"The most frequently detected malicious code in May was the Agent Tesla spyware, and we recorded a major attack campaign worldwide on May 30. It is interesting, however, that this campaign was practically non-existent in the Czech Republic, where the spyware attacked around the middle of the month, on May 12 and 15," says Martin Jirkal, head of the analytical team at ESET Research in Prague. "Spyware attacks primarily through dangerous e-mail attachments. In May, users could find attachments named Factura.exe or PO # 22687_pdf.exe in their e-mails, for example. The attackers used only attachments from global campaigns and did not localize them into Czech," he adds.
The decline in detections may be a harbinger of new attacks
Even in the case of the Formbook spyware and the Fareit password stealer, the attackers did not actively use Czech in May. Fareit most often hid in attachments called "Purchase Inquiry.exe" or "Termination Letter.exe". Formbook then most often appeared in the attachment "RFQ-22-03795.exe", and its attack campaigns were conducted mainly in Serbian. "The only case in which the attackers probably intentionally used Czech in an attack campaign was an attachment from the Fareit password stealer attack of May 9 to 10, named Orders (P.O_R6790074) _INTERCOM_Bohemia.exe. It was a case where the attackers tried to create a targeted attack beyond the global campaign. However, we repeatedly see that they do not use Czech correctly, which fortunately can warn users in time," explains Jirkal.
Although security experts monitor the Agent Tesla and Formbook spyware and the Fareit password stealer in the Czech environment regularly and over the long term, they recorded an overall decline in their activity in May. Each of them appeared in about a tenth of all detections.
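The attachment names quoted above share two traits a mail gateway can screen for: an executable extension, and a document type or spaces smuggled into the name to make it look like an invoice or order. The following screening function is an added example, not ESET's code; the extension and decoy-word lists are assumptions, and the sample names are constructed from the ones mentioned in the report.

```python
import re
from dataclasses import dataclass, field

# Assumption: extensions that run as code when a Windows user double-clicks them
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi"}
# Assumption: document-type words attackers place before the real extension
DECOY_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
DECOY_RE = re.compile(r"[._ -](" + "|".join(sorted(DECOY_WORDS)) + r")$")


@dataclass
class Verdict:
    filename: str
    risky: bool
    reasons: list = field(default_factory=list)


def screen_attachment(filename: str) -> Verdict:
    """Return why an attachment name should be quarantined (empty list = allow)."""
    reasons = []
    name = filename.strip().lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        stem = name[: -(len(ext) + 1)]
        # "PO # 22687_pdf.exe": a document type hidden in the stem
        if DECOY_RE.search(stem):
            reasons.append("decoy document type in name")
        # Heuristic: spaces in an executable name are typical for spoofed
        # invoices/orders such as "Purchase Inquiry.exe"
        if " " in stem:
            reasons.append("spaces in executable name")
    return Verdict(filename, bool(reasons), reasons)


# Constructed sample: names quoted in the report plus one benign document
SAMPLES = [
    "Factura.exe",
    "PO # 22687_pdf.exe",
    "Purchase Inquiry.exe",
    "RFQ-22-03795.exe",
    "Orders (P.O_R6790074) _INTERCOM_Bohemia.exe",
    "invoice_may.pdf",
]


def screen_all(names=None) -> dict:
    """Screen every name and return a filename -> Verdict mapping."""
    return {n: screen_attachment(n) for n in (names or SAMPLES)}


if __name__ == "__main__":
    for v in screen_all().values():
        print(("QUARANTINE " if v.risky else "allow      ") + v.filename, v.reasons)
```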
"We have been observing this downward trend in the number of detected cases since April this year. Since about February, we have also been watching the ranking of the most common malicious codes for the Windows operating system in the Czech Republic change regularly. Formbook spyware, for example, came to the fore last month, although until now we had detected the Agent Tesla spyware as the biggest threat without major fluctuations. How this situation will be affected by current geopolitical events and the related activity of the attacking groups remains to be seen. In our experience, this is probably a period of rest before a larger wave of new and more successful attacks," explains Jirkal.
Let’s not underestimate the security of our login details
The main target of all the attacks mentioned is user passwords. Once stolen, the attackers can monetize them on the black market or use them for further attacks. Security experts have repeatedly advised users not to underestimate the secure management of their credentials. In a spyware attack, the passwords that users store in their web browsers are most at risk, because they are not properly secured against these attacks.
"We know from regular surveys that creating strong passwords and then storing them safely has long been underestimated in the Czech Republic. A strong password should be at least ten characters long and combine uppercase and lowercase letters, numbers, and special characters, if the service allows it. However, users usually need to write more complex passwords down somewhere, and this is where a security gap most often arises," says Jirkal of ESET Research.
Suitable specialized tools that store passwords in encrypted form are, for example, password managers, which users can purchase as a standalone service or as part of a quality security solution. In addition, modern antivirus software, thanks to machine learning technology, can effectively protect devices and sensitive data from attack if a user opens a dangerous attachment from their e-mail, for example.
The most common cyber threats to the Windows operating system in the Czech Republic in May 2022:
- MSIL/Spy.AgentTesla trojan (14.06 %)
- Win32/PSW.Fareit trojan (10.67 %)
- Win32/Formbook trojan (9.18 %)
- MSIL/Spy.Agent.AES trojan (4.82 %)
- Win32/Agent.TJS trojan (3.84 %)
- MSIL/Spy.Agent.CVT trojan (2.30 %)
- Win32/Spy.Weecnaw trojan (1.67 %)
- BAT/CoinMiner.AUB trojan (1.37 %)
- VBS/KillAV.NAS trojan (1.26 %)
- Win32/Rescoms trojan (1.11 %)