Remcos Trojan Linked to Cyber Espionage Operations Against Ukrainian Government
by D. Howard Kass • Mar 13, 2023
The Remcos Trojan, linked to Russia’s invasion of Ukraine, is reportedly being used by threat actors to target Ukrainian government entities in cyber espionage operations, Check Point Software said in its newly released Global Threat Index for February 2023.
Remcos Malware Tops the List
Remcos tops the list of infamous malware included in Check Point’s ranking, with the notorious Emotet and Formbook Infostealer following in second and third place, respectively. Remcos had not appeared in the security provider’s top 10 list since December 2022 and had not topped the ranking since last October.
Despite a 44% slide in the average number of weekly attacks per organization between October 2022 and February 2023, there was no dip in the malevolent nature of attacks. In one particularly virulent incident, hackers impersonated Ukraine’s telephone company Ukrtelecom JSC, which doubles as an ISP in the mobile market, and in a mass email distribution used a malicious RAR attachment to spread the Remcos Trojan.
Commenting on the findings, Maya Horowitz, Check Point’s vice president of research, said:
“It’s important that all organizations and government bodies follow safe security practices when receiving and opening emails. Do not download attachments without scanning the properties first. Avoid clicking on links within the body of the email and check the sender address for any abnormalities such as additional characters or misspellings.”
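The sender-address check described in that advice (looking for extra characters, misspellings or digit-for-letter swaps against the domains an organization expects mail from) can be automated. The following is an added example written for this article; it is not Check Point's code, and the trusted domains and sample addresses are constructed for illustration. It flags a sender domain as a lookalike when it is a homoglyph variant of a trusted domain, within two edits of one, or embeds a trusted domain's brand label inside an unrelated domain.

```python
import re

# Constructed allow-list of sender domains this organization expects mail from
# (example values chosen for this article, not taken from the report).
TRUSTED_DOMAINS = {"ukrtelecom.ua", "example.gov.ua"}

# Characters commonly swapped for letters in lookalike domains. The mapping is
# applied only to the comparison copy, never to the address itself.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

ADDR_RE = re.compile(r"<([^<>]+)>")                      # "Display Name <user@domain>"
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")  # ASCII domains only


def extract_domain(address):
    """Return the lowercased domain part of a From: address, or None if malformed."""
    m = ADDR_RE.search(address)
    addr = (m.group(1) if m else address).strip().lower()
    if addr.count("@") != 1:
        return None
    domain = addr.split("@")[1]
    return domain if DOMAIN_RE.match(domain) else None


def normalize(domain):
    """Collapse common homoglyph substitutions so 'ukrte1ecom' compares equal to 'ukrtelecom'."""
    for src, dst in HOMOGLYPHS.items():
        domain = domain.replace(src, dst)
    return domain


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a sender as trusted, lookalike, unknown or invalid, with a reason."""
    domain = extract_domain(address)
    if domain is None:
        return {"verdict": "invalid", "domain": None, "reason": "unparseable address"}
    if domain in trusted:
        return {"verdict": "trusted", "domain": domain, "reason": "exact match"}
    norm = normalize(domain)
    for t in sorted(trusted):
        tn = normalize(t)
        if norm == tn:  # differs only by swapped characters such as 1 for l
            return {"verdict": "lookalike", "domain": domain, "reason": f"homoglyph variant of {t}"}
        d = levenshtein(norm, tn)
        if d <= max_distance:  # an added, dropped or changed character or two
            return {"verdict": "lookalike", "domain": domain, "reason": f"{d} edit(s) from {t}"}
        brand = t.split(".")[0]
        if len(brand) >= 5 and brand in norm:  # e.g. brand-ua.com or brand.ua.other.net
            return {"verdict": "lookalike", "domain": domain,
                    "reason": f"embeds trusted label '{brand}' from {t}"}
    return {"verdict": "unknown", "domain": domain, "reason": "no trusted domain resembles it"}


if __name__ == "__main__":
    # Constructed sample senders for a quick run.
    for sender in ["support@ukrtelecom.ua", "Ukrtelecom <billing@ukrte1ecom.ua>",
                   "noreply@ukrtelecomm.ua", "info@ukrtelecom-ua.com",
                   "alice@unrelated.org", "not an address"]:
        print(f"{sender!r:40} -> {check_sender(sender)}")
```

A "lookalike" verdict is a signal for quarantine or analyst review rather than proof of phishing; "unknown" simply means the domain is outside the allow-list. Internationalized domain names and Unicode confusables are out of scope for this ASCII-only check.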
By industry, education/research remained the most targeted sector by malware attackers, followed by government/military and then healthcare, according to the report.
Qbot, Formbook and Emotet on the Attack
Qbot, a banking trojan designed to steal a victim’s banking credentials, was the most prevalent malware last month, with an impact of more than 7% on worldwide organizations. Formbook, an infostealer targeting Windows, followed at 5%. Emotet, formerly a banking trojan but now a distributor of malware for other campaigns, garnered a 4% impact on global businesses.
Last month “Web Servers Malicious URL Directory Traversal” was the most exploited vulnerability, impacting 47% of organizations globally. This was followed by “Web Server Exposed Git Repository Information Disclosure,” which impacted 46% of organizations worldwide. “Apache Log4j Remote Code Execution” was the third most exploited vulnerability, with a global impact of 45%.
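The two most exploited categories above, directory traversal and exposed Git repositories, are both visible in ordinary web server access logs. The following is an added example written for this article (not Check Point's code or part of the report): it parses combined-format log lines, percent-decodes each request path repeatedly so double-encoded traversal is caught, and raises an alert for `..` path segments and for requests into a `.git/` directory, using the HTTP status to separate mere attempts from requests the server actually answered. The log lines are constructed sample data.

```python
import re
from urllib.parse import unquote

# Combined/common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment (after decoding) and any request into a .git directory.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
GIT_RE = re.compile(r"(^|/)\.git(/|$)")


def decode_path(path, rounds=3):
    """Percent-decode until stable (bounded) so %252e%252e becomes '..'; unify slashes."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify_request(path, status):
    """Return (rule, outcome) pairs for one request; outcome reflects the server's answer."""
    decoded = decode_path(path)
    findings = []
    if TRAVERSAL_RE.search(decoded):
        # A 2xx/3xx answer to a traversal path deserves a closer look than a 4xx.
        findings.append(("directory_traversal", "attempt" if status >= 400 else "possible_success"))
    if GIT_RE.search(decoded):
        # A 200 on /.git/... means repository metadata was actually served.
        findings.append(("exposed_git_repo", "served" if status == 200 else "attempt"))
    return findings


def scan_log(lines):
    """Scan access-log lines and return one alert dict per finding."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        status = int(m["status"])
        for rule, outcome in classify_request(m["path"], status):
            alerts.append({"line": n, "ip": m["ip"], "rule": rule,
                           "outcome": outcome, "path": m["path"]})
    return alerts


def summarize(alerts):
    """Count alerts per (client IP, rule) to spot repeat offenders."""
    counts = {}
    for a in alerts:
        key = (a["ip"], a["rule"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Mar/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [13/Mar/2023:10:01:05 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.7 - - [13/Mar/2023:10:01:06 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0',
    '203.0.113.9 - - [13/Mar/2023:10:01:09 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.9 - - [13/Mar/2023:10:01:10 +0000] "GET /.git/config HTTP/1.1" 403 0',
    '198.51.100.2 - - [13/Mar/2023:10:02:00 +0000] "GET /docs/..%252f..%252fetc/passwd HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print(summarize(scan_log(SAMPLE_LOG)))
```

The "served" outcome on a `.git/` request is the one to escalate: it indicates the repository metadata is actually reachable, which is the information-disclosure condition the report's second-ranked category refers to. Paths containing spaces or non-standard log layouts would need a more permissive parser than the regex used here.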
In February, Anubis remained the most prevalent mobile malware, followed by Hiddad and AhMyth. Anubis is banking Trojan malware designed for Android mobile phones. Hiddad is Android malware that repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS. AhMyth is a Remote Access Trojan (RAT) distributed through Android apps that can be found on app stores and various websites.
“While there has been a decrease in the number of politically motivated attacks on Ukraine, they remain a battleground for cybercriminals,” Horowitz said. “Hacktivism has typically been high on the agenda for threat actors since the Russo-Ukrainian war began and most have favored disruptive attack methods such as DDoS to garner the most publicity.”