Threat Coverage | Research

Aug 9, 2022

SafeBreach Coverage for US-CERT Alert (AA22-216A) – Top Malware Strains in 2021

On August 4, the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Center (ACSC) released a joint advisory US-CERT Alert (AA22-216A) 2021 Top Malware Strains that listed the most observed malware strains of 2021. These malware strains were frequently used by malicious actors to bypass organizational defenses and carry out their unauthorized objectives. According to the advisory, one key thing to note about these malware strains was their longevity. Constant innovations and variations by the threat actors have allowed some of these strains and their codebases to exist for nearly five years.

Threat actors used these malware to primarily deliver ransomware, gain authorized access, and steal sensitive data. Examples of the listed malware include viruses, trojans, ransomware, spyware, and rootkits.

Technical Details

According to the advisory, the top malware strains most frequently leveraged by threat actors in 2021 were Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader. With regards to their longevity, threat actors have used Qakbot and Ursnif for more than a decade, whereas Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot have been used very frequently for at least five years. This goes to show that while organizational defenses can stop known threats, small changes made to the codebase of an existing malware can potentially bypass existing security measures and allow the threat actor to carry out their malicious objectives.

  • Qakbot and TrickBot are commonly used by Eurasian threat actors to create botnets or broker botnet-enabled access to facilitate highly lucrative ransomware attacks.
  • According to the U.S. government, TrickBot is most frequently used to enable initial access for Conti Ransomware, which was used in nearly 450 ransomware attacks in the first half of 2021.
  • In 2021, mass phishing campaigns were created with Formbook, Agent Tesla, and Remcos malware that used COVID-19 themes to steal personal data from businesses and individuals.

Top Malware Strains from 2021 & Associated SafeBreach Coverage

  • Agent Tesla
    • This Remote Access Trojan (RAT) has been around since 2014 and is frequently delivered via phishing emails. It can steal data from email clients, web browsers, and FTP servers. It can also capture screenshots, videos, and scrape Windows clipboard data. It is available for purchase online under the guise of a genuine tool to manage your personal computer. Its developers continue to add new functionality, including obfuscation and credential stealing.
    • SafeBreach Coverage for Agent Tesla
      • #3277 Pre-execution phase of agent tesla malware
      • #3278 Write agent tesla malware to disk
      • #3279 Transfer of agent tesla malware over HTTP/S (Lateral Movement)
      • #3280 Transfer of agent tesla malware over HTTP/S (Infiltration)
      • #3281 Email agent tesla malware as a ZIP attachment (Lateral Movement)
      • #3282 Email agent tesla malware as a ZIP attachment (Infiltration)
  • AZORult
    • This Trojan has been active since 2016 and can be delivered via phishing, infected websites, exploit kits, or through dropper malware that downloads and installs it. It has been primarily used to steal information from compromised systems including browser data, user credentials, and cryptocurrency details. It is also being actively updated to add new functionality and bypass organizational security.
    • SafeBreach Coverage for AZORult
      • #2416 Email azorult malware as a ZIP attachment (Lateral Movement)
      • #2417 Email azorult malware as a ZIP attachment (Infiltration)
      • #3117 Pre-execution phase of azorult malware
  • FormBook
    • This Trojan has also been active since 2016 and is usually delivered via phishing emails. It is often advertised as an information stealer and is capable of keylogging and capturing browser or email client passwords. Its developers continue improving it to exploit the latest CVEs.
    • SafeBreach Coverage for FormBook
      • #4907 Pre-execution phase of formBook malware
      • #4908 Write formBook malware to disk
      • #4909 Transfer of formBook malware over HTTP/S (Lateral Movement)
      • #4910 Transfer of formBook malware over HTTP/S (Infiltration)
      • #4911 Email formBook malware as a ZIP attachment (Lateral Movement)
      • #4912 Email formBook malware as a ZIP attachment (Infiltration)
      • #6609 Write Xloader_Mac malware to disk
      • #6610 Transfer of Xloader_Mac malware over HTTP/S (Lateral Movement)
      • #6611 Transfer of Xloader_Mac malware over HTTP/S (Infiltration)
      • #6612 Email Xloader_Mac malware as a ZIP attachment (Lateral Movement)
      • #6613 Email Xloader_Mac malware as a ZIP attachment (Infiltration)
  • Ursnif
    • This Trojan (also known as Gozi) has been active since 2007 and is usually delivered as an attachment in a phishing email. This is a banking trojan that is used to steal financial information. It has evolved over the years to include a persistence mechanism, the ability to avoid sandboxes and VMs, and search capability for disk encryption software to attempt key extraction for unencrypted files. It is still active as of July 2022.
    • SafeBreach Coverage for Ursnif
      • #3042 Transfer of ursnif malware over HTTP/S (Lateral Movement)
      • #3043 Email ursnif malware as a ZIP attachment (Lateral Movement)
      • #3044 Email ursnif malware as a ZIP attachment (Infiltration)
      • #3080 Pre-execution phase of Ursnif v3 malware
      • #3196 Pre-execution phase of ursnif malware
  • LokiBot
    • This Trojan, which has been used to steal sensitive information, including user credentials, cryptocurrency wallets, and other credentials, has been active since 2015. It is delivered as a malicious attachment and was even disguised as a launcher for the Fortnite MPG.
    • SafeBreach Coverage for LokiBot
      • #5275 Pre-execution phase of lokibot malware
      • #5276 – Write lokibot malware to disk (Host-Level)
      • #5329 – Transfer of lokibot malware over HTTP/S (Lateral Movement)
      • #5330 – Transfer of lokibot malware over HTTP/S (Infiltration)
      • #5331 – Email lokibot malware as a ZIP attachment (Lateral Movement)
      • #5332 – Email lokibot malware as a ZIP attachment (Infiltration)
      • #5488 – Pre-execution phase of aa20-266a_lokibot malware (Host-Level)
      • #5489 – Write aa20-266a_lokibot malware to disk (Host-Level)
      • #5490 – Transfer of aa20-266a_lokibot malware over HTTP/S (Lateral Movement)
      • #5491 – Transfer of aa20-266a_lokibot malware over HTTP/S (Infiltration)
      • #5492 – Email aa20-266a_lokibot malware as a ZIP attachment (Lateral Movement)
      • #5493 – Email aa20-266a_lokibot malware as a ZIP attachment (Infiltration)
      • #5494 – Pre-execution phase of aa20-266a_lokibot malware (Host-Level)
      • #5495 – Write aa20-266a_lokibot malware to disk (Host-Level)
      • #5496 – Transfer of aa20-266a_lokibot malware over HTTP/S (Lateral Movement)
      • #5497 – Transfer of aa20-266a_lokibot malware over HTTP/S (Infiltration)
      • #5498 – Email aa20-266a_lokibot malware as a ZIP attachment (Lateral Movement)
      • #5499 – Email aa20-266a_lokibot malware as a ZIP attachment (Infiltration)
      • #5500 – Write aa20-266a_lokibot malware to disk (Host-Level)
      • #5501 – Transfer of aa20-266a_lokibot malware over HTTP/S (Lateral Movement)
      • #5502 – Transfer of aa20-266a_lokibot malware over HTTP/S (Infiltration)
      • #5503 – Email aa20-266a_lokibot malware as a ZIP attachment (Lateral Movement)
      • #5504 – Email aa20-266a_lokibot malware as a ZIP attachment (Infiltration)
      • #5505 – Communication with aa20-266a_lokibot using HTTP
      • #5506 – aa20-266a_lokibot HTTP post request Real c2
  • MOUSEISLAND
    • This Macro downloader has been active since 2019. It is usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack. It is usually delivered as an infected email attachment.
    • SafeBreach Coverage for MOUSEISLAND
      • (NEW) #7286 – Write UNC2198 BEACON malware to disk (Host-Level)
      • (NEW) #7287 – Transfer of UNC2198 BEACON malware over HTTP/S (Lateral Movement)
      • (NEW) #7288 – Transfer of UNC2198 BEACON malware over HTTP/S (Infiltration)
      • (NEW) #7289 – Email UNC2198 BEACON malware as a ZIP attachment (Lateral Movement)
      • (NEW) #7290 – Email UNC2198 BEACON malware as a ZIP attachment (Infiltration)
      • (NEW) #7291 – Write UNC2198 ICEDID malware to disk (Host-Level)
      • (NEW) #7292 – Transfer of UNC2198 ICEDID malware over HTTP/S (Lateral Movement)
      • (NEW) #7293 – Transfer of UNC2198 ICEDID malware over HTTP/S (Infiltration)
      • (NEW) #7294 – Email UNC2198 ICEDID malware as a ZIP attachment (Lateral Movement)
      • (NEW) #7295 – Email UNC2198 ICEDID malware as a ZIP attachment (Infiltration)
  • NanoCore
    • This RAT has been around since 2013 and has been used for stealing victims’ information, including passwords and emails. NanoCore could also allow malicious users to activate computers’ webcams to spy on victims. Its developers continue to add new capabilities, including making it available for purchase as a plug-in or as a malware kit. It has been delivered in an email as an ISO disk image within malicious ZIP files; it has also been found in malicious PDF documents hosted on cloud-storage services.
    • SafeBreach Coverage for NanoCore
      • #2814 Write nanocore malware to disk
      • #2815 Transfer of nanocore malware over HTTP/S (Lateral Movement)
      • #2816 Transfer of nanocore malware over HTTP/S (Infiltration)
      • #2817 Email nanocore malware as a ZIP attachment (Lateral Movement)
      • #2817 Email nanocore malware as a ZIP attachment (Infiltration)
      • #3167 Pre-execution phase of nanocore malware
  • QakBot
    • This Trojan (also known as QBot or Pinksliplot) has been active since 2007 and is often delivered via email as a malicious attachment, hyperlink, or embedded image. It was originally used as a banking trojan, but has now evolved its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. It is very modular, which makes it very configurable.
    • SafeBreach Coverage for QakBot
      • #1359 Transfer of the QakBot Malware over HTTP/S
      • #1864 Email the QakBot malware as part of a ZIP attachment
      • #2066 Email the QakBot malware as part of a ZIP attachment (Infiltration)
  • Remcos
    • This RAT has been active since 2016 and is delivered via phishing emails as a malicious attachment. Remcos is marketed as a legitimate tool for remote management and penetration testing. Short for remote control and surveillance, it was leveraged by threat actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. It first installs a backdoor into the target system that can then be exploited to issue commands and gain admin privileges, while bypassing installed security like AV.
    • SafeBreach Coverage for Remcos
      • (NEW) #7296 – Write Remcos RAT malware to disk (Host-Level)
      • (NEW) #7297 – Transfer of Remcos RAT malware over HTTP/S (Lateral Movement)
      • (NEW) #7298 – Transfer of Remcos RAT malware over HTTP/S (Infiltration)
      • (NEW) #7299 – Email Remcos RAT malware as a ZIP attachment (Lateral Movement)
      • (NEW) #7300 – Email Remcos RAT malware as a ZIP attachment (Infiltration)
  • TrickBot
    • This Trojan, which is usually delivered via email as a hyperlink, has been active since 2016. It is often used to create botnets or enable initial access for Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware.
    • SafeBreach Coverage for TrickBot
      • #3003 – Email trickbot malware as a ZIP attachment (Infiltration)
      • #1382 – Transfer of the TrickBot Malware over HTTP (Lateral Movement)
      • #3002 – Transfer of trickbot malware over HTTP/S (Lateral Movement)
      • #2326 – Transfer of TrickBot malware dropper over HTTP/S (Lateral Movement)
      • #1868 – Email the TrickBot malware as part of a ZIP attachment (Infiltration)
      • #1887 – Email the TrickBot (21.5.2018) malware as part of a ZIP attachment (Infiltration)
      • #1560 – Transfer of the TrickBot Malware over HTTP/s (Lateral Movement)
      • #3004 – Email trickbot malware as a ZIP attachment (Lateral Movement)
      • #1387 – Write to Disk of TrickBot (Host Level)
      • #3085 – Pre-execution phase of TrickBot (21.5.2018) files malware (Host Level)
      • #3070 – Pre-execution phase of TrickBot malware (Host Level)
      • #2070 – Email the TrickBot malware as part of a ZIP attachment (Lateral Movement)
      • #2089 – Email the TrickBot (21.5.2018) malware as part of a ZIP attachment (Lateral Movement)
      • #1559 – Write TrickBot (21.5.2018) files to Disk (Host Level)
      • #2108 – Write TrickBot Files to Disk (Host Level)
      • #1381 – Write TrickBot to disk (Host Level)
      • #3191 – Pre-execution phase of trickbot malware (Host Level)
      • #3001 – Transfer of trickbot malware over HTTP/S (Infiltration)
      • #3000 – Write trickbot malware to disk (Host Level)
      • #2109 – Transfer of the TrickBot Malware over HTTP/s (Lateral Movement)
      • #3098 – Pre-execution phase of TrickBot Files malware (Host Level)
  • GootLoader
    • The newest malware on the list is a Loader malware that has been active since 2020. It is usually delivered as malicious files available for download on compromised websites that rank higher as search engine results. It is typically associated with the GootKit malware. GootLoader has evolved from a loader downloading a malicious payload into a multi-payload malware platform. As a loader malware, GootLoader is usually the first stage of a system compromise. By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results.
    • SafeBreach Coverage for GootLoader
      • (NEW) #7276 – Write GootLoader_Stager_1 malware to disk (Host-Level)
      • (NEW) #7277 – Transfer of GootLoader_Stager_1 malware over HTTP/S (Lateral Movement)
      • (NEW) #7278 – Transfer of GootLoader_Stager_1 malware over HTTP/S (Infiltration)
      • (NEW) #7279 – Email GootLoader_Stager_1 malware as a ZIP attachment (Lateral Movement)
      • (NEW) #7280 – Email GootLoader_Stager_1 malware as a ZIP attachment (Infiltration)
      • (NEW) #7281 – Write GootLoader Stager 2 malware to disk (Host-Level)
      • (NEW) #7282 – Transfer of GootLoader Stager 2 malware over HTTP/S (Lateral Movement)
      • (NEW)  #7283 – Transfer of GootLoader Stager 2 malware over HTTP/S (Infiltration)
      • (NEW) #7284 – Email GootLoader Stager 2 malware as a ZIP attachment (Lateral Movement)
      • (NEW) #7285 – Email GootLoader Stager 2 malware as a ZIP attachment (Infiltration)

What You Should Do Now

Attack methods related to US-CERT Alert AA22-216A are ready to run across your simulators. Simply go to the SafeBreach Attack Playbook, search for the relevant malware name, and select the attacks to run.

NOTE: The following actions have been recommended by CISA and ACSC to mitigate any threat originating from the above-listed malware strains:

  • Update software, including operating systems, applications, and firmware, on IT network assets.
  • Enforce multi-factor authentication (MFA) to the greatest extent possible and require accounts with password logins, including service accounts, to have strong passwords.
  • If you use RDP and/or other potentially risky services, secure and monitor them closely.
  • Maintain offline (i.e., physically disconnected) backups of data.
  • Provide end-user awareness and training to help prevent successful targeted social engineering and spearphishing campaigns.

Get the latest
research and news