The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) have published a joint advisory naming the 11 malware families they observed most often in 2021.
The list is made up of malware that has evolved over the past decade, spanning banking trojans, remote access trojans, information stealers, and ransomware delivery tools; several of the strains have been in circulation for more than five years and have spawned multiple variants.
The agencies list the top malware strains of last year as Agent Tesla (information stealer), AZORult (information stealer), Formbook (information stealer), Ursnif (banking trojan), LokiBot (credential-stealing trojan), MOUSEISLAND (macro downloader used to stage ransomware), NanoCore (remote access trojan), Qakbot (multipurpose trojan), Remcos (remote access trojan), TrickBot (multipurpose trojan and ransomware delivery vehicle), and GootLoader (multi-payload malware loader).
The malware on the list is used primarily for financial gain rather than, say, cyber espionage. “The most prolific malware users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information,” notes CISA in the advisory.
Some, like TrickBot, started out as banking trojans but evolved into modular malware and have since acted as access brokers for ransomware groups such as the notorious Conti gang, selling or handing over footholds from their networks of already compromised machines.
CISA also gives an overview of how the malware ecosystem functions and how its developers and operators continue to fund, support and improve their malicious software.
“Many malware developers often operate from locations with few legal prohibitions against malware development and deployment. Some developers even market their malware products as legitimate cyber security tools,” CISA notes.
CISA’s advisory serves as a useful resource with links to official US government technical briefings on each malware strain. For each one it summarises the main capabilities, the year it has been active since, its malware classification, and its delivery method.
TrickBot, at one point the world’s largest botnet, has been active since 2016. In October 2020 Microsoft and its partners attempted a combined technical and legal takedown of it, and the US military’s Cyber Command also reportedly ran an operation against TrickBot that month. CISA additionally warned at the time that TrickBot’s operators were preparing attacks on US healthcare sector organisations. Despite these efforts, CISA notes that TrickBot remained active as of July 2022.
“TrickBot malware is often used to form botnets or enabling initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware,” the advisory states.
“In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Based on information from trusted third parties, TrickBot’s infrastructure is still active in July 2022.”
CISA recommends that organisations keep all systems patched and prioritise patching vulnerabilities listed in its Known Exploited Vulnerabilities (KEV) catalog. It also recommends enforcing multi-factor authentication and securing and monitoring remote desktop protocol (RDP) services, which several of the listed strains use for initial access or lateral movement.
In April CISA published its list of the 15 most routinely exploited vulnerabilities, which included the ProxyShell and ProxyLogon flaws in Microsoft Exchange Server, bugs in virtual private network (VPN) endpoints, and the Log4Shell flaw in Apache Log4j.