The U.S. Cybersecurity and Infrastructure Security Agency has published a list of the top malware strains identified in 2021. Malware is used by threat actors to compromise devices, giving them a backdoor into devices and networks for performing a range of nefarious activities. Malware can also be destructive and be used to sabotage systems, such as wipers that delete all data on a system. The rise in the value of cryptocurrencies has seen an increase in the use of cryptocurrency miners, which hijack system resources to mine cryptocurrency. Malware such as worms can not only compromise one device but also self-propagate and infect every other vulnerable device on a network.
In recent years there has been a major increase in the use of ransomware. Ransomware encrypts files on targeted systems to prevent data access, and a ransom demand is issued for the keys to unlock the encryption. Most ransomware variants also support data exfiltration, and files are stolen prior to encryption. The ransom must then be paid not just to decrypt files, but also to prevent the publication or sale of the stolen data. While ransomware is a type of malware, it is common for threat actors to use malware such as Remote Access Trojans (RATs) to gain initial access to networks, and for the access to be sold to ransomware gangs.
Malware is installed using a variety of attack vectors. It is commonly delivered via email, through the exploitation of vulnerabilities in Remote Desktop Protocol, and by exploiting known vulnerabilities in software. Initial access to accounts may also be gained using brute force tactics to guess weak credentials. With such a variety of attack vectors, no single cybersecurity measure can block all malware infections. It should also be noted that antivirus software detects malware based on the signatures in its definition lists, so it cannot block a sample for which no such signature exists. Many different variants of malware are released, and small tweaks to a sample can be all that is required to evade antivirus solutions.
In 2021, remote access Trojans, banking Trojans, information stealers, and ransomware were the most common types of malware used in attacks. The top malware strains in 2021 were:
- Agent Tesla – Information stealer
- AZORult – Information stealer
- Formbook – Information stealer
- Ursnif – Banking Trojan and information stealer
- LokiBot – Trojan information stealer
- MOUSEISLAND – Ransomware dropper
- NanoCore – Information stealer
- Qakbot – Banking Trojan, commonly used for reconnaissance and data exfiltration, and delivering additional malware payloads
- Remcos – Remote management and pen testing tool used to create a backdoor in victims’ systems
- TrickBot – Banking Trojan, botnet, and malware dropper
- GootLoader – Malware loader
These malware strains have been used in attacks for several years and have evolved to become more evasive and gain new capabilities. Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot have all been used for more than 5 years, while Qakbot and Ursnif have been in use for more than a decade.
In addition to giving their operators access to victims’ systems, Qakbot and TrickBot act as malware droppers and have been extensively used to hand access to ransomware gangs such as Conti. The Conti gang is known to have conducted at least 450 ransomware attacks in the first half of 2021. Throughout 2021, the malware strains Formbook, Agent Tesla, and Remcos were extensively distributed in phishing emails that took advantage of the pandemic by using COVID-19-themed lures.
CISA has provided a list of recommended mitigations for blocking malware threats and reducing the impact of successful attacks, the most important of which are to update software and patch promptly, enforce multifactor authentication, secure and monitor RDP and other potentially risky services, and provide end user security awareness training.
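The brute-force and RDP-monitoring points above can be turned into a simple detection. The following is an added example, not code from the article or from CISA: it runs over constructed, simplified Windows Security log lines (Event ID 4625 failed logon, 4624 successful logon, logon type 10 meaning RDP) and flags a source address that fails repeatedly within a short window, plus any success that follows such a burst. The log format and field names are assumptions chosen for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): simplified Windows
# Security log entries for failed logons (Event ID 4625) and successes (4624).
# Logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2021-06-01T08:00:01 4625 LogonType=10 User=administrator Src=203.0.113.10
2021-06-01T08:00:03 4625 LogonType=10 User=admin Src=203.0.113.10
2021-06-01T08:00:05 4625 LogonType=10 User=root Src=203.0.113.10
2021-06-01T08:00:06 4625 LogonType=10 User=backup Src=203.0.113.10
2021-06-01T08:00:08 4625 LogonType=10 User=test Src=203.0.113.10
2021-06-01T08:00:09 4624 LogonType=10 User=jsmith Src=203.0.113.10
2021-06-01T08:05:00 4625 LogonType=10 User=jdoe Src=198.51.100.7
2021-06-01T08:20:00 4625 LogonType=10 User=jdoe Src=198.51.100.7
2021-06-01T08:20:30 4624 LogonType=10 User=jdoe Src=198.51.100.7
"""

def parse_line(line):
    """Split one log line into timestamp, event id and key=value fields."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "event": event_id,
            "logon_type": kv["LogonType"], "user": kv["User"], "src": kv["Src"]}

def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert once a source IP reaches `threshold` failed RDP logons inside a
    sliding window, and again if a successful RDP logon from that IP follows
    (password guessing that worked). Returns a list of (kind, src, ts)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["logon_type"] != "10":   # only RemoteInteractive (RDP) logons
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "4625":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, ts))
        elif ev["event"] == "4624" and src in flagged:
            alerts.append(("success_after_bruteforce", src, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The two isolated failures from 198.51.100.7 fifteen minutes apart never reach the threshold, so a legitimate user mistyping a password is not flagged.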