A new joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) details the 11 most-observed malware strains from the last year, including remote access Trojans, banking Trojans, information stealers and ransomware.
In the advisory, CISA and the ACSC say most of these top malware strains have been in use for several years, with their respective code bases evolving into multiple variants.
Some of the strains are well known to IT and security professionals, while others are newer strains designed to enable initial access for ransomware.
To mitigate these threats, CISA recommends keeping software up to date to prevent exploitation of vulnerabilities, implementing and enforcing multi-factor authentication, securing and monitoring Remote Desktop Protocol and other risky services, securing backups offline and providing end user training and awareness.
Paul Laudanski, head of threat intelligence at cloud email security provider Tessian, called the list of top malware strains a “stark reminder” of the cyber threats organizations face.
“To keep your machine secure, keep your OS patched and updated at all times, update your applications regularly, use some sort of behavioral detection looking for malicious activity, and be critical of emails you receive even when they look to come from family and friends,” Laudanski says. “Machine learning tools can also be very helpful as well.”
Here’s CISA and ACSC’s list of top malware strains, in full.
Agent Tesla
- Overview: Agent Tesla is capable of stealing data from mail clients, web browsers, and File Transfer Protocol (FTP) servers. This malware can also capture screenshots, videos, and Windows clipboard data. Agent Tesla is available online for purchase under the guise of being a legitimate tool for managing your personal computer. Its developers continue to add new functionality, including obfuscation capabilities and targeting additional applications for credential stealing.[3][4]
- Active Since: 2014
- Malware Type: RAT
- Delivery Method: Often delivered as a malicious attachment in phishing emails.
- Resources: See the MITRE ATT&CK page on Agent Tesla.
AZORult
- Overview: AZORult is used to steal information from compromised systems. It has been sold on underground hacker forums for stealing browser data, user credentials, and cryptocurrency information. AZORult’s developers are constantly updating its capabilities.[5][6]
- Active Since: 2016
- Malware Type: Trojan
- Delivery Method: Phishing, infected websites, exploit kits (automated toolkits exploiting known software vulnerabilities), or via dropper malware that downloads and installs AZORult.
- Resources: See the MITRE ATT&CK page on AZORult and the Department of Health and Human Services (HHS)’s AZORult brief.
FormBook
- Overview: FormBook is an information stealer advertised in hacking forums. FormBook is capable of keylogging and capturing browser or email client passwords, but its developers continue to update the malware to exploit the latest Common Vulnerabilities and Exposures (CVEs)[7], such as CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability.[8][9]
- Active Since: At least 2016
- Malware Type: Trojan
- Delivery Method: Usually delivered as an attachment in phishing emails.
- Resources: See Department of Health and Human Services (HHS)’s Sector Note on Formbook Malware Phishing Campaigns.
Ursnif
- Overview: Ursnif is a banking Trojan that steals financial information. Also known as Gozi, Ursnif has evolved over the years to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and search capability for disk encryption software to attempt key extraction for decrypting files.[10][11][12] Based on information from trusted third parties, Ursnif infrastructure is still active as of July 2022.
- Active Since: 2007
- Malware Type: Trojan
- Delivery Method: Usually delivered as a malicious attachment to phishing emails.
- Resources: See the MITRE ATT&CK page on Ursnif.
LokiBot
- Overview: LokiBot is a Trojan malware for stealing sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.[13][14]
- Active Since: 2015
- Malware Type: Trojan
- Delivery Method: Usually delivered as a malicious email attachment.
- Resources: See CISA’s LokiBot Malware alert and the MITRE ATT&CK page on LokiBot.
MOUSEISLAND
- Overview: MOUSEISLAND is usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack.[15]
- Active Since: At least 2019
- Malware Type: Macro downloader
- Delivery Method: Usually distributed as an email attachment.
- Resources: See Mandiant’s blog discussing MOUSEISLAND.
NanoCore
- Overview: NanoCore is used for stealing victims’ information, including passwords and emails. NanoCore could also allow malicious users to activate computers’ webcams to spy on victims. Malware developers continue to develop additional capabilities as plug-ins available for purchase or as a malware kit or shared amongst malicious cyber actors.[16][17][18]
- Active Since: 2013
- Malware Type: RAT
- Delivery Method: Has been delivered in an email as an ISO disk image within malicious ZIP files; also found in malicious PDF documents hosted on cloud storage services.
- Resources: See the MITRE ATT&CK page on NanoCore and the HHS Sector Note: Remote Access Trojan Nanocore Poses Risk to HPH Sector.
Qakbot
- Overview: Originally observed as a banking Trojan, Qakbot has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Also known as QBot or Pinkslipbot, Qakbot is modular in nature, enabling malicious cyber actors to configure it to their needs. Qakbot can also be used to form botnets.[19][20]
- Active Since: 2007
- Malware Type: Trojan
- Delivery Method: May be delivered via email as malicious attachments, hyperlinks, or embedded images.
- Resources: See the MITRE ATT&CK page on Qakbot and the Department of Health and Human Services (HHS) Qbot/Qakbot Malware brief.
Remcos
- Overview: Remcos is marketed as a legitimate software tool for remote management and penetration testing. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Remcos installs a backdoor onto a target system. Malicious cyber actors then use the Remcos backdoor to issue commands and gain administrator privileges while bypassing antivirus products, maintaining persistence, and running as legitimate processes by injecting itself into Windows processes.[21][22]
- Active Since: 2016
- Malware Type: RAT
- Delivery Method: Usually delivered in phishing emails as a malicious attachment.
- Resources: See the MITRE ATT&CK page on Remcos.
TrickBot
- Overview: TrickBot malware is often used to form botnets or to enable initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware. In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Based on information from trusted third parties, TrickBot’s infrastructure is still active as of July 2022.[23][24][25][26]
- Active Since: 2016
- Malware Type: Trojan
- Delivery Method: Usually delivered via email as a hyperlink.
- Resources: See the MITRE ATT&CK page on Trickbot and the Joint CSA on TrickBot Malware.
GootLoader
- Overview: GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader downloading a malicious payload into a multi-payload malware platform. As a loader, GootLoader is usually the first stage of a system compromise. By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results.[27]
- Active Since: At least 2020
- Malware Type: Loader
- Delivery Method: Malicious files available for download on compromised websites that rank highly in search engine results.
- Resources: See New Jersey’s Cybersecurity & Communications Integration Cell (NJCCIC) page on GootLoader and BlackBerry’s blog on GootLoader.
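Most of the entries above share the same delivery channel: a phishing email carrying a macro-enabled Office document (MOUSEISLAND), a disk image wrapped in a ZIP archive (NanoCore), or an executable posing as a document (Agent Tesla, FormBook, LokiBot, Remcos). The following attachment-triage script is an added example written for this article, not code from CISA, the ACSC, or any of the projects the advisory cites. It inspects attachments the way a mail-gateway rule would: by extension, by descending into ZIP archives, and by checking zip-based Office files for a VBA project part (`vbaProject.bin`) so a renamed `.docm` is still caught. The sample attachments are constructed placeholders, not real malware; the function names and extension lists are this example's own assumptions.

```python
from __future__ import annotations
import io
import zipfile
from pathlib import PurePosixPath

# Attachment classes drawn from the delivery methods listed in the advisory.
# These extension sets are this example's assumptions, not an official list.
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
LEGACY_OFFICE_EXT = {".doc", ".xls", ".ppt"}          # OLE2 files; not zip-inspectable here
OOXML_EXT = {".docx", ".xlsx", ".pptx"} | MACRO_EXT    # zip-based Office formats
DISK_IMAGE_EXT = {".iso", ".img", ".vhd", ".vhdx"}
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd"}
MAX_NESTING = 2   # how many ZIP layers to descend before flagging instead


def _ext(name: str) -> str:
    # Last suffix only, so "photo.jpg.exe" is judged by ".exe"
    return PurePosixPath(name.lower()).suffix


def ooxml_has_vba(data: bytes) -> bool:
    """True when a zip-based Office file carries a VBA project part,
    regardless of the extension the sender gave the file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name: str, data: bytes = b"", depth: int = 0) -> list[str]:
    """Return human-readable findings for one attachment, descending into ZIPs."""
    findings: list[str] = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable: {name}")
    if ext in DISK_IMAGE_EXT:
        findings.append(f"disk image: {name}")
    if ext in LEGACY_OFFICE_EXT:
        findings.append(f"legacy Office document (may contain macros): {name}")
    if ext in OOXML_EXT and ooxml_has_vba(data):
        findings.append(f"Office document with VBA project: {name}")
    if ext == ".zip":
        if depth >= MAX_NESTING:
            findings.append(f"ZIP nested deeper than {MAX_NESTING}: {name}")
        else:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        for f in triage_attachment(member, zf.read(member), depth + 1):
                            findings.append(f"inside {name}: {f}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable ZIP: {name}")
    return findings


def triage_message(attachments: list[tuple[str, bytes]]) -> list[str]:
    """Triage every attachment of one message; an empty list means nothing flagged."""
    out: list[str] = []
    for name, data in attachments:
        out.extend(triage_attachment(name, data))
    return out


# --- constructed samples (placeholder bytes, not real malware) ---

def _zip_bytes(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


def build_samples() -> list[tuple[str, bytes]]:
    macro_doc = _zip_bytes({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<w/>",
                            "word/vbaProject.bin": b"\x00"})
    clean_doc = _zip_bytes({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<w/>"})
    iso_in_zip = _zip_bytes({"statement.iso": b"\x00" * 16})
    return [
        ("invoice.docx", macro_doc),        # .docx extension but carries a VBA project
        ("agenda.docx", clean_doc),         # benign zip-based document
        ("statement.zip", iso_in_zip),      # disk image wrapped in an archive
        ("holiday_photo.jpg.exe", b"MZ"),   # double extension hiding an executable
        ("report.pdf", b"%PDF-1.4"),        # nothing to flag
    ]


if __name__ == "__main__":
    for finding in triage_message(build_samples()):
        print(finding)
```

Running the script flags three of the five constructed attachments and leaves the clean document and the PDF alone. The point of inspecting the ZIP members rather than the outer filename is that `.zip` alone says nothing; the member list is where the disk image or VBA part shows up. In a real gateway these findings would feed a quarantine or sandbox decision rather than a print statement.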
Read CISA’s advisory on the top malware strains for more information.