware, followed by Anubis and Necro.
- Joker – An Android spyware in Google Play, designed to steal SMS messages, contact lists and device information. Furthermore, the malware silently signs the victim up for premium services on advertisement websites.
- Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
- Necro – Necro is an Android Trojan Dropper. It is capable of downloading other malware, showing intrusive ads and stealing money by charging paid subscriptions.
Top-Attacked Industries Globally
This month, Education/Research remained in 1st place among the most attacked industries globally, followed by Communications and Government/Military.
- Education/Research
- Communications
- Government/Military
Top Ransomware Groups
The data is based on insights from ransomware “shame sites” run by double-extortion ransomware groups which posted victim information. RansomHub is the most prevalent ransomware group this month, responsible for 16% of the published attacks, followed by Akira with 6% and KillSec3 with 6%.
- RansomHub – RansomHub is a Ransomware-as-a-Service (RaaS) operation that emerged as a rebranded version of the previously known Knight ransomware. Surfacing prominently in early 2024 in underground cybercrime forums, RansomHub has quickly gained notoriety for its aggressive campaigns targeting various systems including Windows, macOS, Linux, and particularly VMware ESXi environments. This malware is known for employing sophisticated encryption methods.
- Akira – Akira Ransomware, first reported in the beginning of 2023, targets both Windows and Linux systems. It uses symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption and is similar to the leaked Conti v2 ransomware. Akira is distributed through various means, including infected email attachments and exploits in VPN endpoints. Upon infection, it encrypts data and appends a “.akira” extension to file names, then presents a ransom note demanding payment for decryption.
- KillSec3 – KillSec is a Russian-speaking cyber threat group that emerged in October 2023. Operating a Ransomware-as-a-Service (RaaS) platform, the group also offers a range of other offensive cybercriminal services, including DDoS attacks and so-called “penetration testing services.” A review of their victim list reveals a disproportionately high number of targets in India and an unusually low proportion of U.S. victims compared to similar groups. Their primary targets include the healthcare and government sectors.