Researchers have unearthed a novel method employed by hackers to deploy the Remote Access Trojan (RAT) Remcos, evading traditional security measures and gaining unauthorized access to victims’ devices. Meanwhile, Blackbasta has surged into the top three of the most wanted ransomware groups, and Communications has emerged as the third most exploited industry in Africa.

Check Point® Software Technologies Ltd., a global leader in AI-powered, cloud-delivered cybersecurity solutions, has released the Global Threat Index for March 2024. Recent investigations have unveiled cybercriminals’ use of Virtual Hard Disk (VHD) files to distribute the Remote Access Trojan (RAT) Remcos, circumventing conventional security protocols. Lockbit3 has maintained its dominance as the most prevalent ransomware group in March, despite a significant decrease in activity following law enforcement intervention in February.

Eight African countries are among the top 20 countries most targeted by cyber criminals. These are Ethiopia (2), Zimbabwe (3), Maldives (4), Kenya (7), Uganda (8), Angola (11), Morocco (17) and Nigeria (20). South Africa has dropped eight places and now ranks 64th among the most targeted countries.

Remcos, a well-known malware dating back to 2016, has resurfaced with a new attack strategy, infiltrating victims’ devices and granting cybercriminals unfettered access. Initially intended for legitimate remote system management, Remcos has been repurposed by threat actors to execute malicious activities, including data exfiltration, keystroke logging, and transmission of sensitive information to designated servers. Moreover, the RAT boasts mass mailer capabilities, enabling the orchestration of distribution campaigns and the establishment of botnets. In March, Remcos ascended to the fourth position on the top malware list, underscoring its escalating threat level.


Maya Horowitz, VP of Research at Check Point Software says, “The evolving tactics of cyberattacks underscore the dynamic nature of cybercriminal strategies. It is imperative for organizations to adopt proactive cybersecurity measures, including robust endpoint protection and comprehensive employee training, to safeguard against evolving threats.”

Check Point’s Ransomware Index sheds light on ransomware activities through “shame sites” operated by double-extortion ransomware groups. Lockbit3 continues to lead the ranking with 12% of reported attacks, followed by Play at 10%, and Blackbasta at 9%. Notably, Blackbasta has surged into the top three, following its recent cyberattack on Scullion Law, a Scottish legal firm.

The top exploited vulnerabilities in Africa in March include “Web Servers Malicious URL Directory Traversal,” impacting 50% of organizations globally, “Command Injection Over HTTP” at 48%, and “HTTP Headers Remote Code Execution” at 43%.


Top Three Malware Families in Africa:

  1. FakeUpdates: A JavaScript downloader, also known as SocGholish, responsible for distributing additional malware payloads. The average global impact of FakeUpdates is 6.47%; in South Africa it is 8.55%, while in Nigeria it is 29.73%.
  2. Qbot: A multipurpose malware targeting credential theft, keystroke logging, and additional malware deployment. The average global impact of Qbot is 2.66%, in South Africa it is at 3%, Nigeria at 6.7% and Zimbabwe at 40%.
  3. Formbook: An Infostealer targeting Windows OS, renowned for its strong evasion techniques and affordability in underground forums. The average global impact of Qbot is 2.43%, South Africa at less than 1% and Mozambique at 3.12%.

Top Mobile Malware in Africa:

Last month Anubis was in first place as the most prevalent Mobile malware, followed by AhMyth and Cerberus.

  1. ↔ Anubis – Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
  2. ↔ AhMyth – AhMyth is a Remote Access Trojan (RAT) discovered in 2017. It is distributed through Android apps that can be found on app stores and various websites. When a user installs one of these infected apps, the malware can collect sensitive information from the device and perform actions such as keylogging, taking screenshots, sending SMS messages, and activating the camera, which is usually used to steal sensitive information.
  3. ↑ Cerberus – First seen in June 2019, Cerberus is a Remote Access Trojan (RAT) with specific banking screen overlay functions for Android devices. Cerberus operates in a Malware as a Service (MaaS) model, taking the place of discontinued bankers like Anubis and Exobot. Its features include SMS control, keylogging, audio recording, location tracker, and more.

Top-Attacked Industries in Africa and globally:

Last month Education/Research remained in first place in the most attacked industries globally, followed by Government/Military and Communications. In Africa however, Retail/Wholesale, Communications and Utilities are at the top of the list.

Global Industries

  1. Education/Research
  2. Government/Military
  3. Communications

Africa Industries

  1. Retail/Wholesale
  2. Communications
  3. Utilities
  4. Government/Military
  5. Finance/Banking

Top Ransomware Groups Globally

This section features information derived from ransomware “shame sites” operated by double-extortion ransomware groups which posted the names and information of victims. The data from these shame sites carries its own biases, but still provides valuable insights into the ransomware ecosystem.

Lockbit3 was the most prevalent ransomware group last month, responsible for 12% of the published attacks, followed by Play with 10% and Blackbasta with 9%.

  1. LockBit3 – LockBit3 is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries and does not target individuals in Russia or the Commonwealth of Independent States. Despite experiencing significant outages in February 2024 due to law enforcement action, LockBit3 has resumed publishing information about its victims.
  2. Play – Play Ransomware, also referred to as PlayCrypt, is a ransomware group that first emerged in June 2022. This ransomware has targeted a broad spectrum of businesses and critical infrastructure across North America, South America, and Europe, affecting approximately 300 entities by October 2023. Play Ransomware typically gains access to networks through compromised valid accounts or by exploiting unpatched vulnerabilities, such as those in Fortinet SSL VPNs. Once inside, it employs techniques like using living-off-the-land binaries (LOLBins) for tasks such as data exfiltration and credential theft.
  3. Blackbasta – BlackBasta ransomware was first observed in 2022 and operates as ransomware-as-a-service (RaaS). The threat actors behind it mostly target organizations and individuals by exploiting RDP vulnerabilities and using phishing emails to deliver the ransomware.

The evolving threat landscape necessitates heightened vigilance and proactive cybersecurity measures across industries in Africa. Organizations are encouraged to fortify their defenses and prioritize cybersecurity resilience to mitigate the risks posed by emerging malware strains and exploitation tactics.
