CISA, ACSC disclose malware strains used to deliver ransomware, facilitate information theft

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) provided details of the top malware strains observed in 2021, which hackers used to deliver ransomware or facilitate the theft of personal and financial information. Remote access trojans (RATs), banking trojans, information stealers, and ransomware were covered. Most of the top malware strains have been in use for more than five years, with their respective code bases evolving into multiple variations. 

“The top malware strains of 2021 are Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader,” CISA and ACSC said in their advisory on Thursday. Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years. In contrast, it added that they have used Qakbot and Ursnif for more than a decade. 

Updates made by malware developers, and the reuse of code from these malware strains, contribute to the malware’s longevity and evolution into multiple variations. Additionally, malicious actors’ use of known malware strains offers organizations opportunities to better prepare, identify, and mitigate attacks from these known malware strains.

The advisory disclosed that the most prolific users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate the theft of personal and financial information. “Qakbot and TrickBot are used to form botnets and are developed and operated by Eurasian cybercriminals known for using or brokering botnet-enabled access to facilitate highly lucrative ransomware attacks,” the advisory said. “Eurasian cyber criminals enjoy permissive operating environments in Russia and other former Soviet republics,” it added.

The CISA-ACSC advisory said that the U.S. government reported that TrickBot malware often enables initial access for Conti ransomware, which was used in nearly 450 global ransomware attacks in the first half of 2021. Additionally, as of 2020, malicious cyber actors have purchased access to systems compromised by TrickBot malware on multiple occasions to conduct cybercrime operations. 

Last month, IBM Security X-Force uncovered evidence indicating that the Russia-based cybercriminal syndicate ‘Trickbot group’ has been systematically attacking Ukraine since the Russian invasion. The attacks marked an unprecedented shift, as the group had not previously targeted Ukraine; the finding came out of the team’s ongoing research. Such a threat landscape requires organizations to ensure that anti-virus software and associated files are up to date, search for existing signs of the indicated IOCs in their environment, and consider blocking and/or setting up detection for all URL- and IP-based IOCs. 
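The IOC sweep recommended above is, in practice, a matter of taking the URL and IP indicators from an advisory and checking them against outbound traffic records. The following Python script is an added example illustrating that workflow; it is not code from the CISA-ACSC advisory or from IBM X-Force. The indicator list and the proxy log lines are constructed placeholder values (RFC 5737 documentation addresses and `.example` hostnames), not indicators from the advisory, and the defanged notation (`hxxp`, `[.]`) is assumed because advisories commonly publish indicators that way, so the script refangs them before matching.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed IOC list in the defanged form advisories commonly use.
# Placeholder values only; not indicators from the CISA/ACSC advisory.
DEFANGED_IOCS = [
    "hxxp://malware-cdn[.]example/payload.zip",
    "hxxps://update-check[.]example/",
    "203[.]0[.]113[.]45",
    "198.51.100.7",
]

# Constructed proxy log: "<timestamp> <client_ip> <dest_ip> <url> <status>".
SAMPLE_PROXY_LOG = """\
2021-09-14T10:01:02Z 10.0.0.5 93.184.216.34 http://www.example.com/index.html 200
2021-09-14T10:01:09Z 10.0.0.8 203.0.113.45 http://malware-cdn.example/payload.zip 200
2021-09-14T10:02:30Z 10.0.0.8 192.0.2.77 https://update-check.example/ 200
2021-09-14T10:03:11Z 10.0.0.12 192.0.2.10 http://intranet.corp/login 302
"""


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")


def build_ioc_sets(defanged):
    """Split refanged IOCs into a set of IP addresses and a set of URL hostnames."""
    ips, hosts = set(), set()
    for raw in defanged:
        ioc = refang(raw)
        try:
            # Bare IP indicator: normalise through ipaddress so "01.2.3.4"-style
            # variants do not slip past a plain string comparison.
            ips.add(str(ipaddress.ip_address(ioc)))
            continue
        except ValueError:
            pass
        # URL or bare domain indicator: keep only the hostname, since the path
        # seen in traffic often differs from the one published.
        parsed = urlparse(ioc if "://" in ioc else "//" + ioc)
        if parsed.hostname:
            hosts.add(parsed.hostname.lower())
    return ips, hosts


def sweep_proxy_log(log_text, ips, hosts):
    """Return (line_no, reason, line) for every log line that touches an IOC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the sweep
        dest_ip, url = fields[2], fields[3]
        host = (urlparse(url).hostname or "").lower()
        if dest_ip in ips:
            hits.append((n, f"ip:{dest_ip}", line))
        elif host in hosts:
            hits.append((n, f"host:{host}", line))
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_hosts = build_ioc_sets(DEFANGED_IOCS)
    for line_no, reason, text in sweep_proxy_log(SAMPLE_PROXY_LOG, ioc_ips, ioc_hosts):
        print(f"line {line_no}: matched {reason}: {text}")
```

Matching on hostname rather than the full URL is a deliberate choice: the same distribution host is typically seen with many different paths, so a full-URL comparison would miss most of them. The same sets can be fed to a web-proxy or DNS block list once the sweep confirms there are no legitimate hosts among them.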

“In 2021, cybercriminals conducted mass phishing campaigns with Formbook, Agent Tesla, and Remcos malware that incorporated COVID-19 pandemic themes to steal personal data and credentials from businesses and individuals,” the CISA-ACSC advisory said. It added that in the criminal malware industry, including malware as a service (MaaS), developers create malware that malware distributors often broker to malware end-users.

The guidance said that the developers of these top 2021 malware strains continue to support, improve, and distribute their malware over several years. As a result, malware developers benefit from lucrative cyber operations with a low risk of negative consequences. In addition, many malware developers operate from locations with few legal prohibitions against malware development and deployment. Some developers even market their malware products as legitimate cyber security tools.

Commenting on the CISA-ACSC advisory, Satnam Narang, senior staff research engineer at Tenable, said that the guidance highlights the top malware strains being used in attacks for financial gain (banking trojans) and to facilitate ransomware attacks across a variety of industries. “The primary delivery mechanism for most malware strains is malicious emails, either as part of attachments directly within emails or external hyperlinks to download a variety of file types, including ZIP archives and ISO files. These include spearphishing campaigns, one of the primary ways that ransomware affects organisations today,” he added.

“Understanding how these malware strains are delivered can help provide organisations with the knowledge they need to defend against these types of attacks,” Narang said. “There’s no single solution that can prevent these types of attacks, which is why it is increasingly important for organisations to use a multifaceted approach, including end-user awareness and training, using anti-virus and anti-malware solutions and secure email gateways, and requiring multifactor authentication for all accounts within your organisation,” he added.

The CISA-ACSC advisory calls upon critical infrastructure organizations to prepare for and mitigate potential cyber threats immediately by patching all systems, prioritizing known exploited vulnerabilities, and enforcing multifactor authentication (MFA). It also recommended securing and monitoring RDP and other potentially risky services, making offline data backups, and providing end-user awareness and training about social engineering and phishing.
