The most commonly seen malware strains in 2021 include Agent Tesla, Qakbot, TrickBot, GootLoader and several others, according to a new list released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC).
The cybersecurity agencies said that in 2021, the top malware types included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware.
“Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations,” the agencies explained. “The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.”
The alert highlights the prolific malware strains Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot – all in use for more than five years – and Qakbot and Ursnif, which have been deployed for more than a decade.
These malware families are typically updated over time, and code from one is often reused in others, which contributes to a strain’s longevity.
Both Qakbot and TrickBot are typically used to build out powerful botnets, networks of infected computers, often developed and operated by Eurasian cyber criminals “known for using or brokering botnet-enabled access to facilitate highly lucrative ransomware attacks,” the agencies said.
“According to U.S. government reporting, TrickBot malware often enables initial access for Conti ransomware, which was used in nearly 450 global ransomware attacks in the first half of 2021,” they said, referring to a Russia-based ransomware gang. “As of 2020, malicious cyber actors have purchased access to systems compromised by TrickBot malware on multiple occasions to conduct cybercrime operations,” the agencies wrote.
The agencies also warned that last year cyber criminals conducted phishing campaigns, using pandemic-related messaging to get access to data and credentials, with the malware Formbook, Agent Tesla and Remcos.
Paul Laudanski, head of threat intelligence at Tessian, noted that most of the malware strains utilize phishing emails and attachments because of how difficult it has been for traditional security detections to determine what is malicious and what is not.
Today’s threat actors, he said, take advantage of unique phishing URLs, with single-use links making it especially difficult for security agencies to verify the target location.
The agencies’ report notes that malware developers typically operate from permissive locations with “few legal prohibitions against malware development and deployment,” making it easy to constantly revamp their lucrative creations “with low risk of negative consequences.”
Some, according to the list, even market their malware as legitimate tools for remote management and penetration testing.
“Malicious cyber actors can purchase Remcos and Agent Tesla online for low cost and have been observed using both tools for malicious purposes,” they wrote.
Vulcan Cyber’s Kevin Broughton said the list is useful because it helps organizations prioritize patching and other mitigation activities to neutralize the most critical threats, particularly those that are known to have been exploited in the wild.
“Organizations that have programs in place to quickly analyze data like this and act on the information are much less likely to fall victim to exploits,” he said.
John Bambenek, principal threat hunter at Netenrich, said the information is neither “new to defenders” nor “groundbreaking.”
“What would really move the ball forward is sustained engagement to disrupt these threats, developing free tools to protect organizations (especially those without security teams), and working with backbone providers to block these threats at the network level, especially on consumer networks that have little to no protection,” he said.
Some security companies are already using the list to help defenders out. The cybersecurity company Tenable created its own list of common vulnerabilities and exposures (CVEs) that it says are tied to many of the malware strains listed.
In April, CISA worked with the ACSC, as well as the FBI, NSA and others to compile a list of the top 15 routinely exploited vulnerabilities in 2021. The list included Log4Shell, Microsoft bugs ProxyLogon and ProxyShell, as well as a vulnerability affecting Atlassian products.
Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.