ZDNet journalists note that Malwarebytes experts also drew attention to the surge in LokiBot activity, confirming the findings of CISA specialists.

LokiBot is one of the most dangerous infostealers at the moment. The Trojan has been known to cybersecurity experts since the mid-2010s.

For many years, its source code was distributed on hacker forums completely free of charge, which made LokiBot one of the most popular password stealing tools (mainly among low and medium-skilled cybercriminals).

Currently, several hack groups actively use malware at once, spreading it using a variety of methods, from email spam to hacked installers and malicious torrent files.

“By infecting victims’ computers, LokiBot focuses on finding locally installed applications and retrieving credentials from their internal databases. For example, LokiBot steals data from browsers, email clients, FTP applications and cryptocurrency wallets”, – inform DHS CISA researchers.

Today LokiBot is no longer just an info-stealer, but a more complex threat. Thus, the malware is equipped with a keylogger that intercepts keystrokes in real time (in order to steal passwords that are not always stored in the internal database of the browser), and a utility for creating screenshots (usually used to capture documents after they have been opened on a computer victims). In addition, LokiBot also acts as backdoor, allowing hackers to launch other malware on infected hosts.

The data stolen by LokiBot usually ends up on underground marketplaces. According to KELA analysts, LokiBot is one of the main providers of credentials for the Genesis marketplace.

In 2019, SpamHaus experts named LokiBot the malware with the most active command servers, Any.Run experts placed LokiBot in 4th place in the ranking of the most common threats in 2019, and in the SpamHaus ranking for the first half of 2020, LokiBot confidently occupies second place.

The post CISA experts warned about the growth of LokiBot infostealer activity appeared first on Gridinsoft Blog.

The top includes malware designed to steal all types of confidential information, bank details, and remote access tools to control a hacked host.

No.1 Emotet – 36,026 samples

The Trojan was first discovered in 2014 and was used to intercept data transmitted through secure connections. Recall that in September of this year, Emotet returned to life after 4 months of inactivity. Operators sent emails containing malicious files and links for malware downloads. The victims of the campaign are users who speak Polish and German.

No.2 Agent Tesla – 10 324

Agent Tesla is an advanced tool for remote access (RAT). The malware has been infecting computers since 2014, acting as a keylogger and password stealer.

No.3 NanoCore – 6,527

NanoCore is the most popular tool among all RATs. In addition to providing remote access to the victim host, it can log keys, spy, execute files, capture video and audio, edit the registry, and control the mouse.

No.4 LokiBot – 5693

LokiBot has appeared in clandestine forums as an information thief and keylogger, but further development has added various features that allow it to avoid detection and collect confidential information.

No.5 Ursnif – 4,185

Ursnif is usually associated with data theft, but some versions come with such components as backdoors, spyware, or files’ embedding. Security researchers also associate with this threat the deployment of another malware, the GandCrab.

No.6 FormBook – 3,548

Malicious software was developed to capture data typed on the keyboard in web forms. Its functions include collecting credentials from web browsers (cookies, passwords), creating screenshots, stealing clipboard contents, keeping a key log, downloading and running executable files from the management and control server, and stealing passwords from email clients.

No. 7 HawkEye – 3,388

The keylogger supports intercepting keystrokes and allows stealing credentials from various applications and the clipboard.

No.8 AZORult – 2 898

The main function of the malware is to collect and extract data from a compromised system, including passwords stored in browsers, mail and FTP clients, cookies, web forms, cryptocurrency wallets, and correspondence in instant messengers.

No.9 TrickBot – 2,510

Initially, TrickBot was used only in attacks against Australian users, but in April 2017, it began to be used in attacks on banks in the USA, Great Britain, Germany, Ireland, Canada, New Zealand, Switzerland, and France. Typically, it is distributed through Emotet and can download other malicious programs to the system (for example, Ryuk ransomware).

No.10 njRAT – 2,355

njRAT is based on .NET and allows attackers to control the system completely. Previously, the Trojan was distributed via spam messages containing advertising of cheat codes and a license key generator for the game “Need for Speed: World”. It has also been used in several malicious campaigns that use OpenDocument Text (ODT) files.

As was said before, the Check Point Research Team published the Global Threat Index report, listing the most dangerous malware of November 2019, so in the November ranking, in addition to obvious threats to mobile devices, also was leading Emotet.

The post Emotet topped the rating of the most common threats in 2022 appeared first on Gridinsoft Blog.