The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) released a joint Cybersecurity Advisory (CSA) providing details on the top malware strains of 2021.
Cybercriminals often use malware to gain access to a computer or mobile device to deploy viruses, worms, Trojans, ransomware, spyware, and rootkits. The top malware strains in 2021 included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware.
Most of these top strains have been in use for more than five years, with their code bases evolving into multiple variations, CISA says. These variations are what allows malware developers to use the strains for extended periods of time, but this in turn provides organizations the opportunity to better prepare and defend against prominent strains.
Here are the top 10 malware strains from 2021:
1. Agent Tesla
Agent Tesla can steal data from mail clients, web browsers, and File Transfer Protocol (FTP) servers. It can capture screenshots, videos, and Windows clipboard data. Agent Tesla is available online for purchase under the guise of being a legitimate tool for managing your personal computer. Its developers continue to add new functionality, including obfuscation capabilities and targeting additional applications for credential stealing.
AZORult is used to steal information from compromised systems. It has been sold on underground hacker forums for stealing browser data, user credentials, and cryptocurrency information. AZORult's developers are constantly updating its capabilities.
FormBook is an information stealer advertised in hacking forums. ForrmBook is capable of key logging and capturing browser or email client passwords, but its developers continue to update the malware to exploit the latest Common Vulnerabilities and Exposures (CVS), such as CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability.
Ursnif is a banking Trojan that steals financial information. Also known as Gozi, Ursnif has evolved over the years to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and search capability for disk encryption software to attempt key extraction for unencrypting files.
LokiBot is a Trojan malware for stealing sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.
MOUSEISLAND is usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack.
NanoCore is used for stealing victims' information, including passwords and emails. NanoCore could also allow malicious users to activate computers' webcams to spy on victims. Malware developers continue to develop additional capabilities as plug-ins available for purchase or as a malware kit or shared amongst malicious cyber actors.
Qakbot originally observed as a banking Trojan, Qakbot has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Also known as QBot or Pinksliplot, Qakbot is modular in nature enabling malicious cyber actors to configure it to their needs. Qakbot can also be used to form botnets.
Remcos is marketed as a legitimate software tool for remote management and penetration testing. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Remcos installs a backdoor onto a target system. Malicious cyber actors then use the Remcos backdoor to issue commands and gain administrator privileges while bypassing antivirus products, maintaining persistence, and running as legitimate processes by injecting itself into Windows processes.
TrickBot malware is often used to form botnets or enabling initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware. In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Based on information from trusted third parties, TrickBot's infrastructure is still active in July 2022.
Mitigations for top malware strains
CISA and ACSC recommend that all organizations take the time to review and improve their cybersecurity posture. The two agencies specifically encourage those in critical infrastructure to take these steps seriously and mitigate potential cyber threats.
For the top malware strains, the advisory provides six mitigations:
- Update software, including operating systems, applications, and firmware, on IT network assets.
- Enforce MFA.
- If you use RDP and/or other potentially risky services, secure and monitor them closely.
- Maintain offline (i.e., physically disconnected) backups of data.
- Provide end-user awareness and training.
- Implement network segmentation to separate network segments based on role and functionality.
See the full advisory from CISA and ACSC for additional information.