The most common malware for September 2021

Check Point Research, the Threat Intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), the world’s leading provider of cybersecurity solutions, published the Global Threat Index for September 2021. The research team reports that Trickbot returned to the top of the list, after falling to second place in August after a quarter of ».

The remote access trojan njRAT entered the top ten for the first time, taking the place of Phorpiex, which is no longer active. Trickbot is a banking trojan that can steal financial information, account credentials and personal data, as well as spread across a network and launch a ransomware attack. Since the takedown of Emotet last January, the Trickbot trojan has gained popularity. It is constantly being upgraded with new capabilities, features and distribution channels, which makes it a flexible and customizable malware that can be distributed as part of multi-purpose campaigns.

“In the same month that Trickbot once again became the most prevalent malware, it was reported that one of its members had been arrested following a US investigation,” said Maya Horowitz, VP Research at Check Point Software. “Apart from other allegations that have been filed this year in the fight against the trojan, we hope that the dominance of the gang will end soon. But, as always, there is still a long way to go. This week our researchers reported that in 2021 there are 40% more attacks per week on organizations worldwide compared to 2020, but most, if not all, of them could have been prevented. Organizations should no longer delay adopting a prevention-first approach to cybersecurity.”

CPR also revealed this month that “Web Server Exposed Git Repository Information Disclosure” is the most commonly exploited vulnerability, affecting 44% of organizations worldwide, followed by “Command Injection Over HTTP”, affecting 43% of organizations worldwide. “HTTP Headers Remote Code Execution” ranks third on the list of most exploited vulnerabilities, with a global impact of 43%.

Top malware families

* The arrows refer to the change of the ranking in relation to the previous month.

In September, Trickbot was the most prevalent malware, affecting 4% of organizations worldwide, followed by Formbook and XMRig, each affecting 3% of organizations worldwide.

1. ↑ Trickbot – Trickbot is a modular Botnet and Banking Trojan that is constantly updated with new features, capabilities and distribution channels. This allows Trickbot to be a flexible and customizable malware that can be distributed as part of multipurpose campaigns.

2. Formbook – Formbook is an infostealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to C&C commands.

3. XMRig – XMRig is open source CPU mining software used to mine the Monero cryptocurrency; it first appeared in May 2017.

Top exploited vulnerabilities

In September, “Web Server Exposed Git Repository Information Disclosure” was the most exploited vulnerability, affecting 44% of organizations worldwide, followed by “Command Injection Over HTTP”, which affected 43% of organizations worldwide. “HTTP Headers Remote Code Execution” ranks third on the list of most exploited vulnerabilities, with a global impact of 43%.

1. ↔ Web Server Exposed Git Repository Information Disclosure – An information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow unintentional disclosure of account information.

2. ↑ Command Injection Over HTTP – A command injection over HTTP vulnerability has been reported. A remote attacker can take advantage of this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.

3. ↓ HTTP Headers Remote Code Execution (CVE-2020-10826, CVE-2020-10827, CVE-2020-10828, CVE-2020-13756) – HTTP headers let the client and server pass additional information with an HTTP request. A remote attacker can use a vulnerable HTTP header to execute arbitrary code on the victim’s machine.

Top mobile malware

In September, xHelper remained the most prevalent mobile malware, followed by AlienBot and FluBot.

1. xHelper – A malicious application that first appeared in March 2019 and is used to download other malicious applications and display ads. The application can be hidden from the user and can even be reinstalled if it is removed.

2. AlienBot – The AlienBot malware family is a Malware-as-a-Service (MaaS) for Android devices that allows a remote attacker, as a first step, to inject malicious code into legitimate financial applications. The attacker gains access to the victims’ accounts and eventually takes full control of their device.

3. FluBot – FluBot is Android malware that is distributed via phishing and usually impersonates transport logistics companies. As soon as the user clicks on the link in the message, FluBot is installed and accesses all the sensitive information on the phone.

The top 10 in Greece

Malware name | Global Impact | Impact on Greece

Trickbot

Masslogger

Malware families in detail

AgentTesla is an advanced RAT (Remote Access Trojan) that acts as a keylogger and password stealer. Active since 2014, AgentTesla can monitor and collect the victim’s keyboard input and system clipboard, capture screenshots, and extract credentials entered into a variety of software installed on the victim machine (including Google Chrome, Mozilla Firefox and the Microsoft Outlook email client). AgentTesla is sold openly as a legitimate RAT, with customers paying $15-$69 for licenses.

FormBook is an infostealer that targets the Windows operating system and was first detected in 2016. It is advertised in hacking forums as a tool with strong evasion techniques and a relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to the C&C instructions given to it.

Trickbot is a modular botnet and banking trojan that targets Windows platforms and is mainly delivered via spam or by other malware families such as Emotet. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a wide range of available ones, such as a VNC module for remote use or an SMB module for spreading within an affected network. Once a machine is infected, the threat actors behind Trickbot use this wide range of modules not only to steal banking credentials from the target computer, but also for lateral movement and reconnaissance within the organization itself, before delivering a targeted ransomware attack across the whole company.

Remcos is a RAT that first appeared in 2016. Remcos is distributed through malicious Microsoft Office documents attached to spam emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.

NanoCore is a Remote Access Trojan, first spotted in the wild in 2013, that targets Windows users. All versions of the RAT include basic add-ons and features such as screen capture, cryptocurrency mining, remote desktop control and webcam session theft.

Vidar is an infostealer that targets Windows operating systems. First detected in late 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar has been sold on various online forums and has been used as a malware dropper to download GandCrab ransomware as its secondary payload.

Known since 2011, Glupteba is a backdoor that has gradually matured into a botnet. Until 2019, it included a C&C address update mechanism via public Bitcoin lists, a built-in browser stealer capability, and a router exploiter.

An Android spyware on Google Play, designed to steal SMS messages, contact lists and device information. In addition, the malware silently signs the victim up for premium services on advertising sites.

Lovgate is a computer “worm” that can spread through network shares, e-mail, and file sharing networks. Once installed, the program copies itself to various folders on the victim’s computer and distributes malicious files that give attackers remote access.

Masslogger is a .NET credential stealer. This threat is a reconnaissance tool that can be used to exfiltrate data from targeted servers.

Check Point Software’s Global Threat Impact Index and ThreatCloud Map are powered by the company’s ThreatCloud intelligence. ThreatCloud provides real-time threat information from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the Intelligence & Research department of Check Point Software Technologies.
