Emotet Tops Any.Run's 2019 List of Malware Threats
Any.Run is a publicly available interactive service that allows analyzing malware by running it in a sandbox. The service recently compiled a list of the top 10 malware threats uploaded to the platform most often. The list includes malware intended for stealing sensitive information, including banking details, as well as remote access tools (RATs) that enable an attacker to take control of the compromised host. The notorious Emotet tops the list.
#1 Emotet
When first detected in 2014, Emotet was a sophisticated banking trojan, but its operators later found a way to keep it relevant in the big business that cybercrime has turned into.
These days, this threat is mostly used for delivering other malicious software by means of carefully composed malicious emails. For example, TrickBot (#9 on this list), a banking trojan that has since shifted its focus, is commonly spread this way.
#2 Agent Tesla
Agent Tesla is a commercial info-stealing program that became popular with scammers who carry out business email compromise (BEC). They use this malware for logging keystrokes and taking screenshots on the infected host.
Agent Tesla is capable of collecting information about the system, as well as of intercepting data from the clipboard. It also includes routines for disabling antivirus solutions and killing running analysis processes.
#3 NanoCore
NanoCore is a RAT (remote access tool) known since 2013. The developer of NanoCore was arrested in 2017, but cracked versions of the malware are still in use.
This tool is also favored by BEC scammers, such as SilverTerrier, an umbrella name for multiple cyber-gangs specializing in BEC fraud, which in 2018 created 125 unique samples per month on average.
Along with providing remote access to the victim host, NanoCore is capable of file execution, spying, keylogging, editing the registry, capturing audio and video, and controlling the mouse.
#4 LokiBot
LokiBot first appeared on underground forums as a keylogger and information stealer, but later gained additional capabilities that allow it to evade detection and collect sensitive information.
This year’s LokiBot sample possesses the following capabilities: anti-analysis, stealing data from a wide variety of web browsers (at least 25), looking for credentials in email and file transfer clients, and checking for email and web servers running on the targeted machine.
#5 Ursnif
Ursnif is a banking trojan; it is not new, but it has gained new features over time.
Ursnif is typically used for data theft, but some of its variants come enriched with components such as backdoors or file injection. It can also deploy other malware, such as GandCrab ransomware.
#6 FormBook
FormBook is another info-stealer that can also evade antivirus detection. This malware has been sold on hacking forums since February 2016, or possibly even longer.
It was initially designed to intercept data entered into web forms, even when a password manager, a virtual keyboard or the autofill function was used.
Its functions include collecting data from web browsers (such as cookies and passwords), stealing clipboard contents, taking screenshots, keylogging, stealing passwords from email clients, and downloading and running executables from the command and control server.
#7 HawkEye
HawkEye is also a keylogger and has been around since at least 2013. It is sold by its developer on dark web markets and hacking forums. HawkEye is advertised as an advanced monitoring solution, and updates for this software are released regularly.
Along with keystroke interception, it provides newer functions that enable the attacker to steal credentials from various applications and intercept clipboard contents.
#8 AZORult
The original version of AZORult is Delphi-based, but this year's version is written in C++. This info-stealer has been seen in the wild since 2016; it is now sold on underground forums for $100.
AZORult is used primarily for harvesting and exfiltrating a wide variety of data from compromised systems: credentials from email and FTP clients and passwords saved in web browsers, as well as files, cookies, cryptocurrency wallets, web form data, and chat history saved in messaging apps.
#9 TrickBot
Initially developed as a banking trojan, TrickBot now has many more features, which make it much more than that. Often delivered through Emotet, TrickBot can itself deliver other malware to the system, e.g. Ryuk ransomware, most likely after stealing valuable information.
TrickBot can steal passwords from web browsers, email and FTP clients, enumerate the users on the system, and collect local files from the victim’s machine.
#10 njRAT
This RAT is also used by the notorious SilverTerrier group. njRAT has been around since 2012, when it was used mostly in the Middle East region.
Along with logging keystrokes, this malware is capable of turning on the microphone and web camera on the compromised system. Some of the samples can also exfiltrate the title of the currently used window on the victim’s machine.
It is easy to notice that most of the malware in Any.Run's top 10 is not new, with some of the samples being almost a decade old. Nevertheless, these families are still actively used by cybercriminals, which means that companies should not underestimate the danger of known threats.