The Dangerous Nine: A Brief Portrait of Malware


An overview of every strain of malware aimed at companies would go beyond the scope of this article. Instead, Varonis Threat Labs presents nine important malware variants that have been used particularly often against corporate data in recent years, mostly remote access trojans (RATs), information stealers or banking trojans.

In addition to a clear trend towards highly individualized ransomware, Varonis Threat Labs has also noticed an increasing spread of so-called "commodity malware" over the last year. The term refers to malware that is available for purchase or free download on a large scale, is not customized for individual victims, and is used by many different attackers. According to the researchers' observations, the following nine play a particularly prominent role among the enormous number of malware variants available.

njRAT – Remote Access Trojan (RAT)

First observed in late 2012/early 2013, njRAT is a widespread remote access Trojan (RAT) originally developed by the cybercrime gang Sparclyheason. Its source code was published as early as May 2013, so it is now used mainly by less-skilled cybercriminals; numerous guides and tutorials on its use have been posted on underground forums and YouTube. njRAT is still very widespread and is mostly distributed via spam campaigns. It is also found in 'trojanized' versions of legitimate applications downloaded from dubious sources and file-sharing websites.

Similar to other popular RAT programs, njRAT offers remote control and monitoring capabilities, as well as the ability to transfer and run files, manipulate the registry, and access a remote shell. In addition, the RAT can record audio and video remotely via connected microphones and webcams, as well as use keylogging and password-stealing functions.

Formbook (XLoader)

Formbook was first observed in early 2016 and was renamed XLoader in 2020. It is sold as malware-as-a-service on underground forums and is commonly used by less-skilled attackers to steal credentials and other data from victims.

The spread of Formbook continued to increase in 2021, arguably because of its availability, low cost and ease of use. Originally Formbook targeted only Windows; since the introduction of XLoader, Apple macOS is also supported. In addition to its credential-stealing capabilities, Formbook includes some RAT-like features, such as transferring and executing payloads and forcing a reboot or shutdown. This makes Formbook suitable as an initial foothold for deploying further malicious payloads and pursuing goals beyond data theft.

NanoCore - Remote Access Trojan (RAT)

NanoCore was first discovered in 2013 and could be purchased for around $25; "cracked" versions are now also widespread in the cybercrime underground. The malware offers typical RAT functions and has a modular architecture: plugins can significantly expand its functionality. Thanks to the availability of cracked and leaked versions, NanoCore is still widely used today. It is usually distributed via phishing emails and infected pirated software.

Lokibot - Information Stealer

Lokibot (also known as Loki and LokiPWS) is an information stealer that first appeared in mid-2015 and was initially sold on cybercrime forums for up to $400 before its source code was leaked. It supports additional modules such as a keylogger and cryptocurrency wallet theft. Most recently, it has frequently been observed in COVID-19-themed phishing campaigns.

Remcos - Remote Access Trojan (RAT)

Remcos is marketed as a "legitimate" commercial remote access tool and is regularly updated by its developers. It is one of the most widespread remote access Trojans and, like similar tools, is aimed primarily at inexperienced attackers, who can learn how to use it from numerous YouTube tutorials. However, many professional attackers also use Remcos so that they do not have to develop their own tooling and can concentrate on the other phases of their attack.

In addition to the standard RAT features, Remcos offers a "Remote Scripting" function that runs code on multiple hosts simultaneously. Remcos users can also purchase additional services from the developers, e.g. a mass mailer for sending phishing emails and a dynamic DNS service. The latter gives the command-and-control (C2) host a stable hostname, so attackers can change the C2 IP address without having to rebuild or redeploy the Remcos binary.

AZORult - Information Stealer

First discovered in early 2016, AZORult is an information stealer that is often distributed via malspam campaigns that exploit topical issues or pose as legitimate business communications. These campaigns mostly deliver Microsoft Office documents with malicious macros. When a victim enables macros, the macro downloads the malicious payload from the attackers' command-and-control infrastructure and launches AZORult, which steals sensitive data including login credentials, payment card details, browser data and cryptocurrency wallets, sends it to the C2 server and then disables itself.
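The infection chain described above starts with a macro-enabled Office document, so a first triage check a mail gateway or an analyst can run is to look inside the attachment for a VBA project: modern Office files (.docm, .xlsm, .docx and so on) are ZIP containers, and macros live in a `vbaProject.bin` part that is also declared in `[Content_Types].xml`. The following Python script is an added example and is not code from the original article or from Varonis; the sample documents it builds are constructed inline (they contain no real macro code), and the verdict labels are my own naming.

```python
from __future__ import annotations

import io
import zipfile

# Legacy binary Office formats (.doc/.xls/.ppt) start with the OLE compound file magic.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML declares a VBA project with this content type in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions that legitimately carry macros; a VBA part behind any other extension is unusual.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            types += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        types += "</Types>"
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes only: a real vbaProject.bin is an OLE file holding the VBA streams.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def find_macro_parts(data: bytes) -> list[str]:
    """Return the names of VBA project parts inside an OOXML zip ([] if there are none)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Also consult the package manifest: a part declared as a VBA project counts even if renamed.
        if "[Content_Types].xml" in names:
            manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in manifest and not parts:
                parts.append("<declared in [Content_Types].xml>")
    return parts


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment as 'macro', 'macro-ext-mismatch', 'clean', 'legacy-ole' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: macros sit in OLE streams, which zipfile cannot list; hand to an OLE parser.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    if not find_macro_parts(data):
        return "clean"
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    # A VBA project behind a macro-free extension such as .docx is unusual and worth flagging separately.
    return "macro" if ext in MACRO_EXTENSIONS else "macro-ext-mismatch"


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 8)]:
        print(f"{name}: {triage(name, blob)}")
```

The check deliberately stops at "a VBA project is present": whether the macro is malicious needs a VBA parser such as oletools, and legacy `.doc`/`.xls` files are only classified, not inspected. In a gateway, 'macro' and 'macro-ext-mismatch' verdicts from external senders are the ones to quarantine or sandbox.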

AZORult is often deployed alongside other malware that pursues different objectives. Besides disguising itself as business communications, it frequently spreads via infected "cracks" and other questionable content, often associated with copyright infringement.

Netwire - Remote Access Trojan (RAT)

Netwire is a remote access Trojan (RAT) first identified in 2012 that is still very widespread. It is often distributed via phishing campaigns posing as order confirmations or shipment tracking notifications. In addition to the standard RAT functions, Netwire has included a payment card reading function since 2016 that specifically targets payment devices (point-of-sale terminals) in stores.

Netwire encrypts its command-and-control traffic with a custom scheme to evade detection and complicate investigations, and stolen data is likewise encrypted before transmission.

Danabot - Banking Trojan

Danabot is a modular banking Trojan that was originally used by a single group and is now sold to other cybercriminals as malware-as-a-service (MaaS). Initially, Danabot focused on stealing credentials, cryptocurrency accounts and banking credentials via web injects. Its modular architecture, however, allows the malware to be easily customized and used in a variety of ways; for example, RAT and ransomware encryption modules are available.

In October 2021, the npm package of the popular UAParser.js JavaScript library was compromised and modified to download and run Danabot together with a cryptocurrency miner. The legitimate package is downloaded millions of times a week, which illustrates the huge impact a supply chain attack can have.
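The UAParser.js incident is a reminder that a trojanized upstream release reaches every project whose lockfile resolves to it. A simple check a build pipeline can run is to audit `package-lock.json` against the versions named in a security advisory and to flag any dependency whose tarball was resolved from somewhere other than the expected registry. The Python script below is an added example, not code from the article or from Varonis; the two lockfiles and the denylist are constructed sample data (`example-lib`, `helper` and their version numbers are placeholders; substitute the package and versions from the advisory you are responding to).

```python
import json
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample package-lock.json in the lockfileVersion 2 layout (flat "packages" map).
SAMPLE_LOCK_V2 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/example-lib": {
      "version": "1.2.3",
      "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-1.2.3.tgz"
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    },
    "node_modules/left-pad/node_modules/helper": {
      "version": "0.1.0",
      "resolved": "https://mirror.example.internal/helper-0.1.0.tgz"
    }
  }
}
""")

# Constructed sample in the older lockfileVersion 1 layout (nested "dependencies" tree).
SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "legacy-app",
  "lockfileVersion": 1,
  "dependencies": {
    "example-lib": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-1.2.4.tgz",
      "dependencies": {
        "helper": {"version": "0.1.0", "resolved": "https://registry.npmjs.org/helper/-/helper-0.1.0.tgz"}
      }
    }
  }
}
""")

# Placeholder denylist: package -> versions an advisory says were trojanized (constructed values).
DENYLIST: Dict[str, Set[str]] = {"example-lib": {"1.2.3", "1.2.4"}}

REGISTRY = "https://registry.npmjs.org/"


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, resolved) for every dependency in a v1, v2 or v3 lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" describes the root project itself, not a dependency
            name = path.rsplit("node_modules/", 1)[-1]  # keeps "@scope/pkg" intact
            yield name, meta.get("version", ""), meta.get("resolved", "")
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str, str]]:  # lockfileVersion 1: nested tree
        for name, meta in deps.items():
            yield name, meta.get("version", ""), meta.get("resolved", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lock(lock: dict, denylist: Dict[str, Set[str]],
               registry: str = REGISTRY) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) for each dependency that is denylisted or not fetched from registry."""
    findings = []
    for name, version, resolved in iter_lock_packages(lock):
        if version in denylist.get(name, set()):
            findings.append((name, version, "version listed in advisory denylist"))
        if resolved and not resolved.startswith(registry):
            findings.append((name, version, f"resolved outside {registry}: {resolved}"))
    return findings


if __name__ == "__main__":
    for label, lock in [("v2", SAMPLE_LOCK_V2), ("v1", SAMPLE_LOCK_V1)]:
        for name, version, reason in audit_lock(lock, DENYLIST):
            print(f"[{label}] {name}@{version}: {reason}")
```

Run it against the real lockfile with `json.load(open("package-lock.json"))` in place of the samples. Note that the lockfile is only as good as the last `npm install`: a floating range in `package.json` with no committed lockfile is exactly how a freshly trojanized release slips into a build.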

Emotet – Malware, Spy, Downloader, Ransomware

Emotet is probably one of the best-known malicious programs. It was originally developed as a banking Trojan and, although it retained some core information-stealing capabilities, evolved over the years into a downloader for other malicious payloads. The actors behind Emotet also offered their botnet as a service, becoming a leading distributor of other popular threats such as Ryuk ransomware.

Emotet went quiet for a time after an international takedown by several law enforcement agencies. However, its activity is increasing again, sometimes under new names and in different constellations.
