IT security: most widespread malware strains in 2021

The Australian Cyber ​​Security Center and the US IT security authority CISA have published a list of the most common malware strains in 2021. Most malware falls into the categories of remote access trojans (RATs), banking trojans, information stealers and ransomware.

According to the authorities, most strains have been in use for more than five years, with their code base evolving in several variations. The most “prolific” were cybercriminals who use the malware to deliver ransomware or steal personal and financial information.

The most widespread malware

The IT security experts found Agent Tesla, AZORult, Formbook, GootLoader, LokiBot, Mouseisland, NanoCore, Qakbot, Remcos, TrickBot and Ursnif malware strains most frequently. Of these, Qakbot and Ursnif have been active for over a decade, and with the exception of GootLoader and Mouseisland, the other malware strains have been encountered for at least five years.

The malware programmers developed the malicious code further and thus achieved longevity. However, reusing old code from known malware strains makes it easier for organizations to be better prepared to detect and defend against malware attacks.

Different goals

QakBot and TrickBot are used to build botnets and are developed and operated by Eurasian cybercriminals. They are known to use and sell the botnet-based accesses to carry out highly lucrative ransomware attacks. The Eurasian masterminds enjoyed the permissive environments of Russia and other former Soviet republics.

According to US official reports, the TrickBot malware often opens initial access for Conti ransomware. This was used in around 450 global ransomware attacks in the first half of 2021.

With Agent Tesla, Formbook and Remcos, cybercriminals would also have launched large-scale phishing campaigns in 2021 using the COVID-19 pandemic as a hook. They wanted to steal personal data and access data from companies and individuals.

Low risk of consequences

The malware creators benefited from lucrative cyber operations with low risk of negative consequences. Many operate from locations where there are few legal prohibitions against malware development and distribution. Some even market their malware as legitimate cyber security tools.

The programmers of Agent Tesla and Remcos would offer the malware as legitimate remote administration and pentesting tools. Malicious cyber actors purchase the malware online for cheap and have been observed using the tools for malicious purposes.

In their joint security notification, the cyber security authorities list details on the individual malware families and finally provide information on protection against infestation. The usual tips can be found here: Install updates quickly, use multi-factor authentication, constantly monitor them for anomalies when using risky services such as RDP, keep offline backups of the data and train employees.