Cybercriminals discover a new method of chain infection to distribute Remcos.

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of AI-based cloud cybersecurity solutions, has released its Global Threat Index for March 2024, highlighting the use of Virtual Hard Disk (VHD) files to deploy the Remcos remote access trojan (RAT). Meanwhile, LockBit3 remains the most prevalent ransomware group despite the law enforcement action against it in February, although its share of the victims posted on the ransomware "shame sites" monitored by Check Point Software fell from 20% to 12%.

Remcos is a RAT that has been in circulation since 2016. Originally marketed as a remote administration tool for Windows, it was quickly adopted by attackers to infect devices, capture screenshots, log keystrokes and exfiltrate the collected data to their command-and-control servers. The latest campaign evaded security controls and gave its operators unauthorized access to victims' devices. The RAT also has mass-mailing capabilities that can be used to run its own distribution campaigns, and its functions can be combined to build botnets. Last month it rose to fourth place in the top malware list, climbing two spots from February.
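The report names VHD files as the delivery container but does not describe a check for them, so the following is an added example (written for this page, not code from Check Point or from the campaign) of attachment triage that recognises VHD and VHDX disk images by content rather than by extension, so that an image renamed to look like a document is still flagged. It relies on two format facts: a VHD ends with a 512-byte footer whose first 8 bytes are the cookie "conectix" (dynamic and differencing images repeat that footer at offset 0, with the virtual size at footer offset 48 and the disk type at offset 60, big-endian), and a VHDX starts with the signature "vhdxfile". The attachments below are constructed test data, not real samples.

```python
import struct
from typing import NamedTuple, Optional

VHD_COOKIE = b"conectix"      # first 8 bytes of the 512-byte VHD footer
VHDX_SIGNATURE = b"vhdxfile"  # first 8 bytes of a VHDX file
VHD_FOOTER_SIZE = 512
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


class DiskImage(NamedTuple):
    fmt: str          # "vhd" or "vhdx"
    disk_type: str    # fixed / dynamic / differencing / unknown
    size_bytes: int   # virtual disk size from the VHD footer (0 for VHDX here)


def parse_vhd_footer(footer: bytes) -> Optional[DiskImage]:
    """Parse a VHD footer; return None if the bytes are not a VHD footer."""
    if len(footer) < VHD_FOOTER_SIZE or footer[:8] != VHD_COOKIE:
        return None
    # Footer fields are big-endian: current size at offset 48 (8 bytes),
    # disk type at offset 60 (4 bytes).
    (current_size,) = struct.unpack_from(">Q", footer, 48)
    (disk_type,) = struct.unpack_from(">I", footer, 60)
    return DiskImage("vhd", VHD_DISK_TYPES.get(disk_type, "unknown"), current_size)


def identify_disk_image(data: bytes) -> Optional[DiskImage]:
    """Identify a VHD/VHDX by signature alone, ignoring the file name."""
    if data[:8] == VHDX_SIGNATURE:
        return DiskImage("vhdx", "unknown", 0)
    # Every VHD carries the footer at the end; dynamic and differencing
    # images also keep a copy at offset 0, which is checked second.
    img = parse_vhd_footer(data[-VHD_FOOTER_SIZE:])
    if img is None:
        img = parse_vhd_footer(data[:VHD_FOOTER_SIZE])
    return img


def triage_attachments(attachments):
    """Return the attachments that are disk images, noting extension mismatches."""
    flagged = []
    for name, data in attachments:
        img = identify_disk_image(data)
        if img is None:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        flagged.append({
            "name": name,
            "format": img.fmt,
            "disk_type": img.disk_type,
            "size_bytes": img.size_bytes,
            "extension_mismatch": ext not in ("vhd", "vhdx"),
        })
    return flagged


def make_fake_vhd(disk_type: int, size: int) -> bytes:
    """Constructed test image: a valid-looking footer around an empty body (no real content)."""
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[:8] = VHD_COOKIE
    struct.pack_into(">Q", footer, 48, size)
    struct.pack_into(">I", footer, 60, disk_type)
    body = b"\x00" * 4096
    if disk_type == 2:                       # fixed: footer only at the end
        return body + bytes(footer)
    return bytes(footer) + body + bytes(footer)  # dynamic/differencing: footer copy at offset 0 too


# Constructed sample attachments (names and bytes made up for this example).
SAMPLE_ATTACHMENTS = [
    ("quarterly_report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice_scan.pdf", make_fake_vhd(3, 64 * 1024 * 1024)),  # VHD hiding behind a .pdf name
    ("backup.vhd", make_fake_vhd(2, 32 * 1024 * 1024)),
    ("disk.vhdx", VHDX_SIGNATURE + b"\x00" * 100),
]

if __name__ == "__main__":
    for hit in triage_attachments(SAMPLE_ATTACHMENTS):
        print(hit)
```

Blocking or quarantining on "extension_mismatch" alone is too narrow: a disk image with its real extension is just as mountable on Windows by double-click, so a gateway policy normally treats any flagged container the same way regardless of name.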

Maya Horowitz, VP of Research at Check Point Software, emphasizes the evolving attack tactics of cybercriminals. She stresses the importance of prioritizing proactive measures such as maintaining vigilance, deploying robust endpoint protection, and fostering a cybersecurity awareness culture to collectively strengthen defenses against evolving cyberattacks.

Check Point Research's threat index also draws on data from around 200 leak sites run by double-extortion ransomware groups, 68 of which have published victim information this year to pressure victims into paying. LockBit3 remains the most significant ransomware, with 12% of the published attacks, followed by Play with 10% and Blackbasta with 9%. Blackbasta, entering the top three for the first time, claimed responsibility for a recent cyberattack on Scullion Law, a Scottish legal firm.

CPR also reported that "Web Servers Malicious URL Directory Traversal" was the most exploited vulnerability, affecting 50% of organizations worldwide, followed by "Command Injection Over HTTP" at 48% and "Remote Code Execution via HTTP headers" at 43%.
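All three of those categories are visible in ordinary web-server access logs, so as an added example (not part of the Check Point report, and not their detection logic) here is a small Python scanner that reads combined-format log lines and flags the three patterns: a ".." segment in the decoded URL (directory traversal, including double percent-encoding), a shell separator followed by a typical command in the URL (command injection over HTTP), and the same kind of payload carried in the User-Agent header instead of the URL (the header-borne case). The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# A ".." path segment after decoding. The lookbehind stops names such as
# "report..pdf" from matching; only a segment that is exactly ".." counts.
TRAVERSAL_RE = re.compile(r"(?<![\w.])\.\.(?:[/\\]|$)")

# A shell separator or substitution followed by a common reconnaissance or
# download command, optionally with an absolute path ("; /bin/bash", "|| curl").
CMD_INJECT_RE = re.compile(
    r"(?:;|\|\|?|&&?|`|\$\()\s*(?:/\S*/)?(?:cat|sh|bash|wget|curl|nc|id|whoami|uname|ping)\b",
    re.IGNORECASE,
)


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e%252f) used to slip past one-pass filters."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str, user_agent: str) -> list:
    """Return the finding labels for one request; an empty list means nothing matched."""
    findings = []
    decoded = fully_decode(target)
    if TRAVERSAL_RE.search(decoded):
        findings.append("directory_traversal")
    if CMD_INJECT_RE.search(decoded):
        findings.append("command_injection")
    # The same command payloads carried in a header rather than the URL;
    # "() {" is the shell function-definition prefix seen in header-borne payloads.
    if CMD_INJECT_RE.search(user_agent) or "() {" in user_agent:
        findings.append("header_injection")
    return findings


def scan_log(lines):
    """Parse combined-format lines and report the ones matching an attack pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        findings = classify(m["target"], m["ua"])
        if findings:
            hits.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return hits


# Constructed sample log lines (documentation-range IPs, not from a real system).
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:01:22 +0000] "GET /images/logo.png HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:03 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 152 "-" "curl/8.1.2"',
    '198.51.100.7 - - [12/Mar/2024:10:02:10 +0000] "GET /cgi-bin/status?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 843 "-" "python-requests/2.31"',
    '198.51.100.7 - - [12/Mar/2024:10:02:31 +0000] "GET /download?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 199 "-" "curl/8.1.2"',
    '192.0.2.55 - - [12/Mar/2024:10:03:44 +0000] "GET /api/health HTTP/1.1" 200 2 "-" "() { :; }; /bin/bash -c id"',
    '203.0.113.10 - - [12/Mar/2024:10:04:01 +0000] "GET /files/report..pdf HTTP/1.1" 200 77100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The decoding loop is the part that matters in practice: a filter that decodes once sees "%2e%2e%2f" and passes it, while the web server or application may decode again and act on "../". Treat the matches as triage indicators to pivot on by source IP, not as proof of a successful exploit; the response status column tells you whether the request reached anything.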

In Spain, the three most prevalent malware families in March were FakeUpdates, Remcos and Qbot. The most targeted industries in Europe in March were Education/Research, Government/Military and Healthcare.

Regarding mobile malware, Anubis maintained its position as the most used mobile malware in March, followed by AhMyth and Cerberus.

In the ransomware landscape, LockBit3, Play and Blackbasta were the most prominent groups in March. LockBit3, which operates on a ransomware-as-a-service (RaaS) model, kept a significant presence despite the law enforcement action against it. Play targeted a wide range of entities across regions, while Blackbasta, also a RaaS operation, gained initial access by exploiting RDP vulnerabilities and through phishing emails before deploying its ransomware.

Overall, the cybersecurity landscape continues to evolve, emphasizing the importance of proactive defense measures and awareness to combat cyber threats effectively. The insights provided by Check Point Research’s Global Threat Index offer valuable information to enhance cybersecurity strategies and protect against emerging threats in the digital landscape.
