
CISA: Top 11 Malware Strains for 2021 Feature RATs, Trojans, Macro Downloaders, Loaders


The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) have jointly compiled an advisory of the top malware strains for 2021.

The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader. Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos and TrickBot for at least five years. Qakbot and Ursnif have been used for more than a decade.

Top 11 Malware Strains for 2021

Agent Tesla is capable of stealing data from mail clients, web browsers and File Transfer Protocol (FTP) servers. This malware can also capture screenshots, videos and Windows clipboard data. Agent Tesla is available online for purchase under the guise of being a legitimate tool for managing your personal computer. Its developers continue to add new functionality, including obfuscation capabilities and targeting additional applications for credential theft.
Active Since: 2014.
Malware Type: RAT.
Delivery Method: Often delivered as a malicious attachment in phishing emails.

AZORult is used to steal information from compromised systems. It has been sold on underground hacker forums for stealing browser data, user credentials and cryptocurrency information. AZORult’s developers are constantly updating its capabilities.
Active Since: 2016.
Malware Type: Trojan.
Delivery Method: Phishing, infected websites, exploit kits (automated toolkits exploiting known software vulnerabilities) or via dropper malware that downloads and installs AZORult.

FormBook is an information stealer advertised in hacking forums. FormBook is capable of keylogging and capturing browser or email client passwords, and its developers continue to update the malware to exploit the latest Common Vulnerabilities and Exposures (CVEs), such as CVE-2021-40444, the Microsoft MSHTML Remote Code Execution Vulnerability.
Active Since: At least 2016.
Malware Type: Trojan.
Delivery Method: Usually delivered as an attachment in phishing emails.

Ursnif is a banking Trojan that steals financial information. Also known as Gozi, Ursnif has evolved over the years to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and the ability to search for disk encryption software in an attempt to extract keys and decrypt files. Based on information from trusted third parties, Ursnif infrastructure is still active as of July 2022.
Active Since: 2007.
Malware Type: Trojan.
Delivery Method: Usually delivered as a malicious attachment to phishing emails.

LokiBot is a Trojan malware for stealing sensitive information, including user credentials, cryptocurrency wallets and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.
Active Since: 2015.
Malware Type: Trojan.
Delivery Method: Usually delivered as a malicious email attachment.

MOUSEISLAND is usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack.
Active Since: At least 2019.
Malware Type: Macro downloader.
Delivery Method: Usually distributed as an email attachment.

NanoCore is used for stealing victims’ information, including passwords and emails. NanoCore could also allow malicious users to activate computers’ webcams to spy on victims. Its developers continue to build additional capabilities, sold as plug-ins or as part of a malware kit, or shared among malicious cyber actors.
Active Since: 2013.
Malware Type: RAT.
Delivery Method: Has been delivered in an email as an ISO disk image within malicious ZIP files; also found in malicious PDF documents hosted on cloud storage services.

Qakbot was originally observed as a banking Trojan but has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data and delivering payloads. Also known as QBot or Pinkslipbot, Qakbot is modular in nature, enabling malicious cyber actors to configure it to their needs. Qakbot can also be used to form botnets.
Active Since: 2007.
Malware Type: Trojan.
Delivery Method: May be delivered via email as malicious attachments, hyperlinks, or embedded images.

Malware Gets Tricky

Remcos is marketed as a legitimate software tool for remote management and penetration testing. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Remcos installs a backdoor onto a target system. Malicious cyber actors then use the Remcos backdoor to issue commands and gain administrator privileges while bypassing antivirus products, maintaining persistence, and running as legitimate processes by injecting the malware into Windows processes.
Active Since: 2016.
Malware Type: RAT.
Delivery Method: Usually delivered in phishing emails as a malicious attachment.

TrickBot malware is often used to form botnets or to enable initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware. In 2020, cybercriminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Based on information from trusted third parties, TrickBot’s infrastructure is still active as of July 2022.
Active Since: 2016.
Malware Type: Trojan.
Delivery Method: Usually delivered via email as a hyperlink.

GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader that downloads a single malicious payload into a multi-payload malware platform. As loader malware, GootLoader is usually the first stage of a system compromise. By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results.
Active Since: At least 2020.
Malware Type: Loader.
Delivery Method: Malicious files available for download on compromised websites that rank high as search engine results.
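Two delivery patterns recur in the strain descriptions above: a disk image (ISO) wrapped inside a ZIP attachment (NanoCore) and a macro-carrying Microsoft Word document (MOUSEISLAND). The following mail-gateway triage routine is an added example written for this summary, not code from CISA, ACSC or any of the projects named; it walks an attachment and any nested ZIP/OOXML containers in memory and reports those patterns. The extension lists, the `MAX_MEMBER_BYTES` guard and the sample attachments are constructed assumptions for the example.

```python
"""Attachment triage for the delivery patterns named in the CISA/ACSC advisory:
disk images nested in ZIP archives and macro-enabled Office documents.
Sample data below is constructed; nothing here is a real malware artifact."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

# Assumed local policy lists, not values supplied by the advisory.
DISK_IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
MACRO_OFFICE_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# An Office Open XML package carries one of these parts only when it contains VBA.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


@dataclass
class Finding:
    path: str    # e.g. "invoice.zip/invoice.iso" for a nested member
    reason: str


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]          # look only at the innermost file name
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def _is_zip(data: bytes) -> bool:
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def triage_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list[Finding]:
    """Return findings for one attachment, descending into ZIP-based containers.
    OOXML documents are ZIPs too, so a .docx renamed to hide a VBA project is still caught."""
    findings: list[Finding] = []
    ext = _ext(name)
    if ext in DISK_IMAGE_EXTS:
        findings.append(Finding(name, "disk image attachment (ISO-in-ZIP delivery pattern)"))
    if ext in MACRO_OFFICE_EXTS:
        findings.append(Finding(name, "macro-enabled Office document by extension"))

    if _is_zip(data) and depth < max_depth:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
                if any(m in VBA_PARTS for m in members):
                    findings.append(Finding(name, "Office document contains a VBA project (vbaProject.bin)"))
                for member in members:
                    if member.endswith("/"):
                        continue                      # directory entry
                    if zf.getinfo(member).file_size > MAX_MEMBER_BYTES:
                        findings.append(Finding(f"{name}/{member}", "member exceeds inflation limit"))
                        continue
                    inner = zf.read(member)          # in memory only; nothing is written to disk
                    findings.extend(triage_attachment(f"{name}/{member}", inner, depth + 1, max_depth))
        except zipfile.BadZipFile:
            findings.append(Finding(name, "malformed ZIP container"))
    return findings


def _build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_attachments() -> dict[str, bytes]:
    """Constructed samples: a ZIP wrapping an ISO, a Word document that hides a VBA
    project behind a plain .docx extension, and a clean PDF."""
    return {
        "invoice.zip": _build_zip({"invoice.iso": b"\x00" * 64}),
        "report.docx": _build_zip({
            "[Content_Types].xml": b"<Types/>",
            "word/document.xml": b"<w:document/>",
            "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",   # placeholder bytes, not real VBA
        }),
        "brochure.pdf": b"%PDF-1.4 constructed placeholder",
    }


def triage_all(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    return {n: [f.reason for f in triage_attachment(n, d)] for n, d in attachments.items()}


if __name__ == "__main__":
    for attachment, reasons in triage_all(sample_attachments()).items():
        print(attachment, reasons or ["no findings"])
```

The routine only reads archive members into memory and never extracts to disk, and the depth and size limits keep a crafted nested archive from exhausting the gateway. Checking for `vbaProject.bin` inside the package rather than trusting the extension is what catches the renamed macro document in the sample set.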

Mitigations include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems, especially for known exploited vulnerabilities, making offline backups of data, and enforcing multifactor authentication (MFA).

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.