SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Check Point reveals rise of NJRat & AgentTesla in cyber threat landscape

Thu, 9th Nov 2023

The latest Global Threat Index, released by Check Point Research for October 2023, reveals significant shifts in the cyber threat landscape. Notable among these is the ascent of the Remote Access Trojan (RAT), NJRat, to the second position in the top malware families list, while an AgentTesla campaign was identified as being propagated through corrupted archive files.

In October 2023, Remote Access Trojan NJRat, known for targeting government agencies and organisations across the Middle East, jumped four places from sixth to second place. In addition, an advanced RAT AgentTesla was uncovered as part of a new mal-spam campaign. Throughout the month, the Education sector continued to be the most targeted industry.

AgentTesla was seen being distributed through archive files carrying a malicious Microsoft Compiled HTML Help (.CHM) file. These archives, delivered via email as .GZ or .zip attachments with names referring to recent orders and shipments, enticed targets into opening the malware. Once installed, AgentTesla can log keystrokes, access the file system, capture clipboard data and quietly exfiltrate stolen data to a Command and Control (C&C) server.
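As an added defender-side example (not code from Check Point Research or this article), the check below inspects a .zip or .gz mail attachment for a Compiled HTML Help file hidden inside, flagging entries by the .chm extension or by the CHM container's "ITSF" magic bytes so a renamed file is still caught. The attachment samples are constructed in memory for the demonstration and carry no real malware.

```python
import gzip
import io
import zipfile

# CHM (ITSS) containers begin with the ASCII magic "ITSF".
CHM_MAGIC = b"ITSF"


def is_chm(data: bytes) -> bool:
    """True if the bytes start like a Compiled HTML Help file."""
    return data[:4] == CHM_MAGIC


def inspect_attachment(filename: str, payload: bytes) -> list[str]:
    """Return findings ("outer:inner") for every CHM-looking member of a
    .zip or .gz attachment, matched by extension or by magic bytes."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(4)  # only the header is needed
                if info.filename.lower().endswith(".chm") or is_chm(head):
                    findings.append(f"{filename}:{info.filename}")
    elif lower.endswith(".gz"):
        # A .gz holds a single stream; the inner name is the outer name
        # minus ".gz", so rely on the magic bytes rather than the name.
        with gzip.GzipFile(fileobj=io.BytesIO(payload)) as gz:
            head = gz.read(4)
        inner = filename[:-3]
        if inner.lower().endswith(".chm") or is_chm(head):
            findings.append(f"{filename}:{inner}")
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed attachments: a shipment-themed zip with a CHM-like member,
    a clean zip with a PDF, and a gzipped CHM whose outer name hides it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipment_Order_4471.chm", CHM_MAGIC + b"\x03" + b"\x00" * 35)
        zf.writestr("readme.txt", b"tracking details attached")
    bad_zip = buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n")
    clean_zip = buf.getvalue()
    bad_gz = gzip.compress(CHM_MAGIC + b"\x00" * 16)  # renamed .dat.gz
    return {"order_details.zip": bad_zip, "invoice.zip": clean_zip,
            "delivery_note.dat.gz": bad_gz}
```

Run on a mail gateway, the same function would be fed the decoded attachment bytes instead of `build_samples()`.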

"It's vital we don't overlook the strategies hackers use to spread malware, like posing as familiar brands or sending malicious files via email," emphasised Maya Horowitz, VP Research at Check Point Software. "As November is a busy shopping period, we need to keep in mind that cybercriminals are actively exploiting our increased interest in online shopping and deliveries."

Check Point Research also disclosed that the Zyxel ZyWALL Command Injection (CVE-2023-28771) was the most abused vulnerability, impacting 42% of organisations globally, followed by Command Injection Over HTTP, which affects 42% of global organisations. The third most exploited vulnerability was Web Servers Malicious URL Directory Traversal, with a 42% global impact.

Formbook topped the list of most prevalent malware, impacting 3% of organisations worldwide, followed closely by NJRat and Remcos, both impacting 2% of global organisations.

Formbook, an Infostealer which targets the Windows OS, collects credentials, screenshots, monitors and logs keystrokes, and can execute files per its C&C's commands. NJRat, a Trojan that mainly targets Middle East-based government bodies and organisations, spreads via phishing attacks and infected drives. Meanwhile, Remcos, another RAT, disseminates itself through malicious Microsoft Office documents attached to spam emails.

The most attacked industries globally remained the Education/Research sector, followed by the Communications and Government/Military sectors. Further, the most exploited vulnerability was Zyxel ZyWALL Command Injection (CVE-2023-28771), which impacted 42% of organisations globally, followed by Command Injection Over HTTP and Web Servers Malicious URL Directory Traversal, both affecting 42% of organisations worldwide.

Last month, the most prevalent Mobile malware was found to be Anubis, followed by AhMyth and Hiddad. These are all malicious software designed to steal sensitive information from Android mobile users.

The data used in the Global Threat Impact Index and ThreatCloud Map is obtained from hundreds of millions of sensors worldwide, enriched with AI-based engines and exclusive research findings from Check Point Research.
