Top Malware Strains and How to Mitigate Them

2022 was a year of seismic events, including the Russian-Ukrainian war and economic downturns, as well as the ongoing pandemic. These events had a significant impact on global businesses that were also affected by cybersecurity threats.

The cyber threat landscape was dominated by several high-profile cyberattacks, including the Follina and Log4Shell exploits. These attacks show that threat actors not only keep up with cybersecurity trends but also have the latest technology with which to attack organizations. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre have selected 11 malware families as their top threats. The list includes malware that has evolved over the past 10 years, including banking trojans and remote access trojans. This article discusses each top malware strain, how it may be delivered to your business, and tips for minimizing the risk.

Top Malware Strains

Malware is malicious software that can harm computer systems. Some of the most common strains include:

Agent Tesla

Agent Tesla is a Remote Access Trojan (RAT) that is often delivered via phishing emails or malicious attachments. It is primarily used to steal sensitive information such as login credentials, keystrokes, and system information. The malware is capable of capturing screenshots, recording keystrokes, and stealing clipboard data. It can also disable anti-virus software and create backdoors for further attacks.

AZORult

AZORult is another RAT that is typically delivered through spam emails or as a payload in exploit kits. Once installed on a victim's computer, it can steal sensitive information such as passwords, cookies, and cryptocurrency wallets. It can also download additional malware and act as a backdoor for further attacks.

FormBook

FormBook is a keylogger and data stealer that is primarily delivered through phishing emails or malicious downloads. Once installed on a victim's computer, it can capture keystrokes, take screenshots, and steal sensitive information such as passwords, credit card numbers, and browser history. It is often used in targeted attacks against individuals and businesses.

Ursnif

Ursnif, also known as Gozi, is a banking Trojan typically delivered through spam emails or exploit kits. Once installed, it can steal banking credentials, login credentials, and other sensitive information. It is often used in targeted attacks against financial institutions and their customers.

LokiBot

LokiBot is a password and data stealer that is typically delivered through spam emails or as a payload in exploit kits. It can steal login credentials, credit card numbers, and other sensitive information. It is also capable of downloading additional malware and acting as a backdoor for further attacks.

MOUSEISLAND

MOUSEISLAND is a RAT that is typically delivered through phishing emails or as a payload in exploit kits. It can steal sensitive information such as passwords, login credentials, and system information. It is also capable of downloading additional malware and acting as a backdoor for further attacks.

NanoCore

NanoCore is a RAT that is typically delivered through phishing emails or as a payload in exploit kits. Once installed, it can steal sensitive information such as login credentials, system information, and keystrokes. It is also capable of downloading additional malware and acting as a backdoor for further attacks.

QakBot

QakBot, also known as QBot, is a banking Trojan that is typically delivered through spam emails or exploit kits. It can steal banking credentials, login credentials, and other sensitive information. It is often used in targeted attacks against financial institutions and their customers.

Remcos

Remcos is a RAT that is typically delivered through phishing emails or as a payload in exploit kits. Once installed, it can steal sensitive information such as login credentials, system information, and keystrokes. It is also capable of downloading additional malware and acting as a backdoor for further attacks.

TrickBot

TrickBot is a banking Trojan typically delivered through spam emails or exploit kits. It can steal banking credentials, login credentials, and other sensitive information. It is often used in targeted attacks against financial institutions and their customers.

GootLoader

GootLoader is a downloader that is typically delivered through spam emails or malicious websites. It can download additional malware such as ransomware or banking Trojans. It is often used in targeted attacks against individuals and businesses.

In a 2021 advisory, CISA said, “Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations. The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate the theft of personal and financial information.”

CISA’s Recommended Mitigations

CISA issued recommendations for organizations to improve their cybersecurity posture based on known adversary tactics, techniques, and procedures (TTPs), including:

  • Update software, including operating systems, applications, and firmware, and prioritize patching known exploited vulnerabilities and critical/high-severity vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Consider using a centralized patch management system and vulnerability scanning to reduce exposure to threats.
  • Enforce MFA to the greatest extent possible and require strong passwords for accounts with password logins, including service accounts. Do not allow passwords to be used across multiple accounts or stored on a system accessible to adversaries.
  • Secure and closely monitor potentially risky services such as RDP, as RDP exploitation is a top initial infection vector for ransomware. Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure.
  • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for business purposes.
  • Maintain offline backups of data, conduct backup procedures on a frequent, regular basis (at a minimum every 90 days), and ensure backups are isolated from network connections that could enable the spread of malware.
  • Provide end-user awareness and training to help prevent successful targeted social engineering and spear phishing campaigns, as phishing is one of the top infection vectors for ransomware.
  • Ensure employees are aware of potential cyber threats and delivery methods, and know what to do and whom to contact when they receive a suspected phishing email or suspect a cyber incident.

Increase Cloud Email Attachment and Malware Protection

By preparing yourself properly, you can significantly reduce the cost and impact of an attack. You can also reduce the chances of email threats and minimize any damage caused by implementing stronger cybersecurity best practices. Some of these practices include:

Strengthen Your Email Security Strategy

Many companies think that just having endpoint security is enough to keep their data safe. Endpoint security is a good start, but it can't protect against new threats that are emerging. Businesses must have additional layers of protection in place and experts who can monitor and mitigate issues. This extra protection needs to be able to learn and adapt to new threats, and provide the information and insights needed to make educated decisions.

Protect Email With Sender Authentication

Sender authentication is a way to ensure that the email you receive is actually from the person or company it claims to be from. This helps protect your email account from phishing and email fraud. Sender authentication is implemented via three standards: SPF, DKIM, and DMARC. SPF lets a domain owner publish which mail servers are allowed to send email for that domain, so messages sent from elsewhere under the domain's name can be rejected. DKIM signs outgoing messages so the receiver can check that the email has not been altered or forged in transit. DMARC builds on SPF and DKIM, requiring that whichever check passes is aligned with the visible From: domain, and lets domain owners publish a policy for how receivers should handle mail that fails.
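To make the DMARC logic concrete, here is an added example (not code from the original article) that parses a DMARC record and combines the results of the SPF and DKIM checks with identifier alignment to decide the disposition. The domain names and record strings are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels rather than a Public Suffix List query.

```python
# Minimal DMARC evaluator (added example; simplified organizational-domain logic).
# A receiving mail server has already run SPF and DKIM; DMARC decides whether
# either passing result is aligned with the From: domain and, if not, what the
# domain owner's published policy (p=) asks the receiver to do.

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption for this example: the organizational domain is the last two
    # labels. Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_pass, disposition).

    spf_domain is the envelope MAIL FROM domain that SPF checked; dkim_domain is
    the d= tag of a signature that verified (None when no signature verified).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return True, "none"        # pass: deliver normally
    return False, tags["p"]        # fail: apply the owner's policy (none/quarantine/reject)

# Constructed scenario: SPF passed for a lookalike sender domain, so it is not
# aligned with the From: domain, and no DKIM signature verified.
print(evaluate_dmarc("v=DMARC1; p=reject", "example.com", True, "attacker.net", False, None))
```

The last line reports `(False, 'reject')`: SPF passing for an unrelated domain does not help the message, which is exactly the case DMARC's alignment rule exists to catch.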

Invest in Fully-Managed Email Security Services

Fortifying business email against advanced attacks requires that organizations have a fully-managed email security solution with various layers of proactive protection in place. This solution must be designed to protect against specific threats, provide the level of expertise and support needed to safeguard sensitive data and detect and block threats in real-time. 

Ukraine Suffers Malware Attacks As War Continues

The cyber war between Russia and Ukraine escalated, with the Ukrainian government experiencing a surge in cyberattacks. A recent attack involved the infamous information-stealing malware strain AgentTesla, which was delivered through a lure JPEG thumbnail related to the Russia-Ukraine war. The thumbnail referenced the Operational Command South (OC South), a Ukrainian military formation in the southern part of the country. Once the PPT file containing the malware was opened and the macro enabled, the malware spread to the targeted system, stealing credentials from web browsers and software programs like Microsoft Outlook.

This is not the first time Ukrainian government entities have been targeted with information-stealing malware. The UAC-0041 hacking collective was previously linked to the delivery of the AgentTesla spyware Trojan in earlier malicious operations against Ukraine. The latest attack also comes on the heels of a phishing campaign by the UAC-0056 group, which delivered Cobalt Strike Beacon.

Keep Learning About Malware Strains

Although different malware variants have different methods for spreading and infecting computers, the vast majority of malware is delivered via email. Because email plays a pivotal role in business and society, we are all at risk of getting hit with malware. Luckily, by implementing the tips and best practices shared in this article, you can mitigate the risk that malware poses to your business.