US CISA (Cybersecurity and Infrastructure Security Agency) and ACSC (Australian Cyber Security Centre) issued a joint Cybersecurity Advisory (AA22-216a) in August 2022, highlighting the top malware strains observed in 2021. The objective of this joint advisory is to assist the cybersecurity community in mitigating the risk posed by these malware families. In this blog, we provide information about each top malware strain and how to simulate them, to help the cybersecurity community.
Top Malware List
- Agent Tesla
- AZORult
- FormBook
- Ursnif
- LokiBot
- MOUSEISLAND
- NanoCore
- QakBot
- Remcos
- TrickBot
- GootLoader
2021 Top Malware Strains
Cyber threat actors develop and distribute various types of malware to achieve their malicious objectives. According to CISA, Remote Access Trojans (RATs), information stealers, banking trojans, and macro downloaders were the prevalent malware types observed in 2021. Even though many of these malware strains have been seen in the wild for more than five years, malware developers have been improving and evolving them into new variants. Financially motivated cyber threat groups have adopted these malware strains into their ransomware campaigns.
Since malware is an important cyber attack vector, Picus recommends that organizations test their security posture against malware attacks and mitigate the identified security gaps using the security control validation approach.
1. Agent Tesla
Malware Type: Remote Access Trojan (RAT)
First Seen: 2014
Distribution Method: Phishing
Agent Tesla is a .NET-based RAT and infostealer Trojan used by various threat actors. Its developers have been actively developing, improving, and adding new features, functionalities, encryption, and obfuscation methods since at least 2014.
As an infostealer, Agent Tesla can steal credentials from many applications and data sources. As an example, Lokibot APT group has successfully stolen credentials using the Agent Tesla RAT in their attacks. The credentials are stolen from data sources, such as Windows OS, FTP/SFTP clients, email clients, and web browsers.
Adversaries often use the T1566.001 Spearphishing Attachment technique to distribute the Agent Tesla RAT. In general, the attachment in the phishing email is an obfuscated Rich Text Format (RTF) file that exploits a very well-known vulnerability (CVE-2017-11882) to deliver the spyware. Even though Microsoft patched this vulnerability in 2017, it is still widely used by hackers.
In the analysis of one of these phishing emails, researchers found a tricky technique that attackers use to bypass the security controls. In the figure below, you can see how the attackers leveraged the “\objupdate” control word.
Figure 1. AntiVM Check Done by Agent Tesla RAT [1].
With this control word, the objects within the RTF file do not require the victim to interact with them in order to be updated; in other words, the embedded objects are loaded without the victim clicking on them. Because attackers combine Object Linking and Embedding (OLE) with many other control words, some of which are unknown to parsers, and because parsers ignore what they do not recognize, the malicious file goes undetected by the security controls.
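To show how a defender can look for the control-word trick described above, here is an added example (not code from the original post or from Picus) of a small RTF control-word scanner in Python. It tokenizes the control words of a document, flags embedded OLE objects that carry \objupdate, flags the Equation.3 object class used by Equation Editor exploits of the CVE-2017-11882 family, and counts control words it does not recognize, since obfuscated RTF tends to be padded with unknown words that parsers skip. The allow-list of known control words and both sample documents are constructed for the example and are deliberately short.

```python
import re
from dataclasses import dataclass, field

# RTF control words involved in embedding OLE objects. \objupdate asks the
# reader to update (load) the object when the document is opened, which is
# the behaviour described above.
OLE_CONTROL_WORDS = {"object", "objemb", "objdata", "objclass", "objupdate"}

# Short allow-list of ordinary control words so the scanner can count the ones
# it does not recognise. Constructed for this example; a production scanner
# would carry the full control-word list from the RTF specification.
KNOWN_CONTROL_WORDS = {
    "rtf", "ansi", "ansicpg", "deff", "deflang", "fonttbl", "f", "fnil",
    "fcharset", "colortbl", "red", "green", "blue", "pard", "par", "plain",
    "fs", "b", "i", "ul", "qc", "ql", "sa", "sb", "lang", "viewkind", "uc",
    "cf", "sl", "slmult", "tab", "line", "bin",
} | OLE_CONTROL_WORDS

# A control word is a backslash, letters, an optional signed number and an
# optional single space that terminates it. Control symbols (\*, \', \{ ...)
# are deliberately not matched.
CONTROL_WORD_RE = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?")
# Object class used by Equation Editor exploits such as CVE-2017-11882.
EQUATION_CLASS_RE = re.compile(rb"\\objclass\s*Equation\.3\b")


@dataclass
class RtfScanResult:
    ole_object: bool = False          # an OLE object is embedded
    auto_update: bool = False         # \objupdate forces it to load on open
    equation_editor: bool = False     # object class Equation.3
    unknown_control_words: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A normal word-processor document does not ship an auto-updating or
        # Equation Editor OLE object; either one is worth a closer look.
        return self.ole_object and (self.auto_update or self.equation_editor)


def scan_rtf(data: bytes) -> RtfScanResult:
    """Tokenise the control words of an RTF file and flag OLE abuse."""
    # Word accepts truncated headers such as {\rt, so only that prefix is checked.
    if not data.startswith(b"{\\rt"):
        raise ValueError("not an RTF document")
    result = RtfScanResult()
    for match in CONTROL_WORD_RE.finditer(data):
        word = match.group(1).decode("ascii")
        if word in OLE_CONTROL_WORDS:
            result.ole_object = True
        if word == "objupdate":
            result.auto_update = True
        if word not in KNOWN_CONTROL_WORDS and word not in result.unknown_control_words:
            result.unknown_control_words.append(word)
    if EQUATION_CLASS_RE.search(data):
        result.equation_editor = True
    return result


# Constructed samples: one document carrying an auto-updating Equation Editor
# object plus a made-up control word, and one plain benign document.
MALICIOUS_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Calibri;}}"
    b"\\pard\\fs22 Invoice attached.\\par"
    b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000}}"
    b"\\zzqx123 }"
)
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Calibri;}}"
    b"\\pard\\fs22 Hello.\\par}"
)

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(sample))
```

The scanner works on raw bytes so it can be dropped in front of a mail gateway or sandbox queue; the unknown-word list is the useful triage signal, because a document from a real word processor rarely contains control words that a spec-based allow-list has never seen.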
It is known that Agent Tesla goes through 4 layers of unpacking.
- Obfuscated RTF File
- The Executable Agent Tesla Payload
- First DLL payload
- Final DLL payload
What is worth mentioning is that, between some of these steps, a couple of techniques are performed to evade detection and impede analysis. Below, you can see how the first DLL payload performs anti-VM and anti-sandbox checks before it retrieves the final DLL. If the anti-VM and anti-Sandboxie checks return true, the payload stops the process and does not deliver the next stage.
Figure 2. AntiVM Check Done by Agent Tesla RAT [1].
Picus Threat Library includes the following attack simulations for Agent Tesla malware attacks.
Threat ID | Action Name | Attack Module
28170 | Agent Tesla Dropper Download Threat | Network Infiltration
68974 | Agent Tesla Dropper Email Threat | Email Infiltration (Phishing)
66004 | Agent Tesla Trojan Download Threat | Network Infiltration
36426 | Agent Tesla Trojan Email Threat | Email Infiltration (Phishing)
52678 | Agent Tesla Keylogger Dropper Download Threat | Network Infiltration
23589 | Agent Tesla Keylogger Dropper Email Threat | Email Infiltration (Phishing)
2. AZORult
Malware Type: Infostealer Trojan
First Seen: 2016
Distribution Method: Phishing, Drive-by Compromise, Exploit Kits, Dropper
AZORult is an infostealer Trojan used to steal information such as browser data, cryptocurrency information, and user credentials from compromised endpoints. AZORult is commercial malware; in other words, its developers have constantly been updating it and selling it on underground hacker forums and dark web markets.
AZORult has been observed in the wild dating back to 2016, and it is known for its use in a spearphishing campaign against targets in North America in July 2018. Adversaries gain initial access through phishing emails, infected websites, exploit kits, etc. After the initial infection, AZORult drops itself into the "C:\Users\MalWorkstation\AppData\Local\Temp\" folder under a random-looking name, Xzegdxbuoconsoleapp3.exe. (The reader needs to keep in mind that filenames are not fixed and are prone to change over time.) WScript.exe then runs Xzegdxbuoconsoleapp3.exe from the Temp folder via a VBScript.
Further analysis shows that the AZORult file contains a “Resources” folder containing an encrypted file called Srpccwbxdhrzif. This malicious file is encrypted using the Triple DES (3DES) algorithm in ECB cipher mode [2]. Below, you can find the piece of source code that shows the 3DES implementation used for Srpccwbxdhrzif.
Figure 3. Source Code of Srpccwbxdhrzif [2]
This malicious file decrypts itself in memory as a Srpccwbxdhrzif.dll (a 32-bit .NET-based DLL file) using the hardcoded key within the main malware.
The code used to maintain communication between the infected host and the command and control (C2) server lies within the Srpccwbxdhrzif.dll file. Xzegdxbuoconsoleapp3.exe also drops supporting DLL files. The following cleanup command ends the running process (taskkill), erases the dropped executable from the Temp folder, and removes the working directory under ProgramData before exiting:
"C:\Windows\System32\cmd.exe" /c taskkill /pid 3260 & erase C:\Users\MalWorkstation\AppData\Local\Temp\Xzegdxbuoconsoleapp3.exe & RD /S /Q C:\\ProgramData\\551457362933425\\* & exit
The following AZORult malware attacks are included in the Picus Threat Library.
Threat ID | Action Name | Attack Module
94117 | AZORult Trojan Email Threat | Email Infiltration (Phishing)
90560 | AZORult 3.3 Trojan Email Threat | Email Infiltration (Phishing)
43326 | AZORult Trojan Download Threat | Network Infiltration
83528 | AZORult 3.3 Trojan Download Threat | Network Infiltration
3. FormBook
Malware Type: Infostealer Trojan
First Seen: 2016
Distribution Method: Phishing
FormBook is infostealer malware that has been advertised on underground hacker forums and dark web markets as Malware-as-a-Service. Its developers constantly update it to exploit the latest remote code execution vulnerabilities, such as CVE-2021-40444 (Microsoft MSHTML Remote Code Execution Vulnerability).
It is primarily known for affecting 4% of organizations worldwide and becoming one of the top three trending malware families in 2020. It is assumed to be the predecessor of the XLoader malware. Due to its infostealer nature, FormBook monitors keystrokes, harvests browser and email client credentials, drops files, and downloads and executes stealthier malware from the C2 server. Initial access is mainly performed through a phishing email containing a malicious attachment with a common extension such as pdf, pps, doc, exe, zip, or rar.
Figure 4. The Phishing Email Sent to Deliver the FormBook Trojan [3].
FormBook is used in many large-scale campaigns targeting particular industries like defense and aerospace. In 2022, during the war between Russia and Ukraine, many Ukrainian targets were attacked by cyber threat actors using the FormBook malware.
Picus Threat Library includes the following FormBook malware threats for attack simulation.
Threat ID | Action Name | Attack Module
88035 | Formbook Infostealer Campaign 2019 | Endpoint Attack Scenario
55797 | FormBook Downloader Download Threat | Network Infiltration
43385 | FormBook Downloader Email Threat | Email Infiltration (Phishing)
52361 | Formbook Infostealer Malware Download Threat | Network Infiltration
48065 | Formbook Infostealer Malware Email Threat | Email Infiltration (Phishing)
4. Ursnif
Malware Type: Banking Trojan
First Seen: 2007
Distribution Method: Phishing
Ursnif, also known as Gozi, is one of the most widely used banking Trojans that steal financial information. In 2015, its source code was leaked on GitHub. Since the code is accessible online, other malware developers and cyber threat actors update and improve Ursnif by adding new features such as persistence mechanisms and methods to avoid sandboxes and virtual machines. According to third-party information, its infrastructure is still active as of July 2022.
Initial access is usually performed via a phishing mail with a macro-enabled XML attachment. The content of this XML is often related to the shipping company DHL. Again, the reader needs to keep in mind that the content of the phishing emails and attachments can change at any time.
Once the victim enables the macro, it downloads and executes a malicious binary using the URL embedded within the malicious XML file.
Figure 5. Enable Content Warning in the Malicious XML File
After the malicious binary is executed, it retrieves a handle to the explorer.exe process and calls UpdateProcThreadAttribute, a function that updates the specified attribute in a list of attributes for process and thread creation [4], to perform parent PID (PPID) spoofing. Below, you can see how the dropped malware (1440.exe) spoofs its parent process as explorer.exe to disguise itself under a legitimate process and bypass security controls.
Figure 6. PPID Spoofing Done by the Ursnif Banking Trojan [5].
Like Agent Tesla, Ursnif loader performs multiple layers of unpacking that happens in memory. It uses the Asynchronous Procedure Call process injection technique to execute arbitrary code within another thread of a current process. Once the final loader gets in control, it decrypts the particular section within the malware containing required configuration details (string formats used to send data to C2 server, PowerShell commands, API names, libraries, etc.) for further actions.
Picus Threat Library includes the following attack simulations for Ursnif malware attacks.
Threat ID | Action Name | Attack Module
99137 | Ursnif Banking Malware Campaign 2020 | Endpoint Attack Scenario
46405 | Ursnif Banking Malware Download Threat | Network Infiltration
98606 | Ursnif Banking Malware Email Threat | Email Infiltration (Phishing)
5. LokiBot
Malware Type: Infostealer Trojan
First Seen: 2015
Distribution Method: Phishing
LokiBot is an infostealer malware that was first developed in 2015. Even though it is not brand-new malware, it is still quite popular among malicious adversaries today. LokiBot is mainly used for harvesting user credentials, cryptocurrency wallets, etc. It is known that LokiBot malware steals credentials using a keylogger to monitor browser and desktop activity.
In 2020, a new variant of LokiBot was disguised as a popular game launcher for the Fortnite multiplayer video game. LokiBot presented itself as an installer for the Epic Games Store, the publisher of Fortnite. After the victim downloads the installer, two files (C# source code and a .NET executable) are dropped on the host. In the last stage, LokiBot is downloaded and installed.
Attackers generally use LokiBot to target Android and Windows operating systems, and initial access is done via phishing emails, private messages, malicious websites, texts, etc.
Picus Threat Library includes the following attack simulations for LokiBot malware attacks.
Threat ID | Action Name | Attack Module
65820 | Loki Bot Infostealer Download Threat | Network Infiltration
37836 | Loki Bot Infostealer Email Threat | Email Infiltration (Phishing)
6. MOUSEISLAND
Malware Type: Macro Downloader
First Seen: 2019
Distribution Method: Phishing
MOUSEISLAND is a Microsoft Word macro downloader. It is usually delivered embedded within an innocent-looking Microsoft Word document or a password-protected zip with a how-to-open instruction file attached to a phishing email.
Figure 7. MOUSEISLAND Phishing Email
MOUSEISLAND malware is considered the initial phase of a ransomware attack, as it downloads other types of malware and payloads. For instance, after the victim opens the password-protected file (the password is provided in the email body), the macros embedded within the MOUSEISLAND document download the PHOTOLOADER malware. PHOTOLOADER has been observed to act as an intermediate dropper, as it downloads and decrypts ICEDID, which creates a backdoor on the victim host.
7. NanoCore
Malware Type: Remote Access Trojan
First Seen: 2013
Distribution Method: Phishing
NanoCore is an infostealer trojan that provides attackers with details about the target OS and the device name. Using this information, attackers can carry out many malicious activities, such as stealing login credentials, hijacking the webcam and microphone to spy on the victim, and manipulating configuration files.
NanoCore can gain initial access via multiple methods. In many cases, a malicious RTF file attachment is sent to the victim's Outlook mailbox. For instance, in 2015, targeted email addresses at energy companies in Asia and the Middle East received a spoofed email. The email looked legitimate, coming from a spoofed address of a South Korean oil company.
Once victims downloaded the malicious RTF attachment, the NanoCore trojan was dropped on their system without being detected on the endpoint devices. After gaining initial access to the target system, the attackers stole Office 365 user credentials using a keylogger in order to reach sensitive financial data. This sensitive information was then moved to remote servers owned by the attackers. In the final stage, the attackers demanded a ransom to return the stolen Office 365 data.
Email attachments can come in many forms, like MS Office documents. PowerPoint is mainly used to drop NanoCore RAT by the attackers. Moreover, ZIP file structures and ISO files are also used by attackers to bypass the email gateways.
Figure 8. Phishing Mail with a Malicious PowerPoint Attachment [6]
Picus Threat Library includes the following NanoCore malware attack simulations.
Threat ID | Action Name | Attack Module
87504 | NanoCore RAT Download Threat | Network Infiltration
75196 | NanoCore RAT Email Threat | Email Infiltration (Phishing)
8. QakBot
Malware Type: Banking Trojan
First Seen: 2007
Distribution Method: Phishing
QakBot, also known as QBot and QuackBot, was first discovered in 2007. Even though it was initially designed as a banking trojan, its developers have continuously maintained and updated it for over a decade. Its primary purpose is to steal banking credentials such as logins and passwords, but credential theft is not its only functionality. QakBot has evolved capabilities such as reconnaissance and spying on financial operations, lateral movement and self-propagation to many other endpoints, data exfiltration, and installing payloads on compromised systems. QakBot uses the following command to run Xertis.dll as the SYSTEM user (/RU "NT AUTHORITY\SYSTEM") through regsvr32.exe in silent mode (-s) within a specified time window (/ST 23:45 /ET 23:57), and to delete the scheduled task once that window has passed (the /Z parameter). QakBot uses this command for defense evasion.
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn wxhfetombc /tr "regsvr32.exe -s \"C:\Users\user01\Xertis.dll\"" /SC ONCE /Z /ST 23:45 /ET 23:57
In recent years, it has been used as a Malware-as-a-Service botnet in many of today's most widespread and damaging ransomware campaigns. QakBot gets its initial access through an email with a malicious attachment, embedded images, or hyperlinks.
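Both the AZORult cleanup command shown earlier (taskkill, erase and RD /S /Q chained through cmd.exe) and the QakBot scheduled-task command above are visible to a defender as a single process-creation event. The following added Python example (not code from the original post or from Picus) runs two detection rules over constructed process-creation events: one for the self-delete chain on temp paths, and one that parses the schtasks.exe arguments and scores the traits the QakBot command combines (SYSTEM run-as, silent regsvr32 DLL load, DLL under a user profile, /Z self-deletion, and a one-shot window of a few minutes). The event shape, the thresholds and the benign backup task are assumptions made for the example; the two malicious command lines are the ones quoted on this page.

```python
import re
from typing import Optional

# Constructed process-creation events in the shape a parsed Sysmon/EDR feed
# would deliver. The first two command lines are the AZORult cleanup command
# and the QakBot scheduled-task command quoted on this page; the third is a
# benign backup task added for contrast.
EVENTS = [
    {
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 3260 & erase '
                        r"C:\Users\MalWorkstation\AppData\Local\Temp\Xzegdxbuoconsoleapp3.exe "
                        r"& RD /S /Q C:\\ProgramData\\551457362933425\\* & exit",
    },
    {
        "image": r"C:\Windows\system32\schtasks.exe",
        "command_line": r'"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" '
                        r'/tn wxhfetombc /tr "regsvr32.exe -s \"C:\Users\user01\Xertis.dll\"" '
                        r"/SC ONCE /Z /ST 23:45 /ET 23:57",
    },
    {
        "image": r"C:\Windows\system32\schtasks.exe",
        "command_line": r'"C:\Windows\system32\schtasks.exe" /Create /tn BackupNightly '
                        r'/tr "C:\Program Files\Backup\backup.exe" /SC DAILY /ST 02:00',
    },
]

# Rule 1: cmd.exe chain that kills a process, erases a file and removes a
# directory tree under a temp location, i.e. malware cleaning up after itself.
SELF_DELETE_RE = re.compile(r"\btaskkill\b.*\b(?:erase|del)\b.*\b(?:rd|rmdir)\s+/s\s+/q\b", re.I)
TEMP_PATH_RE = re.compile(r"\\appdata\\local\\temp\\|\\programdata\\", re.I)


def is_self_delete_chain(event: dict) -> bool:
    cmd = event["command_line"]
    return (event["image"].lower().endswith("\\cmd.exe")
            and SELF_DELETE_RE.search(cmd) is not None
            and TEMP_PATH_RE.search(cmd) is not None)


# Rule 2: schtasks /Create carrying the traits of the QakBot command above.
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?(?:nt authority\\)?system"?', re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+"((?:[^"\\]|\\.)*)"', re.I)   # tolerates \" inside
DELETE_AFTER_RUN_RE = re.compile(r"(?:^|\s)/z(?:\s|$)", re.I)
TIME_RE = re.compile(r"/(st|et)\s+(\d{1,2}):(\d{2})", re.I)
SILENT_REGSVR32_RE = re.compile(r"regsvr32(?:\.exe)?\s+[-/]s\b", re.I)
USER_PROFILE_DLL_RE = re.compile(r"\\users\\.*\.dll", re.I)


def analyze_schtasks(event: dict) -> Optional[list]:
    """Return the suspicious traits of a task-creation command, or None if it is not one."""
    cmd = event["command_line"]
    if not event["image"].lower().endswith("\\schtasks.exe") or "/create" not in cmd.lower():
        return None
    action_match = TASK_ACTION_RE.search(cmd)
    action = action_match.group(1) if action_match else ""
    minutes = {k.lower(): int(h) * 60 + int(m) for k, h, m in TIME_RE.findall(cmd)}
    window = minutes["et"] - minutes["st"] if {"st", "et"} <= set(minutes) else None
    traits = []
    if RUN_AS_SYSTEM_RE.search(cmd):
        traits.append("runs as NT AUTHORITY\\SYSTEM")
    if SILENT_REGSVR32_RE.search(action):
        traits.append("action is a silent regsvr32 DLL load")
    if USER_PROFILE_DLL_RE.search(action):
        traits.append("DLL lives under a user profile")
    if DELETE_AFTER_RUN_RE.search(cmd):
        traits.append("task deletes itself after running (/Z)")
    if window is not None and 0 <= window <= 30:
        traits.append(f"one-shot run window of only {window} minutes")
    return traits


def triage(events: list) -> list:
    """Return (event index, rule name, details) for every event that fires a rule."""
    alerts = []
    for index, event in enumerate(events):
        if is_self_delete_chain(event):
            alerts.append((index, "self-delete cleanup chain",
                           ["taskkill + erase + rd /s /q on temp paths"]))
        traits = analyze_schtasks(event)
        # A threshold of three traits (an assumption for this example) keeps
        # ordinary SYSTEM tasks created by installers from alerting.
        if traits and len(traits) >= 3:
            alerts.append((index, "suspicious scheduled task", traits))
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

The schtasks rule deliberately scores traits rather than matching the exact command line, because the task name, DLL name and time window change from sample to sample while the combination of SYSTEM, regsvr32 -s, a user-profile DLL and /Z does not.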
Picus Threat Library includes the following attack simulations for QakBot malware attacks.
Threat ID | Action Name | Attack Module
98558 | Qbot Malware Campaign 2021 | Endpoint Attack Scenario
82572 | Qbot / Qakbot Trojan Download Threat | Network Infiltration
25753 | Qbot / Qakbot Trojan Email Threat | Email Infiltration (Phishing)
91678 | QakBot Banking Trojan Downloader Download Threat | Network Infiltration
76711 | QakBot Banking Trojan Downloader Email Threat | Email Infiltration (Phishing)
9. Remcos
Malware Type: Remote Access Trojan
First Seen: 2016
Distribution Method: Phishing
Remcos (an abbreviation for Remote Control and Surveillance) is a sophisticated remote access trojan marketed as legitimate software for penetration testing and remote management of Windows systems. In practice, however, it gives attackers full control of Windows machines from XP to newer versions.
It was used in mass phishing campaigns during the COVID-19 pandemic. Victims received a CoronaVirus-themed phishing email with an innocent-looking PDF containing CoronaVirus safety guidelines. Unfortunately, a malicious Remcos RAT executable and a VBS file responsible for executing the malware were embedded within the PDF.
Once the initial access is completed and the backdoor is installed onto the target system, it collects OS, user, and process information to send it to a remote server owned by the attackers. It is known that attackers use the Remcos backdoor to run commands and perform privilege escalation by injecting the malware into legitimate Windows processes to bypass antivirus products.
Figure 9. Phishing Mail with a Malicious CoronaVirus-themed PDF Attachment [7].
Picus Threat Library includes the following Remcos malware attack simulations.
Threat ID | Action Name | Attack Module
45014 | Remcos Downloader Download Threat | Network Infiltration
73493 | Remcos Downloader Email Threat | Email Infiltration (Phishing)
97606 | Remcos RAT Download Threat | Network Infiltration
51911 | Remcos RAT Email Threat | Email Infiltration (Phishing)
10. TrickBot
Malware Type: Banking Trojan
First Seen: 2016
Distribution Method: Phishing
TrickBot, also known as TrickLoader, is a banking trojan that targets financial services and businesses to steal banking information, consumer data, user credentials, and personally identifiable information (PII). The reader should not see TrickBot as a simple credential stealer, as it contains sophisticated functionalities. TrickBot can be used to drop other malware such as Ryuk, to move laterally and gain a foothold within the target network using known exploits (generally SMB exploits such as EternalBlue, EternalRomance, or EternalChampion), and to discover documents and media files on the compromised host.
TrickBot gets its initial access through embedded links or emails with malicious attachments. In some cases, the infected email has a tax-themed context. In recent years, adversaries have been known to target specific users, such as Outlook or T-Mobile users. The developers even added an Outlook module within the malware to harvest user credentials.
For instance, in 2020, adversaries used TrickBot malware to target the Healthcare and Public Health (HPH) Sector to launch ransomware attacks or even to disrupt healthcare services. It is known that TrickBot’s infrastructure is still active in July 2022.
Picus Threat Library includes the following attack simulations for TrickBot malware attacks.
Threat ID | Action Name | Attack Module
35849 | Trickbot Dropping Cobalt Strike Campaign 2021 | Endpoint Attack Scenario
62932 | Trickbot Malware Campaign 2020 | Endpoint Attack Scenario
72707 | Trickbot Targeting HPH Sector Campaign 2020 | Endpoint Attack Scenario
34148 | TrickBot Ransomware Download Threat | Network Infiltration
55548 | TrickBot Ransomware Email Threat | Email Infiltration (Phishing)
11. GootLoader
Malware Type: Remote Access Trojan
First Seen: 2020
Distribution Method: Drive-by Compromise
GootLoader is, as its name suggests, a malware loader. It is used for initial access to download other malware such as the GootKit RAT, and it is known to be a precursor to other threats such as the Cobalt Strike red-team tool and the REvil ransomware.
For initial access, adversaries perform search engine poisoning. The flow of the search engine poisoning attack is given below [8].
- SEO Poisoning: The developers of GootLoader create web pages that rank highly in search engines like Google.
- Leading to the Landing Page: Victims searching for a specific document or template are led to this “fake” but highly ranked web page, which is the GootLoader landing page.
- Directing to the Fake Forum: On this landing page, victims are presented with a fake forum page containing a link to the document they were looking for.
- Downloading the .zip File: The victim clicks on this link, and a .zip file is downloaded to their system.
- Executing the JavaScript Code: The victim opens the malicious JavaScript file, which is masqueraded as the document they wanted to download but carries a .js extension. Once the user double-clicks the file, the .js code is executed.
- Execution of the GootLoader: Windows executes the .js file using the Windows Script Host process, which leads to the execution of GootLoader.
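The last two steps of the chain above leave a characteristic trace on the endpoint: a script host (wscript.exe or cscript.exe) started by explorer.exe, running a .js file that sits in the user's Downloads folder or in the temporary folder Explorer uses when a file is opened straight out of a ZIP. The following added Python example (not code from the original post or from Picus) classifies constructed process-creation events against that pattern. The event shape, the two-trait threshold and the sample file names are assumptions made for the example.

```python
import re

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# Path of the script argument: either quoted or an unquoted run of non-spaces,
# ending in .js or .jse (the extensions the script host runs as JScript).
SCRIPT_PATH_RE = re.compile(r'"([^"]+?\.(?:js|jse))"|(\S+\.(?:js|jse))\b', re.I)
# Folder Explorer uses when a file inside a ZIP is opened without extracting it.
ZIP_VIEW_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\temp1_[^\\]+\.zip\\", re.I)

# Constructed events in the shape a parsed Sysmon/EDR feed would deliver.
EVENTS = [
    {  # the GootLoader delivery chain from the list above
        "image": r"C:\Windows\System32\WScript.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'"C:\Windows\System32\WScript.exe" '
                        r'"C:\Users\alice\AppData\Local\Temp\Temp1_agreement_template.zip\agreement_template.js"',
    },
    {  # a scheduled maintenance script; no alert expected
        "image": r"C:\Windows\System32\cscript.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"cscript.exe //nologo C:\Scripts\inventory.js",
    },
]


def extract_script_path(command_line: str):
    """Return the .js/.jse path passed to the script host, or None."""
    m = SCRIPT_PATH_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def classify(event: dict) -> dict:
    """Score one process-creation event for the GootLoader delivery pattern."""
    image = event["image"].lower()
    result = {"alert": False, "script": None, "reasons": []}
    if not image.endswith(SCRIPT_HOSTS):
        return result
    script = extract_script_path(event["command_line"])
    if script is None:
        return result
    result["script"] = script
    if event.get("parent_image", "").lower().endswith("\\explorer.exe"):
        result["reasons"].append("script host started by explorer.exe (double-click)")
    if ZIP_VIEW_TEMP_RE.search(script):
        result["reasons"].append("script opened directly from a ZIP archive")
    if "\\downloads\\" in script.lower():
        result["reasons"].append("script stored in the user's Downloads folder")
    # Two or more traits (an assumption for this example) marks the event.
    result["alert"] = len(result["reasons"]) >= 2
    return result


if __name__ == "__main__":
    for event in EVENTS:
        print(classify(event))
```

Beyond detection, the usual hardening step against this delivery chain is to change the default handler for .js and .jse files on user workstations so that a double-click opens the file in an editor instead of the Windows Script Host; the detection above then catches the cases where that policy has not reached a machine.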
Picus Threat Library includes the following GootLoader malware attack simulations.
Threat ID | Action Name | Attack Module
61760 | GootLoader Loader Download Threat | Network Infiltration
93761 | GootLoader Loader Email Threat | Email Infiltration (Phishing)
References
[1] https://www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work
[2] https://blog.cyble.com/2021/10/26/a-deep-dive-analysis-of-azorult-stealer/
[6] https://spanning.com/blog/nanocore-rat-malware-of-the-month/
[8] https://www.esentire.com/security-advisories/increase-in-gootloader-malware