Cybersecurity: CISA releases top malware strains report


Image: Black_Kira/Shutterstock

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) released a report on Aug. 4 listing the top malware strains experienced in 2021.

As always, the top malware strains were those with a higher potential for payoff, including remote access trojans (RATs), banking trojans, information stealers and ransomware.

But none of them are new: The top malware strains have been in use for more than five years, and some go back to 2007, with their respective code bases evolving into multiple variations.

Douglas Rausch, associate professor in the College of Science and Technology at Bellevue University in Nebraska, pointed out that reuse of malware makes sense. “A lot of the malware that’s being utilized is either just the exact same stuff that had been used in previous years or the various actors are using significant portions of the code of the previous malware, and then putting it into new exploits,” he said. “No surprise there. They’re just as efficient as the rest of us reusing code.”

Professor Douglas Rausch

Image courtesy Bellevue University:
Professor Douglas Rausch

“When the old tools work, there’s no reason to do new stuff,” Rausch said.

He agreed that ransomware is an ongoing threat that companies large and small should be concerned about. “We really see the ransomware piece in terms of, ‘You need to pay to uncover your data. And also, while we were in there, we took your data, and we’re going to sell it, or we’ll post it unless you pay.’ And so we’ve kind of gone from this singular, ‘Hey, now you just don’t have access to your data’ to really a double whammy, which is ‘You’re not going to have access to it. And we’re going to go ahead and sell or share your customer data or intellectual property.’ And so they’ve kind of raised the stakes on that one.”

CISA suggests the following in order to keep your systems safe:

• Patch all systems and prioritize patching known exploited vulnerabilities.

• Enforce multi-factor authentication.

• Secure Remote Desktop Protocol and other risky services.

• Make offline backups of your data.

• Provide end-user awareness and training about social engineering and phishing.

Rausch agreed with these steps and added VPN use and software patching to the list. Another important warning is that companies need to be aware of their software bills of materials, he said, in order to keep track of their vulnerabilities, as we saw with SolarWinds and Log4j.

“Some of the ways those are hit is due to the vulnerable software that we’re bringing into the enterprise,” Rausch said. “Folks really need to start paying attention to their software bill of materials. And so, when you hear of some of these vulnerabilities … and you go, ‘Do I actually have that piece of software running in my enterprise?’ And really for enterprise folks to have the ability to understand, ‘What software do I have in the organization, and what’s running and is this particular thing going to be a problem?’”

CISA’s list of top malware strains seen in 2021:

Agent Tesla

Agent Tesla, a RAT active since 2014, can steal data from mail clients, web browsers, and File Transfer Protocol (FTP) servers. It can also capture screenshots, videos, and Windows clipboard data. It’s delivered via phishing.


AZORult, a trojan active since 2016, is used to steal information from compromised systems. It has been sold on underground hacker forums for stealing browser data, user credentials, and cryptocurrency information. It’s delivered via phishing, websites and dropper malware.


FormBook, a trojan since at least 2016, is an information stealer advertised in hacking forums. It’s capable of key logging and capturing browser or email client passwords, but its developers continue to update the malware to exploit the latest Common Vulnerabilities and Exposures (CVS). Delivered via phishing.


Ursnif is a banking trojan that steals financial information. Also known as Gozi, Ursnif has evolved over the years – since 2007 – to include a persistence mechanism, methods to avoid sandboxes and virtual machines, and search capability for disk encryption software to attempt key extraction for unencrypting files. Delivered via phishing.


LokiBot is a trojan malware for stealing sensitive information, including user credentials, cryptocurrency wallets, and other credentials. A 2020 LokiBot variant was disguised as a launcher for the Fortnite multiplayer video game. It’s been active since 2015. Delivered as an email attachment.


MOUSEISLAND (active since at least 2019) is a macro downloader usually found within the embedded macros of a Microsoft Word document and can download other payloads. MOUSEISLAND may be the initial phase of a ransomware attack. Delivered via email attachment.


NanoCore is a RAT used for stealing victims’ information, including passwords and emails. It could also allow malicious users to activate computers’ webcams to spy on victims. Malware developers continue to develop additional capabilities as plug-ins available for purchase or as a malware kit or shared amongst malicious cyber actors. It’s been around since 2013. Delivered via email, zip file and PDF.


Originally observed as a banking trojan in 2007, Qakbot has evolved in its capabilities to include performing reconnaissance, moving laterally, gathering and exfiltrating data, and delivering payloads. Also known as QBot or Pinkslipbot, Qakbot is modular in nature enabling malicious cyber actors to configure it to their needs. Qakbot can also be used to form botnets. Delivered via attachment, links or embedded image.


Remcos is a RAT marketed as a legitimate software tool for remote management and penetration testing. It’s been active since 2016. Remcos, short for Remote Control and Surveillance, was leveraged by malicious cyber actors conducting mass phishing campaigns during the COVID-19 pandemic to steal personal data and credentials. Delivered via phishing.


TrickBot malware (2016) is a trojan often used to form botnets or enable initial access for the Conti ransomware or Ryuk banking trojan. TrickBot is developed and operated by a sophisticated group of malicious cyber actors and has evolved into a highly modular, multi-stage malware. In 2020, cyber criminals used TrickBot to target the Healthcare and Public Health (HPH) Sector and then launch ransomware attacks, exfiltrate data, or disrupt healthcare services. Delivered via email link.


GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader downloading a malicious payload into a multi-payload malware platform. By leveraging search engine poisoning, GootLoader’s developers may compromise or create websites that rank highly in search engine results, such as Google search results. It’s been around since 2020. Delivered via websites.