Protecting your business from the top malware

Published on 09/08/2022 | Written by Heather Wright


They’re not new, but they’re evolving…

Malware that has been in circulation for more than five years makes up most of the top malware observed last year – with two trojans in use for more than a decade.

“Updates and reuse of code contribute to the malware’s longevity and evolution into multiple variations.”

According to the newly released (albeit somewhat late) joint advisory from the Australian Cyber Security Centre and the United States Cybersecurity and Infrastructure Security Agency, remote access trojans, banking trojans, information stealers and ransomware topped the list, which names 11 malware strains and includes plenty of familiar names. 

“Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations,” the report notes.

Malicious cyber actors have used Agent Tesla, AZORult, Formbook, LokiBot, NanoCore, Remcos, and TrickBot for at least five years and Qakbot and Ursnif for more than a decade, the agencies note. 

Qakbot, also known as Qbot or Pinksliplot, was originally observed back in 2007 as a banking trojan but has since evolved with new capabilities to include reconnaissance, lateral movement in networks, exfiltration, and payload delivery.

“Updates made by malware developers, and reuse of code from these malware strains, contribute to the malware’s longevity and evolution into multiple variations,” the advisory says.

The 11 malware strains singled out in the report are Agent Tesla, AZORult, FormBook, Ursnif, LokiBot, Mouseisland, NanoCore, Qakbot, Remcos, TrickBot and GootLoader.

Mouseisland and GootLoader are the only two ‘newcomers’.

Mouseisland is usually found in the embedded macros in Microsoft Word documents and can download other payloads. It’s been in circulation since at least 2019 and can be the initial phase of a ransomware attack.

GootLoader has been around since at least 2020 and, as its name suggests, is a malware loader historically associated with the GootKit malware. It has now evolved from a loader downloading malicious payloads into a multi-payload malware platform and it is usually the first stage of a system compromise, the advisory says.

“By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results.”

Often employed by Eurasian cybercriminals ‘enjoying the permissive operating environments in Russia and other former Soviet republics’, Qakbot and TrickBot are used to form botnets that launch or facilitate ransomware attacks.

The report notes TrickBot malware often enables initial access for Conti ransomware, which was used in nearly 450 global ransomware attacks in the first half of 2021. 

“As of 2020, malicious cyber actors have purchased access to systems compromised by TrickBot malware on multiple occasions to conduct cybercrime operations.”

Formbook, Agent Tesla and Remcos were harnessed in 2021 for widespread phishing campaigns incorporating Covid-19 themes to steal personal data and credentials from businesses and individuals. 

Nine of the 11 – Agent Tesla, FormBook, Ursnif, LokiBot, MouseIsland, NanoCore, Qakbot, Remcos, TrickBot – are often delivered via email, whether as phishing emails or as attachments, hyperlinks, embedded images or an ISO disk image within a Zip file. That highlights that email remains the number one attack vector, and the critical need for organisations to protect against the human factor.
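The delivery wrappers named above (an ISO disk image inside a Zip file, a macro-enabled Office document such as the Word files MouseIsland hides in) are the kind of thing a mail gateway or triage script can flag before a user ever opens them. The Python below is an added example written for this article, not code from the advisory or from any vendor. It inspects a Zip attachment member by member, recognises an ISO 9660 image by its `CD001` volume descriptor signature rather than trusting the file extension, and recognises an OOXML document carrying a VBA project by the `vbaProject.bin` part inside the package. The sample attachment it builds is constructed here for the demonstration and contains only those markers, no real payload.

```python
import io
import os
import zipfile

# Wrappers the advisory describes as common e-mail delivery mechanisms.
DISK_IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}
MACRO_OFFICE_EXTENSIONS = {".docm", ".xlsm", ".pptm"}   # macro-enabled OOXML

ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor signature
ISO_MAGIC_OFFSET = 0x8001   # first volume descriptor: sector 16, byte 1


def looks_like_iso(data: bytes) -> bool:
    """True when the bytes carry an ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def ooxml_has_vba(data: bytes) -> bool:
    """True when an OOXML package (docx/docm/xlsm...) embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False        # not an OOXML package at all


def triage_zip_attachment(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Walk a Zip attachment and return (member_name, reason) findings.

    Both the extension and the member's content are checked, so a renamed
    disk image (e.g. 'invoice.txt') is still reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            data = archive.read(info)
            if looks_like_iso(data):
                findings.append((name, "ISO 9660 disk image inside Zip"))
            elif ext in DISK_IMAGE_EXTENSIONS:
                findings.append((name, "disk-image extension inside Zip"))
            if ext in MACRO_OFFICE_EXTENSIONS or ooxml_has_vba(data):
                findings.append((name, "Office document with VBA macro project"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real malicious file): a Zip holding a minimal
    ISO image renamed to .txt, a macro-enabled Word document and a plain text file."""
    iso = bytearray(ISO_MAGIC_OFFSET + 16)            # empty image, signature only
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC

    doc_buf = io.BytesIO()
    with zipfile.ZipFile(doc_buf, "w") as doc:       # skeleton OOXML package
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        doc.writestr("word/vbaProject.bin", b"\x00" * 16)

    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("invoice.txt", bytes(iso))         # renamed ISO
        z.writestr("Remittance.docm", doc_buf.getvalue())
        z.writestr("README.txt", "plain text, nothing to see")
    return out.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip_attachment(build_sample_attachment()):
        print(f"{member}: {reason}")
```

Checking content rather than extension is the point: the ISO in the sample is named `invoice.txt` and is still reported, while the harmless `README.txt` is not. In production the same function would sit behind whatever pulls attachments off the mail flow, and a hit would route the message to quarantine rather than the user.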

Cybersecurity vendor Tenable noted the overlap between the malware list and a list of the most exploited vulnerabilities of 2021.

An April report from CISA, ACSC, the New Zealand National Cyber Security Centre and several other agencies noted 36 frequently exploited vulnerabilities. Four of them are represented in malware on the list, with two more released after the relevant time frame. 

“The continued exploitation is troubling evidence that organisations are leaving these flaws unremediated,” Tenable says.

Indeed, patching, and other basic cyber hygiene methods, top the list of mitigations according to CISA and ACSC. 

They recommend:

Keeping software updated, including operating systems, applications and firmware, and prioritising patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution and denial of service on internet-facing equipment. 

Enforcing MFA ‘to the greatest extent possible’ and requiring strong passwords. Don’t allow passwords to be used across multiple accounts or stored on a system potentially accessible to attackers.

Securing and monitoring any remote desktop protocol instances – RDP is one of the top initial infection vectors for ransomware and can expose sessions to an on-path attacker. If RDP is operationally necessary, restrict originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor all remote access and RDP login attempts, lock out accounts after a specified number of attempts to block brute force attempts and disable unused RDP ports.

Maintaining offline – physically disconnected – backups of data and ensuring backup keys are kept offline as well and all backup data is encrypted, immutable and covers the entire data infrastructure with a focus on key data assets.

Providing end-user awareness and training – it’s that human factor protection. Ensure staff are aware of cyberthreats and delivery methods and know what to do and who to contact when they receive a suspected phishing email or suspect a cyber incident.
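The RDP recommendation above boils down to two controls that can be checked in logs: a burst of failed remote logons from one source, and a successful logon from that same source afterwards. The Python below is an added example written for this article, not code from the advisory. It runs a sliding-window detector over a handful of constructed, simplified log records. The event numbers follow the Windows Security log (4625 failed logon, 4624 successful logon, LogonType 10 for RDP), but the one-line `key=value` format, the field names and the addresses are assumptions made for the demonstration, not a real log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"    # Windows Security log: an account failed to log on
SUCCESS_LOGON = "4624"   # Windows Security log: an account was successfully logged on
RDP_LOGON_TYPE = "10"    # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample records in an assumed simplified format (not real logs).
# 203.0.113.5 sprays six accounts in under 20 seconds and then gets in;
# 198.51.100.7 fails twice (normal typo territory); 192.0.2.9 is not RDP.
SAMPLE_LOG = """\
2022-08-01T10:00:01Z EventID=4625 LogonType=10 User=administrator Source=203.0.113.5
2022-08-01T10:00:04Z EventID=4625 LogonType=10 User=admin Source=203.0.113.5
2022-08-01T10:00:07Z EventID=4625 LogonType=10 User=backup Source=203.0.113.5
2022-08-01T10:00:09Z EventID=4625 LogonType=3 User=svc-sql Source=192.0.2.9
2022-08-01T10:00:11Z EventID=4625 LogonType=10 User=jsmith Source=198.51.100.7
2022-08-01T10:00:12Z EventID=4625 LogonType=10 User=helpdesk Source=203.0.113.5
2022-08-01T10:00:15Z EventID=4625 LogonType=10 User=administrator Source=203.0.113.5
2022-08-01T10:00:18Z EventID=4625 LogonType=10 User=administrator Source=203.0.113.5
2022-08-01T10:00:20Z EventID=4625 LogonType=10 User=jsmith Source=198.51.100.7
2022-08-01T10:00:25Z EventID=4624 LogonType=10 User=administrator Source=203.0.113.5
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' record into a dict with a parsed 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_rdp_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Return (source, kind, detail) alerts.

    'rdp_bruteforce' fires once per source when `threshold` RDP logon failures
    land inside a sliding window of `window_seconds`; that is the lockout
    condition the advisory recommends enforcing. 'success_after_bruteforce'
    fires when a flagged source later logs on successfully over RDP, which is
    the case that most needs a human to look at it.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    window = timedelta(seconds=window_seconds)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("LogonType") != RDP_LOGON_TYPE:
            continue                # only remote-interactive (RDP) logons
        src = rec["Source"]
        if rec["EventID"] == FAILED_LOGON:
            recent = failures[src]
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()    # drop failures outside the window
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "rdp_bruteforce",
                               f"{len(recent)} failed RDP logons within {window_seconds}s"))
        elif rec["EventID"] == SUCCESS_LOGON and src in flagged:
            alerts.append((src, "success_after_bruteforce",
                           f"successful RDP logon for {rec['User']} after brute force"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_rdp_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, kind, detail in run_sample():
        print(f"{src} {kind}: {detail}")
```

On the sample, only 203.0.113.5 trips the threshold (its fifth failure arrives 14 seconds after the first) and its later 4624 produces the second alert; the two failures from 198.51.100.7 and the non-RDP failure from 192.0.2.9 stay quiet. The threshold and window map directly onto an account lockout policy, and the same per-source bookkeeping is what a VPN or RDP gateway log would be fed into.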

Longer term, CISA and ACSC recommend implementing network segmentation to separate network segments based on role and functionality.

“The ACSC has observed ransomware and data theft incidents in which Australian divisions of multinational companies were impacted by ransomware incidents affecting assets maintained and hosted by offshore divisions outside their control.”

Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling data flows between, and access to, subnetworks. 

The advisory also includes Snort signatures for the listed malware strains, with the exception of GootLoader, for which no signature is available.
