Check Point Research (CPR) has reported that the Snake Keylogger malware has claimed first place in Australia and eighth place globally after a long absence from the Global Threat Index.
Snake Keylogger records users' keystrokes and transmits the collected data to threat actors. It is usually spread through emails carrying docx or xlsx attachments with malicious macros, but CPR researchers have also observed it spreading via PDF files. CPR data shows Snake Keylogger is the leading malware family impacting Australian organisations, accounting for 2.48 per cent of Australian cyber incidents.
Spreading malware via PDF files has proven effective for cyber criminals because PDFs are perceived as "safer" than other file types. CPR researchers suspect that cyber criminals have had to become more creative and pivot to new file types because Microsoft now blocks macros in Office files downloaded from the internet by default.
According to Maya Horowitz, VP research at Check Point Software, the recent Snake Keylogger campaigns show that everything you do online puts you at risk of a cyber attack, and opening a PDF document is no exception.
"Viruses and malicious executable code can lurk in multimedia content and links, with the malware attack, in this case Snake Keylogger, ready to strike once a user opens the PDF.
"Therefore, just as you would question the legitimacy of a docx or xlsx email attachment, you must practice the same caution with PDFs too.
"In today's landscape, it has never been more important for organisations to have a robust email security solution that quarantines and inspects attachments, preventing any malicious files from entering the network in the first place," Horowitz said.
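Horowitz's advice to inspect attachments rather than trust the PDF extension can be turned into a concrete triage check. The Python below is an added example written for this page, not Check Point's code and not taken from any Snake Keylogger sample: it counts the PDF name tokens that carry active or embedded content (launch actions, JavaScript, auto-run actions, embedded files), decodes the #xx name escapes that droppers use to hide those tokens, inflates FlateDecode streams so objects tucked inside compressed object streams are seen, and returns a quarantine/review/pass verdict. Both sample PDFs are constructed inline; the hex-escaped name, the Launch action and the hidden script are stand-ins for the kind of tricks dropper PDFs use, not artefacts of a specific campaign.

```python
"""Triage a PDF e-mail attachment for active content (added example, not CPR code)."""
import re
import zlib
from typing import Dict

# Name tokens that signal active or embedded content. Their presence is a triage
# signal, not proof of malice: forms and PDF portfolios legitimately use some of them.
RISKY_NAMES = [
    b"/Launch",        # run an external program (e.g. cmd.exe) when triggered
    b"/JavaScript",    # JavaScript action dictionary
    b"/JS",            # the script itself
    b"/RichMedia",     # embedded Flash or other rich media
    b"/OpenAction",    # action fired automatically when the document opens
    b"/AA",            # additional (automatic) actions on page or field events
    b"/EmbeddedFile",  # attached file, e.g. a docx with macros carried inside a PDF
    b"/URI",           # outbound link
    b"/ObjStm",        # object stream: other objects hidden inside a compressed stream
]
HIGH_RISK = {"/Launch", "/JavaScript", "/JS", "/RichMedia"}

_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]*")                # a PDF name token
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")                    # #xx escape inside a name
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /Open#41ction reads as /OpenAction."""
    return _NAME.sub(
        lambda m: _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0)),
        data,
    )


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every FlateDecode stream that inflates.

    Objects placed inside compressed object streams never appear as plain text,
    so scanning only the raw bytes would miss them. Non-Flate streams are skipped.
    """
    chunks = []
    for m in _STREAM.finditer(data):
        d = zlib.decompressobj()
        try:
            out = d.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded (image, font, ...) or damaged: skip it
        if d.eof:  # complete zlib stream; the trailing EOL bytes land in unused_data
            chunks.append(out)
    return b"\n".join(chunks)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count risky name tokens in the raw file plus its inflated streams."""
    hits: Dict[str, int] = {}
    if b"%PDF-" not in data[:1024]:
        hits["no-pdf-header"] = 1  # named .pdf but does not start like one
    text = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            hits[name.decode()] = n
    return hits


def triage(hits: Dict[str, int]) -> str:
    """'quarantine' for active-content markers, 'review' for anything else found."""
    if any(k in HIGH_RISK for k in hits):
        return "quarantine"
    if hits:
        return "review"
    return "pass"


def _flate_obj(num: int, entries: bytes, payload: bytes) -> bytes:
    """Helper to build a compressed stream object for the constructed samples."""
    body = zlib.compress(payload)
    return (b"%d 0 obj << %s /Filter /FlateDecode /Length %d >>\nstream\n"
            % (num, entries, len(body)) + body + b"\nendstream\nendobj\n")


# Constructed sample: a one-page PDF with no active content.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample mimicking dropper tricks: an OpenAction with a hex-escaped
# name, a Launch action, an embedded file, and a script hidden inside a
# compressed object stream. Nothing here is a real Snake Keylogger artefact.
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc) >> >> endobj\n"
    + _flate_obj(5, b"/Type /EmbeddedFile", b"PK\x03\x04 constructed stand-in for a docx")
    + _flate_obj(6, b"/Type /ObjStm /N 1 /First 4",
                 b"7 0 << /S /JavaScript /JS (app.alert('constructed')) >>")
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        found = scan_pdf(blob)
        print(f"{label}: {triage(found)} {found}")
```

The verdict is a gate in front of a sandbox, not a replacement for one: interactive forms legitimately use /AA and /JS, so a "review" or "quarantine" result means detonate and inspect rather than block outright, and the scan does not see inside encrypted PDFs, non-Flate filters (LZW, ASCIIHex, JBIG2), or streams nested inside other streams, so a clean result is not a clean bill of health either.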
CPR's Global Threat Index for May 2022 also reports that Emotet, a self-propagating and modular Trojan, remains the most prevalent malware globally as a result of multiple widespread campaigns. Emotet is impacting 8 per cent of organisations worldwide.
Emotet is an agile malware that has proven profitable, CPR researchers added, because of its ability to remain undetected.
"Its persistence also makes it difficult to be removed once a device has been infected, making it the perfect tool in a cyber criminal's arsenal.
"Originally a banking Trojan, it is often distributed through phishing emails and has the ability to offer other malware, enhancing its capacity to cause widespread damage."
Top malware families in Australia, May 2022
*The arrows relate to the change in rank compared to the previous month.
While Snake Keylogger has claimed the top spot as the leading malware family impacting Australian organisations, Lokibot and Emotet follow, affecting 2.48 per cent and 1.86 per cent of Australian cyber incidents respectively.
↑ Snake Keylogger: Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020. Its primary functionality is to record users' keystrokes and transmit the collected data to the threat actors. Snake infections pose a major threat to users' privacy and online safety, as the malware can steal virtually all kinds of sensitive information and is a particularly evasive and persistent keylogger.
↑ Lokibot: First identified in February 2016, Lokibot is a commodity info stealer with versions for both Windows and Android. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY and more. Lokibot is sold on hacking forums, and its source code is believed to have leaked, allowing numerous variants to appear. Since late 2017, some Android versions of Lokibot include ransomware functionality in addition to their info-stealing capabilities.
↓ Emotet: Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used as a banking Trojan, but more recently it has been used as a distributor for other malware and malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. It is typically spread through phishing spam emails containing malicious attachments or links.
Top exploited vulnerabilities
The CPR data also revealed that "web servers malicious URL directory traversal" is the most commonly exploited vulnerability, impacting 46 per cent of organisations worldwide, closely followed by "Apache Log4j remote code execution", also with a global impact of 46 per cent. "Web server exposed git repository information disclosure" is in third place with a global impact of 45 per cent. Cyber criminals globally have continued to target the education and research sectors, followed by the insurance, legal, government and military sectors.
Top mobile malware
AlienBot is the most prevalent mobile malware, according to the CPR data, followed by FluBot and xHelper.
AlienBot: AlienBot is a Malware-as-a-Service (MaaS) family for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker obtains access to victims' accounts and eventually takes complete control of the device.
FluBot: FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed, the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list as well as sending SMS messages to other phone numbers.
xHelper: A malicious application seen in the wild since March 2019, used for downloading other malicious apps and displaying advertisements. The application is capable of hiding itself from the user and reinstalling itself if it is uninstalled.