
CISA Sheds Light On Last Year’s Top Malware Strains

CISA provided details about 2021’s top malware strains in its latest advisory, including information about TrickBot, Qakbot, Remcos, and more.


By Jill McKeon

The Cybersecurity and Infrastructure Security Agency (CISA) provided insight on the top malware threats of 2021 in its latest advisory. Co-authored by the Australian Cyber Security Centre (ACSC), the advisory detailed 11 top malware strains, their delivery methods, and mitigation tactics.

“Malware, short for ‘malicious software,’ can compromise a system by performing an unauthorized function or process,” the advisory explained.

“Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.”

The advisory shed light on the following malware strains, all used by cyber criminals to deliver ransomware or facilitate data exfiltration or theft:

  • Agent Tesla
  • AZORult
  • Formbook
  • Ursnif
  • LokiBot
  • MOUSEISLAND
  • NanoCore
  • Qakbot
  • Remcos
  • TrickBot
  • GootLoader

Most of 2021’s top malware strains have been in consistent use for five years or more, and they range from remote access Trojans to information stealers, ransomware, and banking Trojans. Qakbot and Ursnif have been used in some shape or form for more than a decade, CISA said.

TrickBot, which is known to enable initial access for the notorious Conti ransomware and Ryuk banking Trojan, poses a threat to healthcare in particular. TrickBot has been active since 2016 and is usually delivered via email as a hyperlink.

“In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services,” the advisory explained.

“Based on information from trusted third parties, TrickBot’s infrastructure is still active in July 2022.”

Conti ransomware was used in almost 450 global ransomware attacks in the first half of 2021 alone, the alert stated.

Qakbot, like TrickBot, is used to form botnets and is developed and operated by Eurasian cyber criminals “known for using or brokering botnet-enabled access to facilitate highly lucrative ransomware attacks.”

Qakbot is often delivered via email as malicious attachments, embedded images, or hyperlinks. HHS released a threat brief about the risk of Qakbot in the healthcare sector in October 2020.

“CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of this joint CSA,” the advisory urged.

“These mitigations include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems especially for known exploited vulnerabilities, making offline backups of data, and enforcing multifactor authentication (MFA).”

In addition, the advisory encouraged all organizations to maintain offline data backups, provide end-user awareness and training programs, and implement network segmentation to separate networks based on role and functionality.