Top 11 Malware Strains of 2021 — and How to Stop Them

The top 11 malware strains observed in 2021 can steal your company’s data, remotely access your network, or even trigger a ransomware attack. That’s according to a new inter-agency report that analyzed the most prevalent malware threats.

And although most of these malware strains have been around for more than five years, cyber criminals are constantly evolving their code to produce new variants. This trend is actually helpful for network defenders: when threat actors keep using known malware strains, organizations have a better chance of identifying and containing these attacks.

The list of the top 11 malware variants

The Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) recently created this list, and the BlackBerry Threat Research team has done extensive research into how many of these malware strains can be prevented from accessing and damaging your environment. We will reference that work in this post, and in most cases, BlackBerry® resources include Indicators of Compromise (IoCs) and YARA rules.

Here are the top malware strains observed in 2021, summarized for easy scanning to help you protect your business:

1. Agent Tesla RAT

Description: Agent Tesla can steal data from email clients, web browsers and FTP (File Transfer Protocol) servers. This malware can also capture screenshots, videos, and data from the Windows® clipboard. Agent Tesla is available online under the guise of being a legitimate tool for managing your PC.

BlackBerry resources: Agent Tesla Infostealer and BlackBerry prevents Agent Tesla malware attacks.

2. AZORult Trojan

Description: AZORult is used to steal information from compromised systems. It was sold on underground hacking forums to exfiltrate browsing data, user credentials, and cryptocurrency information.

BlackBerry resources: Analyzing AZORult Infostealer malware and the Department of Health and Human Services (HHS) AZORult letter.

3. FormBook Trojan

Description: FormBook is an information stealer promoted on hacking forums. FormBook can perform keylogging and capture browser or email client passwords.

BlackBerry resources: xLoader Infostealer (formerly sold as FormBook) and BlackBerry prevents xLoader Infostealer.

4. Ursnif Trojan

Description: Ursnif is a banking Trojan that steals financial information. Ursnif, also known as Gozi, has evolved over the years to include a persistence mechanism, methods to evade sandboxes and virtual machines, and a function that searches for disk encryption software in an attempt to extract keys for decrypting files.

BlackBerry resources: Ursnif InfoStealer Malware and Cylance vs. URSNIF Infostealer.

5. LokiBot Trojan

Description: LokiBot is a Trojan designed to steal sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game.

BlackBerry resources: Mystery Bot: Do you do your banking on your phone? and also see CISA’s LokiBot malware alert.

6. MOUSEISLAND Downloader

Description: MOUSEISLAND is usually found in the embedded macros of a Microsoft® Word document. It can download other payloads and is sometimes the initial phase of a ransomware attack.

BlackBerry resources: Macros, block or not block and see MOUSEISLAND on Malpedia.

7. NanoCore RAT

Description: NanoCore is used to steal victims’ information, including passwords and emails. NanoCore can also allow malicious users to activate computers’ webcams to spy on victims.

BlackBerry resources: See .NET Stubs: Sowing the Seeds of Discord and the HHS publication Remote Access Trojan Nanocore Poses Risk to HPH Sector.

8. Qakbot Trojan

Description: Originally observed as a banking Trojan, Qakbot has evolved in its abilities to perform reconnaissance, move laterally, collect and exfiltrate data, and deliver payloads. Qakbot, also known as QBot or Pinkslipbot, is modular and allows malicious cyber actors to configure it according to their needs.

BlackBerry resources: The Return of Qakbot Malware and Cylance vs. Qakbot Malware.

9. Remcos RAT

Description: Remcos is marketed as legitimate remote management and penetration testing software. Remcos, short for Remote Control and Surveillance, was used by malicious cyber actors who ran mass phishing campaigns to steal personal information and credentials during the COVID-19 pandemic. Remcos installs a backdoor on a target system, which malicious actors can then use to issue commands and gain administrative privileges – all while bypassing antivirus products, maintaining persistence, and running as legitimate processes.

Resources: See the MITRE ATT&CK page on Remcos.

10. TrickBot

Description: TrickBot malware is often used to form botnets or to enable initial access for the Conti ransomware or the Ryuk banking Trojan. Developed and operated by a sophisticated group of malicious cyber actors, TrickBot has evolved into a highly modular, multi-tiered malware threat. In 2020, cyber criminals used TrickBot to attack healthcare and public health (HPH) systems, then launched ransomware attacks, exfiltrated data, or disrupted health services.

BlackBerry resources: TrickBot Infostealer malware and Cylance vs. Smoke Loader and the Trickbot Trojan. See also Joint CSA on TrickBot malware.

11. GootLoader

Description: GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader evolved from downloading a single malicious payload into a multi-payload malware platform. As a loader, GootLoader is usually the first stage of a system compromise. Using search engine poisoning, GootLoader developers create or compromise websites that rank highly in search engine results, such as Google search results.

BlackBerry resources: GootLoader, From SEO poisoning to multi-stage downloader.

CISA recommended malware mitigations

The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the following measures to mitigate malware attacks, placing good cyber hygiene at the top of the list:

  • Apply timely patches to systems
  • Patch all systems, especially for known exploited vulnerabilities
  • Implement user training
  • Secure Remote Desktop Protocol (RDP)
  • Create offline backups of data
  • Enforce multi-factor authentication (MFA).

BlackBerry protects against malware

CylancePROTECT® provides automated malware prevention, application and script control, memory protection, and device policy enforcement. This AI-based endpoint protection platform (EPP) blocks cyberattacks and provides controls to protect against sophisticated threats – no human intervention, internet connections, signature files, heuristics or sandboxes required.

And CylanceGUARD® is a subscription-based 24×7 Managed Extended Detection and Response (XDR) service. Our experienced analysts act as an extension of your team, correlating telemetry data across devices and delivering actionable intelligence to quickly prevent threats while minimizing alert fatigue.
