SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Check Point Research identifies top malware threats to NZ
Mon, 14th Mar 2022

Check Point Research (CPR), the Threat Intelligence arm of Check Point Software, has published its latest Global Threat Index, identifying the top malware affecting New Zealanders in February 2022.

In February, the top malware impacting New Zealand cyber incidents was Sohanad (3.96%), followed by SnakeKeylogger and Formbook, while the botnet and banking trojan Trickbot has fallen down the list.

CPR revealed that during the past few weeks it has not seen new Trickbot campaigns, which could be due to some Trickbot members joining the Conti ransomware group, as suggested in the recent Conti data leak.

However, Sohanad has increased from impacting 1.79% of New Zealand cyber incident cases in January to 3.96% in February. The malware is a family of worms which can be spread via removable or network drives, particularly messenger applications.

Top five malware in New Zealand for February:

1. Sohanad, 3.96% (percentage of New Zealand cyber incident cases impacted by this specific malware).

Sohanad is a family of worms which changes system settings to facilitate its actions on an infected computer and to contact a remote host. It disables the registry editor and Windows task manager upon execution. It also modifies the browser homepage and terminates certain processes.

Sohanad is spread via removable or network drives, particularly messenger applications. It can also download a component that contains a list of URLs where the worm can download an updated copy of itself. This family of worms is created using an AutoIt script, a scripting language for Windows.
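The behaviour described above (Task Manager and Registry Editor disabled, browser homepage changed) leaves traces in the current user's registry hive that a defender can audit. The following PowerShell script is an added example, not code from Check Point or from the article: it checks the per-user policy values that disable those two tools and reports the Internet Explorer start page for comparison against the organisation's expected value. The key paths and value names (`Policies\System\DisableTaskMgr`, `Policies\System\DisableRegistryTools`, `Internet Explorer\Main\Start Page`) come from general Windows documentation and are assumptions not stated on the page.

```powershell
# Added example (not from the Check Point report): audit HKCU for the policy
# values that disable Task Manager and the Registry Editor, and report the IE
# start page so it can be compared with the expected homepage.
# Key paths below are taken from general Windows documentation, not the article.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ieMainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# A DWORD value of 1 in either of these policy values disables the tool for the user.
foreach ($name in @('DisableTaskMgr', 'DisableRegistryTools')) {
    $value = Get-RegistryValueOrNull -Path $policyKey -Name $name
    if ($value -eq 1) {
        $findings += [pscustomobject]@{
            Check = $name
            Value = $value
            Note  = 'tool disabled by per-user policy'
        }
    }
}

# Report the IE start page; the reviewer decides whether it matches the expected homepage.
$startPage = Get-RegistryValueOrNull -Path $ieMainKey -Name 'Start Page'
if ($startPage) {
    $findings += [pscustomobject]@{
        Check = 'IE Start Page'
        Value = $startPage
        Note  = 'compare with the expected homepage'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No disabled-tool policy values found in HKCU.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run the script in the context of the user account being investigated, since the values live in HKCU. A hit is not proof of infection on its own: the same policy values are set legitimately by Group Policy on some managed machines, so confirm against the organisation's baseline before treating them as an indicator. The same checks can be repeated under `HKLM:` to cover machine-wide policy.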

2. SnakeKeylogger, 1.80% (percentage of New Zealand cyber incident cases impacted by this specific malware).

Snake is a modular .NET keylogger and credential stealer first spotted in late November 2020; its primary functionality is to record users' keystrokes and transmit the collected data to the threat actors.

Snake infections pose a major threat to users' privacy and online safety, as the malware can steal virtually all kinds of sensitive information and it is a particularly evasive and persistent keylogger, the researchers state.

3. Formbook, 1.80% (percentage of New Zealand cyber incident cases impacted by this specific malware).

FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price.

FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C server.

4. AgentTesla, 1.08% (percentage of New Zealand cyber incident cases impacted by this specific malware).

AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, and can record screenshots and exfiltrate credentials for a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.

5. Trickbot, 1.08% (percentage of New Zealand cyber incident cases impacted by this specific malware).

Trickbot is a modular banking Trojan attributed to the WizardSpider cybercrime gang. It is mostly delivered via spam campaigns or by other malware families such as Emotet and BazarLoader.

Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network.

Once a machine is infected, the threat actors behind this malware utilise this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organisation itself, prior to delivering a company-wide targeted ransomware attack.