Webroot has named its “Nastiest Malware of 2021” even though three months of the year remain. It is generally a mix of high-profile and well-known malware that has been around for some time. Not all of them are active, with Webroot opining that some will “absolutely return from the underworld”.
Kelvin Murray, Senior Threat Analyst at Webroot, commented: “2021 has been a year full of change, with lockdowns lifting and life slowly getting back to some kind of normal. But what hasn’t changed is cybercriminals still looking for new ways to scam struggling businesses and customers.
“As a result, businesses need to be aware of the ever-growing number of vulnerabilities and the type of cybersecurity threats being leveraged at any given time. We recommend all organisations have multi-layered security strategies in place to maintain trust and protect reputations, and cybersecurity budgets must remain a top priority as cybercriminals continue to increase their resources.
“Data protection should be front and centre and integrated into every aspect of any robust cyber resilience strategy, as opposed to simply being viewed as a box-ticking exercise.”
What’s on Webroot’s list?
Given the mainstream media’s obsession with ransomware, you might think that the list would be nothing but ransomware. Instead, it is a little more balanced and realistic about the breadth of attacks today. Webroot has also avoided ranking the entries from worst to least bad. It is simply a list of the stuff of cybersecurity nightmares.
LemonDuck, a relative newcomer, is an advanced cryptominer mining XMR. It spreads using various techniques, from malspam to exploits like EternalBlue and a bit of brute force. It will infect Windows and Linux machines, from desktops to servers. LemonDuck uses a range of approaches to hide from detection and even cleans up competing malware on the local machine. In 2021, Webroot says it is also being used to drop tools for follow-up attacks.
From supply chain attacks to ransomware, this is a very active cybercrime group. It relies on affiliates to conduct its attacks and pays them for their time and for the number of infected machines. Earlier this year, it went offline due to coordinated action against its infrastructure. That infrastructure has started to reappear, with its leaks site back online since early September.
Some malware refuses to go away. Trickbot has evolved from a banking trojan into a botnet and more. There have been multiple attempts to disrupt and take down Trickbot. Every time people claim success, Trickbot shows its ability to survive and evolve. Once it infects a site, it moves laterally throughout the infrastructure to steal as much data as possible. At that point, it deploys ransomware to extort money. It also threatens to publish the stolen data as a secondary extortion.
Dridex is another persistent piece of malware that also began as a banking trojan and credential thief. It is now being linked to ransomware like Bitpaymer due to similarities in the code. Over the last year, it has developed its own malspam campaigns to infect machines. It also moves laterally through a network, leaving the Dridex loader on every machine to gather user credentials.
Conti is the ransomware group behind Ryuk, which the FBI listed as its most successful ransomware group of 2019. While it has fallen from the top of the tree, it is still a major player. It relies on credentials that are either stolen or the result of phishing attacks. Conti also spreads by using botnets such as Emotet and Trickbot. It also threatens its victims with the release of sensitive information to force them to pay.
Cobalt Strike is a good example of how a tool created for security teams can be misused once it is in the wild. It is a legitimate pen-testing tool designed to help identify security problems. The techniques it uses to find those problems are gold dust to attackers, and it has been co-opted as a malware tool of choice.
The not-so-successful and the “gone, or are they?” categories
Webroot calls out two honourable mentions and then some dead, or maybe not so dead, malware.
This group’s attack on VMware ESXi using exploits earns it an honourable mention. As gamers will remember, it also managed to breach CD Projekt RED and stole the source code for games including Cyberpunk 2077 and The Witcher 3.
DarkSide’s attack on the back-office systems of Colonial Pipeline caused one of the biggest cybersecurity news stories of 2021 so far. Colonial reacted to the attack by choosing to shut down its fuel pipelines, causing weeks of fuel issues across the eastern seaboard of the US. Authorities responded by taking down as much of the DarkSide infrastructure as possible, but it soon reinvented itself (see below).
Gravestone (shutdown malware) – RIP [Rest in Pieces]
Emotet – Looks to be “dead dead.”
Ragnarok – Also likely to remain six feet under.
“Dead” but will absolutely return from the underworld
REvil – Definitely coming back rebranded.
DarkSide – Has likely already returned rebranded as BlackMatter.
Maze – Returned from the dead as Egregor (not to be confused with Frankenstein’s assistant Igor).
Bitpaymer/Doppelpaymer – This Evil Corp group haunts its victims again under the name Grief.
Enterprise Times: What does this mean?
This is an interesting but far from complete list of nasties so far in 2021. Like all vendor-related lists, it says more about who their clients are and what telemetry they gather from them. There are many more attacks and cybercrime groups that could have been mentioned, from Avaddon to Babuk. It also ignores the spate of attacks on crypto exchanges, which are highly lucrative but only impact a limited number of individuals.
However, the bigger message here is that the vast majority of those called out by Webroot have been around for years. Attempts to shut them down often result in them disappearing for a short time, then re-emerging with a whole new infrastructure. If commercial IT were as resilient as cybercrime groups, the impact of those groups on big organisations would be far less damaging.
For now, add these to your list of things to watch out for.