In July 2021, the MS-ISAC observed Agent Tesla and Jupyter’s return to the Top 10. The Top 10 Malware variants comprise 63% of the total malware activity in July 2021, increasing 1% from June 2021. Shlayer is likely to continue its prevalence in the Top 10 Malware for the coming quarter.

Shlayer is currently at its peak, and it is likely to diminish over time now that this strain has crested. XcodeGhost was particularly notable in June 2021 for possibly impacting iOS apps on some devices. While some variants are fading away, others are steadily growing in prevalence, such as Seaduke and KHRAT, which joined last month’s Top 10 list.

Malvertising and pharming via ad-service providers continue to be popular methods of spreading malicious code. The consistent prevalence of this type of malware indicates that attackers are constantly evolving their tactics and techniques, as well as relying on secondary income opportunities such as ad fraud. This is likely to continue as these types of attacks leverage botnets and polymorphic strains to spread malicious code; however, new technologies such as blockchain will change the nature of these attacks.

Top 10 Malware

1. Shlayer

Shlayer is a downloader and dropper for macOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertising posing as a fake Adobe Flash updater. In July 2021, Shlayer was observed at more than 30% of the traffic of more than 1,000 malicious domains.

2. CoinMiner

CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.
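One way to hunt for the WMI event-subscription persistence described above, as an added example that is not part of the original report: the Python below correlates Sysmon WMI events (IDs 19, 20 and 21) into filter-to-consumer bindings and flags those whose consumer runs script or a command line, or whose consumer creation was never logged. The event records are constructed samples, and the field names assume Sysmon's WMI event schema.

```python
"""Correlate Sysmon WMI events (IDs 19, 20, 21) into permanent subscriptions
and flag bindings whose consumer runs script or a command line.
The records below are constructed samples that reuse Sysmon's data-field
names; they were not captured from a real host."""

SUSPICIOUS_CONSUMER_TYPES = {"Script", "Command Line"}

SAMPLE_EVENTS = [
    # A timer-style filter paired with a JScript consumer: classic persistence.
    {"EventID": 19, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "UpdaterFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "UpdaterConsumer", "Type": "Script",
     "Destination": "ActiveScriptEventConsumer ScriptingEngine=JScript ScriptText=<omitted>"},
    {"EventID": 21, "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'ActiveScriptEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    # An administrator's benign subscription that only writes to the event log.
    {"EventID": 19, "Operation": "Created", "User": "CORP\\admin",
     "Name": "ServiceStopFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE "
              "TargetInstance ISA 'Win32_Service' AND TargetInstance.State='Stopped'"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\admin",
     "Name": "ServiceStopLogger", "Type": "Other",
     "Destination": "NTEventLogEventConsumer"},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\admin",
     "Consumer": 'NTEventLogEventConsumer.Name="ServiceStopLogger"',
     "Filter": '__EventFilter.Name="ServiceStopFilter"'},
]


def _name_from_path(wmi_path):
    """'__EventFilter.Name="X"' -> 'X' (Sysmon logs bindings as WMI object paths)."""
    return wmi_path.split('Name="', 1)[1].rstrip('"')


def find_script_subscriptions(events):
    """One finding per created binding whose consumer executes script or a command
    line, or whose consumer creation was never logged (partial visibility)."""
    filters = {e["Name"]: e for e in events if e["EventID"] == 19 and e["Operation"] == "Created"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == 20 and e["Operation"] == "Created"}
    findings = []
    for e in events:
        if e["EventID"] != 21 or e["Operation"] != "Created":
            continue
        cname, fname = _name_from_path(e["Consumer"]), _name_from_path(e["Filter"])
        consumer = consumers.get(cname)
        ctype = consumer["Type"] if consumer else "unknown"
        if consumer is not None and ctype not in SUSPICIOUS_CONSUMER_TYPES:
            continue  # e.g. NTEventLogEventConsumer: logs an event, runs nothing
        findings.append({"user": e["User"], "filter": fname, "consumer": cname,
                         "consumer_type": ctype,
                         "query": filters.get(fname, {}).get("Query", "unknown"),
                         "destination": consumer["Destination"] if consumer else "unknown"})
    return findings
```

On a live host the same correlation applies to events read from the Microsoft-Windows-Sysmon/Operational channel, and an unknown consumer type is worth a follow-up query of the root\subscription namespace.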

3. Gh0st

Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device. Gh0st includes password stealers and information stealers, and supports keylogging. Gh0st has been known to be distributed by the malware Dridex.

4. Mirai

Mirai is a botnet for launching Distributed Denial of Service (DDoS) attacks against targeted devices or networks. Mirai can be used to conduct DDoS attacks against companies via IoT bots to disrupt the services they provide. Mirai is used in multiple attacks per day. In July 2021, Mirai was one of the most widely reported malware samples via the MS-ISAC Member Alert Program.

5. Jupyter

Jupyter is a Trojan that executes scripts on a server’s system with high privilege. The MS-ISAC has observed a rise in Jupyter activity in its 2016–2018 Quarterly Threat Intelligence Reports and in its 2018 Annual Threat Intelligence Reports.

6. NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence. NanoCore is often packaged with an exploit kit to infect victims’ devices.

7. CryptoWall

CryptoWall is ransomware commonly distributed through malspam with malicious ZIP attachments, Java vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

8. ZeuS

ZeuS is a modular banking trojan that uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

9. Agent Tesla

Agent Tesla is a RAT that exfiltrates credentials, logs keystrokes, and captures screenshots from an infected computer. Agent Tesla was seen in 2016 and is becoming more prevalent again.

10. Ursnif

Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.

A total of 1,260 new malware samples were collected and analyzed by the MS-ISAC in July 2021. Malware activity in July 2021 was slightly higher than in the previous month, due to the increased prevalence of Shlayer and KHRAT variants. Malvertising and pharming via ad-service providers continued to be popular methods of spreading malicious code.

Interested in reading more about malware in 2021? TrickBot – A Malware with Multiple Hats in 2021 discusses TrickBot, a malware family in 2021 that is larger than the average malware out today.

If you would like TSVMap™ to assist your business with assessing your essential systems and applying the TSVMap methodology to ERP Systems, MRP Systems, Cyber Security, IT Structure, Web Applications, Business Operations, and Automation, please contact us at 864-991-5656 or info@tsvmap.com.