8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
9.9 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Immediate Actions You Can Take Now to Protect Against Malware:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Enforce multifactor authentication (MFA).
• Secure Remote Desktop Protocol (RDP) and other risky services.
• Make offline backups of your data.
• Provide end-user awareness and training about social engineering and phishing.
This joint Cybersecurity Advisory (CSA) was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). This advisory provides details on the top malware strains observed in 2021. Malware, short for “malicious software,” can compromise a system by performing an unauthorized function or process. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.[1]
In 2021, the top malware strains included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations. The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.
CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of this joint CSA. These mitigations include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems especially for known exploited vulnerabilities, making offline backups of data, and enforcing multifactor authentication (MFA).
Download the PDF version of this report: pdf, 576 kb
The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader.
Updates made by malware developers, and reuse of code from these malware strains, contribute to the malware’s longevity and evolution into multiple variations. Malicious actors’ use of known malware strains offers organizations opportunities to better prepare, identify, and mitigate attacks from these known malware strains.
The most prolific malware users of the top malware strains are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.
In the criminal malware industry, including malware as a service (MaaS), developers create malware that malware distributors often broker to malware end-users.[2] Developers of these top 2021 malware strains continue to support, improve, and distribute their malware over several years. Malware developers benefit from lucrative cyber operations with low risk of negative consequences. Many malware developers often operate from locations with few legal prohibitions against malware development and deployment. Some developers even market their malware products as legitimate cyber security tools. For example, the developers of Remcos and Agent Tesla have marketed the software as legitimate tools for remote management and penetration testing. Malicious cyber actors can purchase Remcos and Agent Tesla online for low cost and have been observed using both tools for malicious purposes.
Below are the steps that CISA and ACSC recommend organizations take to improve their cybersecurity posture based on known adversary tactics, techniques, and procedures (TTPs). CISA and ACSC urge critical infrastructure organizations to prepare for and mitigate potential cyber threats immediately by (1) updating software, (2) enforcing MFA, (3) securing and monitoring RDP and other potentially risky services, (4) making offline backups of your data, and (5) providing end-user awareness and training.
As part of a longer-term effort, implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent the spread of ransomware and threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. The ACSC has observed ransomware and data theft incidents in which Australian divisions of multinational companies were impacted by ransomware incidents affecting assets maintained and hosted by offshore divisions outside their control.
The information in this report is being provided “as is” for informational purposes only. CISA and ACSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
Malware
|
Snort Detection Signature
—|—
Agent Tesla
|
alert any any -> any any (msg:”HTTP GET request /aw/aw.exe”; flow:established,to_server; sid:1; rev:1; content:”GET”; http_method; content:”/aw/aw.exe”; http_uri; reference:url, https://www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work; metadata:service http;)
AZORult
|
alert tcp any any -> any any (msg:“HTTP Server Content Data contains ‘llehS|2e|tpircSW’”; sid:1; rev:1; flow:established,from_server; file_data; content:“llehS|2e|tpircSW”; nocase; fast_pattern:only; pcre:“/GCM(?:\x20|%20)\W-O\/i”; reference:url,maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/; metadata:service http;)
AZORult
|
alert tcp any any -> any any (msg:“HTTP POST Client Body contains ‘J/|fb|’ and ‘/|fb|’”; sid:1; rev:1; flow:established,to_server; content:“POST”; http_method; content:“.php”; http_uri; content:“J/|fb|”; http_client_body; fast_pattern; content:“/|fb|”; http_client_body; depth:11; content:!“Referer|3a 20|”; http_header; metadata:service http;)
FormBook
|
alert tcp any any -> any any (msg:“HTTP URI POST contains ‘&sql=1’ at the end”; sid:1; rev:1; flow:established,to_server; content:“&sql=1”; http_uri; fast_pattern:only; content:“POST”; http_method; pcre:“/(?(DEFINE)(?‘b64std’[a-zA-Z0-9+/=]+?))(?(DEFINE)(?‘b64url’[a-zA-Z0-9_-]+?))^/[a-z0-9]{3,4}/?(?P>b64url){3,8}=(?P>b64std){40,90}&(?P>b64url){2,6}=(?P>b64url){4,11}&sql=1$/iU”; reference:url,www.malware-traffic-analysis.net/2018/02/16/index.html; metadata:service http;)
alert tcp any any -> any any (msg:“HTTP URI GET/POST contains ‘/list/hx28/config.php?id=’”; sid:1; rev:1; flow:established,to_server; content:“/list/hx28/config.php?id=”; http_uri; fast_pattern:only; content:“Connection|3a 20|close|0d 0a|”; http_header; reference:url,www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html; metadata:service http;)
Ursnif
|
alert tcp any any -> any any (msg:“HTTP POST Data contains .bin filename, long URI contains ‘/images/’”; sid:1; rev:1; flow:established,to_server; urilen:>60,norm; content:“/images/”; http_uri; depth:8; content:“POST”; nocase; http_method; content:“Content-Disposition|3a 20|form-data|3b 20|name=|22|upload_file|22 3b 20|filename=|22|”; http_client_body; content:“|2e|bin|22 0d 0a|”; http_client_body; distance:1; within:32; fast_pattern; reference:url,www.broadanalysis.com/2016/03/23/angler-ek-sends-data-stealing-payload/; metadata:service http;)
alert tcp any any -> any any (msg:“HTTP URI GET/POST contains ‘/images/’ plus random sub directories and an Image File (Ursnif)”; sid:1; rev:1; flow:established,to_server; content:“/images/”; http_uri; fast_pattern:only; content:!“Host: www.urlquery.net”; http_header; pcre:“//images(/(?=[a-z0-9\]{0,22}[A-Z][a-z0-9\]{0,22}[A-Z])(?=[A-Z0-9\]{0,22}[a-z])[A-Za-z0-9\]{1,24}){5,20}/[a-zA-Z0-9\_]+\.(?:gif|jpeg|jpg|bmp)$/U”; metadata:service http)
LokiBot
|
alert tcp any any -> any any (msg:“HTTP Client Header contains ‘User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)’”; sid:1; rev:1; flow:established,to_server; content:“User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)|0d 0a|”; http_header; fast_pattern:only; metadata:service http; )
LokiBot
|
alert tcp any any -> any any (msg:“HTTP URI POST contains ‘/*/fre.php’ post-infection”; sid:1; rev:1; flow:established,to_server; content:“/fre.php”; http_uri; fast_pattern:only; urilen:<50,norm; content:“POST”; nocase; http_method; pcre:“//(?:alien|loky\d|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll/NW|wrk|job|five\d?|donemy|animation\dkc|love|Masky|v\d|lifetn|Ben)/fre\.php$/iU”; metadata:service http;)
LokiBot
|
alert tcp any any -> any any (msg:“HTTP URI POST contains ‘/w.php/’”; sid:1; rev:1; flow:established,to_server; content:“/w.php/”; http_uri; fast_pattern:only; content:“POST”; nocase; http_method; pcre:“//\w+/w\.php/[a-z]{13}$/iU”; metadata:service http;)
MOUSEISLAND
|
alert tcp any any -> any any (msg:“HTTP URI GET contains ‘/assets/<8-80 hex>/<4-16 alnum>?<3-6 alnum>=’”; sid:9206287; rev:1; flow:established,to_server; content:“/assets/”; http_uri; fast_pattern:only; content:“HTTP/1.1|0d 0a|”; depth:256; content:!“|0d 0a|Cookie:”; content:!“|0d 0a|Referer:”; pcre:“//assets/[a-fA-F0-9/]{8,80}/[a-zA-Z0-9]{4,16}?[a-z0-9]{3,6}=/U”; metadata:service http;)
NanoCore
|
alert tcp any any -> any 25 (msg:“SMTP Attachment Filename ‘Packinglist-Invoice101.pps’”; sid:1; rev:1; flow:established,to_server,only_stream; content:“Content-Disposition|3a 20|attachment|3b|”; content:“Packinglist-Invoice101.pps”; nocase; distance:0; fast_pattern; pcre:“/Content-Disposition\x3a\x20attachment\x3b[\x20\t\r\n]+?(?:file)?name=\x22?Packinglist-Invoice101\.pps\x22*?/im”; reference:cve,2014-4114; reference:msb,MS14-060; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Body-FINAL.pdf; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Appendix-FINAL.pdf;)
NanoCore
|
alert tcp any any -> any any (msg:“HTTP Client Header contains ‘Host|3a 20|frankief hopto me’ (GenericKD/Kazy/NanoCore/Recam)”; sid:1; rev:1; flow:established,to_server; content:“Host|3a 20|frankief|2e|hopto|2e|me|0d 0a|”; http_header; fast_pattern:only; metadata:service http;)
NanoCore
|
alert tcp any any -> any any (msg:“HTTP GET URI contains ‘FAD00979338’”; sid:1; rev:1; flow:established,to_server; content:“GET”; http_method; content:“getPluginName.php?PluginID=FAD00979338”; fast_pattern; http_uri; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP URI GET /t?v=2&c= (Qakbot)”; sid:1; rev:1; flow:established,to_server; content:“/t?v=2&c=”; http_uri; depth:9; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf;)
Qakbot
|
alert tcp any any -> any 21 (msg:“Possible FTP data exfiltration”; sid:1; rev:1; flow:to_server,established; content:“STOR si_”; content:“.cb”; within:50; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service ftp-ctrlchan;)
Qakbot
|
alert tcp any any -> any any (msg:“Malicious executable download attempt”; sid:1; rev:1; flow:to_client,established; file_type:MSEXE; file_data; content:“|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|”; fast_pattern:only; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP POST URI contains ‘odin/si.php?get&’”; sid:1; rev:1; flow:to_server,established; content:“/odin/si.php?get&”; fast_pattern:only; http_uri; content:“news_slist”; http_uri; content:“comp=”; http_uri; reference:url,www.virustotal.com/en/file/478132b5c80bd41b8c11e5ed591fdf05d52e316d40f7c4abf4bfd25db2463dff/analysis/1464186685/; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP URI contains ‘/random750x750.jpg?x=’”; sid:1; rev:1; flow:to_server,established; content:“/random750x750.jpg?x=”; fast_pattern:only; http_uri; content:“&y=”; http_uri; content:“Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /|0d 0a|”; http_header; content:“Cache-Control|3a 20|no-cache|0d 0a|”; http_header; content:!“Accept-”; http_header; content:!“Referer”; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP URI contains ‘/datacollectionservice.php3’”; sid:1; rev:1; flow:to_server,established; content:“/datacollectionservice.php3”; fast_pattern:only; http_uri; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP header contains ‘Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /|0d 0a|’”; sid:1; rev:1; flow:to_server,established; urilen:30<>35,norm; content:“btst=”; http_header; content:“snkz=”; http_header; content:“Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, /|0d 0a|”; fast_pattern:only; http_header; content:“Cache-Control|3a 20|no-cache|0d 0a|”; http_header; content:!“Connection”; http_header; content:!“Referer”; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)
Qakbot
|
alert tcp any any -> any 21 (msg:“Possible ps_dump FTP exfil”; sid:1; rev:1; flow:to_server,established; content:“ps_dump”; fast_pattern:only; pcre:“/ps_dump_[^]+[a-z]{5}\d{4}\x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)
Qakbot
|
alert tcp any any -> any 21 (msg:“Possible seclog FTP exfil”; sid:1; rev:1; flow:to_server,established; content:“seclog”; fast_pattern:only; pcre:“/seclog_[a-z]{5}\d{4}_\d{10}\x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP URI contains ‘/cgi-bin/jl/jloader.pl’”; sid:1; rev:1; flow:to_server,established; content:“/cgi-bin/jl/jloader.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP URI contains ‘/cgi-bin/clientinfo3.pl’”; sid:1; rev:1; flow:to_server,established; content:“/cgi-bin/clientinfo3.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP URI contains ‘/u/updates.cb’”; sid:1; rev:1; flow:to_server,established; content:“/u/updates.cb”; fast_pattern:only; http_uri; pcre:“/^Host\x3A[^\r\n]+((up\d+)|(adserv))/Hmi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP response content contains ‘|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|’”; sid:1; rev:1; flow:to_client,established; file_data; content:“|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|”; fast_pattern:only; content:“|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 43 72 65 61 74 65 46 69 6C 65 28 29 20 66 61 69 6C 65 64|”; content:“|52 75 6E 45 78 65 46 72 6F 6D 52 65 73 28 29 20 73 74 61 72 74 65 64|”; content:“|73 7A 46 69 6C 65 50 61 74 68 3D|”; content:“|5C 25 75 2E 65 78 65|”; reference:url,www.virustotal.com/en/file/23e72e8b5e7856e811a326d1841bd2ac27ac02fa909d0a951b0b8c9d1d6aa61c/analysis; metadata:service ftp-data,service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP POST URI contains ‘v=3&c=’”; sid:1; rev:1; flow:to_server,established; content:“/t”; http_uri; content:“POST”; http_method; content:“v=3&c=”; depth:6; http_client_body; content:“==”; within:2; distance:66; http_client_body; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service http;)
Qakbot
|
alert tcp any any -> any any (msg:“HTTP URI GET contains ‘/<alpha>/595265.jpg’”; sid:1; rev:1; flow:established,to_server; content:“/595265.jpg”; http_uri; fast_pattern:only; content:“GET”; nocase; http_method; pcre:“/^/[a-z]{5,15}/595265\.jpg$/U”; reference:url,www.virustotal.com/gui/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/detection; metadata:service http;)
Remcos
|
alert tcp any any -> any any (msg:“Non-Std TCP Client Traffic contains ‘|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|’ (Checkin #23)”; sid:1; rev:1; flow:established,to_server; dsize:<700; content:“|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|”; depth:11; fast_pattern; content:“|da b1|”; distance:2; within:2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/; reference:url,isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/; reference:url,www.malware-traffic-analysis.net/2019/09/03/index.html; reference:url,www.malware-traffic-analysis.net/2017/10/27/index.html;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP Client Header contains ‘host|3a 20|tpsci.com’”; sid:1; rev:1; flow:established,to_server; content:“host|3a 20|tpsci.com”; http_header; fast_pattern:only; metadata:service http;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP Client Header contains ‘User-Agent|3a 20|*Loader’”; sid:1; rev:1; flow:established,to_server; content:“User-Agent|3a 20|”; http_header; content:“Loader|0d 0a|”; nocase; http_header; distance:0; within:24; fast_pattern; metadata:service http;)
TrickBot
|
alert udp any any <> any 53 (msg:“DNS Query/Response onixcellent com (UDP)”; sid:1; rev:1; content:“|0B|onixcellent|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; priority:1; metadata:service dns;)
TrickBot
|
alert tcp any any -> any any (msg:“SSL/TLS Server X.509 Cert Field contains ‘C=XX, L=Default City, O=Default Company Ltd’”; sid:1; rev:2; flow:established,from_server; ssl_state:server_hello; content:“|31 0b 30 09 06 03 55 04 06 13 02|XX”; nocase; content:“|31 15 30 13 06 03 55 04 07 13 0c|Default City”; nocase; content:“|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd”; nocase; content:!“|31 0c 30 0a 06 03 55 04 03|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
TrickBot
|
alert tcp any any -> any any (msg:“SSL/TLS Server X.509 Cert Field contains ‘C=AU, ST=Some-State, O=Internet Widgits Pty Ltd’”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:“|31 0b 30 09 06 03 55 04 06 13 02|AU”; content:“|31 13 30 11 06 03 55 04 08 13 0a|Some-State”; distance:0; content:“|31 21 30 1f 06 03 55 04 0a 13 18|Internet Widgits Pty Ltd”; distance:0; fast_pattern; content:“|06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP Client Header contains ‘boundary=Arasfjasu7’”; sid:1; rev:1; flow:established,to_server; content:“boundary=Arasfjasu7|0d 0a|”; http_header; content:“name=|22|proclist|22|”; http_header; content:!“Referer”; content:!“Accept”; content:“POST”; http_method; metadata:service http;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.’”; sid:1; rev:1; flow:established,to_server; content:“User-Agent|3a 20|WinHTTP loader/1.”; http_header; fast_pattern:only; content:“.png|20|HTTP/1.”; pcre:“/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{2,5})?$/mH”; content:!“Accept”; http_header; content:!“Referer|3a 20|”; http_header; metadata:service http;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP Server Header contains ‘Server|3a 20|Cowboy’”; sid:1; rev:1; flow:established,from_server; content:“200”; http_stat_code; content:“Server|3a 20|Cowboy|0d 0a|”; http_header; fast_pattern; content:“content-length|3a 20|3|0d 0a|”; http_header; file_data; content:“/1/”; depth:3; isdataat:!1,relative; metadata:service http;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP URI POST contains C2 Exfil”; sid:1; rev:1; flow:established,to_server; content:“Content-Type|3a 20|multipart/form-data|3b 20|boundary=------Boundary”; http_header; fast_pattern; content:“User-Agent|3a 20|”; http_header; distance:0; content:“Content-Length|3a 20|”; http_header; distance:0; content:“POST”; http_method; pcre:“/^/[a-z]{3}\d{3}/.+?\.[A-F0-9]{32}/\d{1,3}//U”; pcre:“/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}$/mH”; content:!“Referer|3a|”; http_header; metadata:service http;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP URI GET/POST contains ‘/56evcxv’”; sid:1; rev:1; flow:established,to_server; content:“/56evcxv”; http_uri; fast_pattern:only; metadata:service http;)
TrickBot
|
alert icmp any any -> any any (msg:“ICMP traffic conatins ‘hanc’”; sid:1; rev:1; itype:8; icode:0; dsize:22; content:“hanc”; depth:4; fast_pattern; pcre:“/hanc[0-9a-f]{16}…/i”; reference:url,labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP Client Header contains POST with ‘host|3a 20|*.onion.link’ and ‘data=’”; sid:1; rev:1; flow:established,to_server; content:“POST”; nocase; http_method; content:“host|3a 20|”; http_header; content:“.onion.link”; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:“data=”; distance:0; within:5; metadata:service http;)
TrickBot
|
alert tcp any 80 -> any any (msg:“Non-Std TCP Client Traffic contains PowerView Script Download String”; sid:1; rev:1; flow:established,from_server; content:“PowerView.ps1”; content:“PSReflect/master/PSReflect.psm1”; fast_pattern:only; content:“function New-InMemoryModule”; metadata:service else-ports;)
TrickBot
|
alert tcp any any -> any 445 (msg:“Non-Std TCP Client SMB Traffic contains ‘44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl’”; sid:1; rev:1; flow:established,to_server; content:“44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl”; fast_pattern:only; metadata:service netbios-ssn,service and-ports;)
TrickBot
|
alert tcp any any -> any [80,443,8082] (msg:“Non-Std TCP Client Traffic contains ‘–aksgja8s8d8a8s97’”; sid:1; rev:1; flow:established,to_server; content:“–aksgja8s8d8a8s97”; fast_pattern:only; content:“name=|22|proclist|22|”; metadata:service else-ports;)
TrickBot
|
alert tcp any any -> any any (msg:“HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.0’”; sid:1; rev:1; flow:established,to_server; content:“User-Agent|3a 20|WinHTTP loader/1.0|0d 0a|”; http_header; fast_pattern:only; pcre:“//t(?:oler|able)\.png/U”; metadata:service http;)
TrickBot
|
alert tcp any any -> any [443,8082] (msg:“Non-Std TCP Client Traffic contains ‘_W<digits>.’”; sid:1; rev:1; flow:established,to_server; content:“_W”; fast_pattern:only; pcre:“/_W\d{6,8}\./”; metadata:service else-ports;)
TrickBot
|
alert tcp any [443,447] -> any any (msg:“SSL/TLS Server X.509 Cert Field contains ‘example.com’ (Hex)”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:“|0b|example.com”; fast_pattern:only; content:“Global Security”; content:“IT Department”; pcre:“/(?:\x09\x00\xc0\xb9\x3b\x93\x72\xa3\xf6\xd2|\x00\xe2\x08\xff\xfb\x7b\x53\x76\x3d)/”; metadata:service ssl,service and-ports;)
TrickBot
|
alert tcp any any -> any any+F57 (msg:“HTTP URI GET contains ‘/anchor’”; sid:1; rev:1; flow:established,to_server; content:“/anchor”; http_uri; fast_pattern:only; content:“GET”; nocase; http_method; pcre:“/^/anchor_?.{3}/[\w_-]+\.[A-F0-9]+/?$/U”; metadata:service http;)
TrickBot
|
alert udp any any <> any 53 (msg:“DNS Query/Response kostunivo com (UDP)”; sid:1; rev:1; content:“|09|kostunivo|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
TrickBot
|
alert udp any any <> any 53 (msg:“DNS Query/Response chishir com (UDP)”; sid:1; rev:1; content:“|07|chishir|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
TrickBot
|
alert udp any any <> any 53 (msg:“DNS Query/Response mangoclone com (UDP)”; sid:1; rev:1; content:“|0A|mangoclone|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
GootLoader
|
No signature available.
[4] Agent Tesla Trojan ‘Kneecaps’ Microsoft’s Anti-Malware Interface
[6] AZORULT Malware Information
[8] Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea
[9] FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal
[10] Ursnif Trojan has targeted over 100 Italian banks
[11] New Variant of Ursnif Continuously Targeting Italy
[13] LokiBot trojan malware campaign comes disguised as a popular game launcher
[14] CISA and MS-ISAC LokiBot Malware
[15] So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
[16] Nanocore, Netwire, and AsyncRAT spreading campaign uses public cloud infrastructure
[19] A closer look at Qakbot’s latest building blocks (and how to knock them down)
[21] Remcos Malware Information
[22] The Latest Remcos RAT Driven By Phishing Campaign
[23] HHS The Evolution of Ryuk
[24] CISA Fact Sheet: TrickBot Malware
[25] Joint CSA Conti Ransomware
[26] Joint CSA Ransomware Activity Targeting the Healthcare and Public Health Sector
[27] New Jersey’s Cybersecurity & Communications Integration Cell (NJCCIC) page on GootLooader
August 4, 2022: Initial Version
attack.mitre.org/versions/v11/software/S0266/
attack.mitre.org/versions/v11/software/S0331/
attack.mitre.org/versions/v11/software/S0332/
attack.mitre.org/versions/v11/software/S0336/
attack.mitre.org/versions/v11/software/S0344/
attack.mitre.org/versions/v11/software/S0386/
attack.mitre.org/versions/v11/software/S0447/
attack.mitre.org/versions/v11/software/S0650/
blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html
blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader
blogs.juniper.net/en-us/threat-labs-knowledge-base/agenttesla
blogs.juniper.net/en-us/threat-labs-knowledge-base/agenttesla
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444
cve.mitre.org/cve/
cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot
cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null#:~:text=The%20AZORULT%20malware%20was%20first,a%20downloader%20of%20other%20malware.
success.trendmicro.com/dcx/s/solution/000146108-azorult-malware-information?language=en_US&sfdcIFrameOrigin=null#:~:text=The%20AZORULT%20malware%20was%20first,a%20downloader%20of%20other%20malware.
success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US&sfdcIFrameOrigin=null
success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US&sfdcIFrameOrigin=null
threatpost.com/agent-tesla-microsoft-asmi/163581/
threatpost.com/agent-tesla-microsoft-asmi/163581/
twitter.com/CISAgov
twitter.com/intent/tweet?text=2021%20Top%20Malware%20Strains+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a
www.cisa.gov/
www.cisa.gov/cyber-hygiene-services
www.cisa.gov/healthcare-and-public-health-sector
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf
www.cisa.gov/sites/default/files/publications/202104081030%20Ryuk%20Variant%20TLP%20White.pdf
www.cisa.gov/sites/default/files/publications/Malware_1.pdf
www.cisa.gov/stopransomware/
www.cisa.gov/uscert/ncas/alerts/aa20-266a
www.cisa.gov/uscert/ncas/alerts/aa20-266a
www.cisa.gov/uscert/ncas/alerts/aa20-302a
www.cisa.gov/uscert/ncas/alerts/aa21-076a
www.cisa.gov/uscert/ncas/alerts/aa21-265a
www.cisa.gov/uscert/sites/default/files/documents/NCCIC_ICS-CERT_AAL_Malware_Trends_Paper_S508C.pdf
www.cisa.gov/uscert/sites/default/files/documents/NCCIC_ICS-CERT_AAL_Malware_Trends_Paper_S508C.pdf
www.cisa.gov/uscert/sites/default/files/publications/TrickBot_Fact_Sheet_508.pdf
www.cyber.gov.au/
www.cyber.gov.au/acsc/view-all-content/essential-eight
www.cyber.gov.au/acsc/view-all-content/publications/implementing-multi-factor-authentication
www.cyber.gov.au/ransomware/
www.cyber.gov.au/ransomware/protect-yourself-against-ransomware-attacks
www.cyber.gov.au/ransomware/what-to-do
www.cyber.nj.gov/alerts-advisories/gootloader-malware-platform-uses-sophisticated-techniques-to-deliver-malware
www.cyber.nj.gov/alerts-advisories/gootloader-malware-platform-uses-sophisticated-techniques-to-deliver-malware
www.cyber.nj.gov/alerts-advisories/gootloader-malware-platform-uses-sophisticated-techniques-to-deliver-malware
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a&title=2021%20Top%20Malware%20Strains
www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy#:~:text=Ursnif%20(also%20known%20as%20Gozi,Italy%20over%20the%20past%20year.
www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy#:~:text=Ursnif%20(also%20known%20as%20Gozi,Italy%20over%20the%20past%20year.
www.hhs.gov/sites/default/files/azorult-malware.pdf
www.hhs.gov/sites/default/files/azorult-malware.pdf
www.hhs.gov/sites/default/files/azorult-malware.pdf
www.hhs.gov/sites/default/files/formbook-malware-phishing-campaigns.pdf
www.hhs.gov/sites/default/files/remote-access-trojan-nanocore-poses-risk-hph-sector.pdf
www.ic3.gov/
www.instagram.com/cisagov
www.justice.gov/opa/pr/arkansas-man-sentenced-prison-developing-and-distributing-prolific-malware
www.justice.gov/opa/pr/arkansas-man-sentenced-prison-developing-and-distributing-prolific-malware
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a
www.mandiant.com/resources/formbook-malware-distribution-campaigns
www.mandiant.com/resources/formbook-malware-distribution-campaigns
www.mandiant.com/resources/melting-unc2198-icedid-to-ransomware-operations
www.mandiant.com/resources/melting-unc2198-icedid-to-ransomware-operations
www.mandiant.com/resources/melting-unc2198-icedid-to-ransomware-operations
www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
www.netskope.com/blog/lokibot-nanocore-iso-disk-image-files
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a
www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ursnif
www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ursnif
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
www.zdnet.com/article/new-lokibot-trojan-malware-campaign-comes-disguised-as-a-popular-game-launcher/
www.zdnet.com/article/new-lokibot-trojan-malware-campaign-comes-disguised-as-a-popular-game-launcher/
www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/
www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/
mailto:?subject=2021%20Top%20Malware%20Strains&body=www.cisa.gov/news-events/cybersecurity-advisories/aa22-216a
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
9.9 High
AI Score
Confidence
High
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P