Attack Graph Response to US-CERT Alert (AA22-216A): Testing Security Controls against 2021’s Top Malware Strains

AttackIQ’s Adversary Research Team has released two new assessments to test endpoint and network controls’ ability to prevent widely utilized malware families. Read More

On 2022 August 4, the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) jointly released a Cybersecurity Advisory (CSA) detailing the top malware strains observed throughout 2021. The advisory highlighted 11 malware families that have been prolifically leveraged by multiple cybercrime groups focused on theft of personal and financial information. Many of these malware families have been used in attacks for years and in the case of Qakbot and Ursnif for over a decade.

AttackIQ has released two new assessments to help customers validate their security controls and their ability to defend against these malware families.

The first is a new assessment for our Network Control Validation (NCV) module that emulates the network traffic of the malware families identified in the US-CERT alert. The scenarios in this assessment replay traffic using the  packet capture (PCAP) of malware activity between an infected host and a command-and-control server. The platform then evaluates the in-line network security controls to determine if the traffic was detected or prevented.

The second assessment is for testing the delivery of known malware samples. Each malware file is downloaded from an AttackIQ controlled server to the host’s memory to first test network controls that inspect incoming file downloads. Finally, the endpoint controls are tested by saving the file from memory to disk to validate if EDR or Antivirus solutions are able to prevent the file from being written.

Agent Tesla is a remote access trojan active since 2014 that focuses on credential theft from mail clients and web browsers. NCV scenarios cover the command-and-control traffic from samples used in attacks in 2021 and 2022 that leverage multiple application protocols including FTP, SMTP, and HTTP.

  • PCAP Replay – 2022-07 Agent Tesla Command and Control over HTTP
  • PCAP Replay – 2022-03 Agent Tesla Payload and Command and Control over SMTP
  • PCAP Replay – 2021-05 Agent Tesla Command and Control over FTP

AZORult is another trojan sold in underground forums and is used to steal browser data, user credentials, and files related to cryptocurrency. The malware has been active since 2016 and is continuing to receive updates. The scenarios released in the NCV assessment emulate not just the command-and-control traffic but the use of Pastebin to host multiple payload stages along with two full compromise chains from real work infections.

  • PCAP Replay – 2022-05 AZORult HTTP Command and Control Traffic
  • PCAP Replay – 2020-03 AZORult Multiple Stage Downloads from Pastebin
  • PCAP Replay – 2020-03 AZORult HTTP Command and Control Traffic
  • PCAP Replay – MALSPAM with password protected malicious word document pushes AZORult / Neutrino
  • PCAP Replay – RIG Exploit Kit Post-Infection (AZORult)

FormBook was first advertised in hacking forums in 2016 and is an information stealer with key logging capabilities and the ability to capture browser and email client passwords. Samples from 2017, 2018, and 2022 were used to generate command-and-control traffic for the NCV assessment.

  • PCAP Replay – 2022-08 FormBook HTTP Command and Control Traffic
  • PCAP Replay – 2018-02 FormBook HTTP Command and Control Traffic
  • PCAP Replay – 2017-10 FormBook HTTP Command and Control Traffic

Ursnif has been around since 2007 and is banking trojan focused on the theft of financial information. Commonly delivered through phishing emails, the malware family continues to evolve and persist with functionality being added to avoid detection. The NCV assessment utilizes samples from 2020 and 2022 to replay different variations of command-and-control traffic along with the full chain of infection events from a spearphishing message delivering a malicious Excel document.

  • PCAP Replay – 2022-04 Ursnif HTTP Command and Control Traffic
  • PCAP Replay – 2020-01 Ursnif HTTP Command and Control Traffic
  • PCAP Replay – Malicious XLS document that pushes Ursnif Trojan

LokiBot is another credential stealing trojan targeting user credentials, cryptocurrency wallets, and other login accounts. The malware has been active since 2015 and is commonly delivered via phishing attachments. The command-and-control traffic has evolved over time and samples from 2018, 2020, and 2022 were used to generate NCV scenarios.

  • PCAP Replay – 2022-06 LokiBot HTTP Command and Control Traffic
  • PCAP Replay – 2020-02 LokiBot HTTP Command and Control Traffic
  • PCAP Replay – 2018-10 LokiBot HTTP Command and Control Traffic

MOUSEISLAND is a Microsoft Office macro used to download other payloads. It has been potentially observed as the initial attack vector for Ransomware attacks and has been active since 2019. The NCV scenario covers the attempt to download a second stage from a MOUSEISLAND macro from 2021.

  • PCAP Replay – 2021-02 MOUSEISLAND Office Macro Downloader HTTP Request

NanoCore is a fully functional remote access trojan that has been operating since 2013. The malware supports additional plugins to increase functionality like webcam spying or email theft. The network assessment tests both an older HTTP-based variant used in 2015 and a newer sample from 2022 that uses a custom TCP protocol for command-and-control.

  • PCAP Replay – 2022-03 NanoCore RAT Custom TCP Command and Control Traffic
  • PCAP Replay – 2015-04 NanoCore Rat HTTP Command and Control Traffic

Qakbot is operated by Eurasian cyber criminals and is primarily used to form botnets. Their infected hosts are initial entry vectors for ransomware attacks. First identified in 2007 the modular malware is also known as QBot or Pinkslipbot. The NCV scenarios cover a wide variety of malware’s capabilities including the downloading of additional payloads, conducting network connectivity checks, and exfiltrating data over FTP.

  • PCAP Replay – 2021-01 Qakbot Payload Download and HTTP Profiling POST Request
  • PCAP Replay – 2020-05 Qakbot JavaScript Downloader Web Request
  • PCAP Replay – 2019-01 Qakbot HTTP Stage Downloader
  • PCAP Replay – 2017-05 Qakbot Speed Test Network Connectivity Check
  • PCAP Replay – 2017 Qakbot HTTP Command and Control Requests
  • PCAP Replay – 2016-05 Qakbot HTTP Command and Control Request
  • PCAP Replay – 2011-01 Qakbot HTTP Command and Control Request
  • PCAP Replay – 2011-01 Qakbot FTP File Exfiltration

Remcos is advertised as a legitimate remote management and pen testing tool but is commonly used by cyber criminals as a backdoor. The software has been for sale since 2016 and actors typically deliver payloads over email. The malware typically uses non-standard ports.

  • PCAP Replay – 2019-07 Remcos Initial C2 Beacon over Non-Standard Port

Trickbot is famously known for enabling initial access for Conti ransomware or the Ryuk banking trojan. The malware is evolved significantly over time and continues to be active even after Conti shutdown. NCV scenarios are available that replay traffic using the actor’s self-signed SSL certificates and their HTTP-based command-and-control traffic.

  • PCAP Replay – TrickBot DNS and URI Lookups from US-CERT AA22-216A
  • PCAP Replay – 2020-10 Trickbot Self-Signed SSL Certificate “Global Security”
  • PCAP Replay – 2019-07 Trickbot SSL Certificate Internet Widgets Pty Ltd
  • PCAP Replay – 2018-08 Trickbot Stage Downloader (table.png)

GootLoader was historically used to deliver the GootKit malware family but has transitioned to a multi-payload malware delivery platform. This was the newest of the malware families identified by the US-CERT having only been around since 2020. The NCV scenario replays a stage 2 download request from a GootLoader infection in 2022.

  • PCAP Replay – 2022-05 GootLoader Stage 2 Download Request

Detection Opportunities:

The network traffic replayed in this assessment can be used to test the Suricata rules published by the US-CERT that were included in their advisory. Many of the signatures in the advisory are for older variants of the malware families so we’ve included additional scenarios for more recent versions. The traffic from those additional samples can be identified by using publicly available network signatures like Proofpoint’s Emerging Threats ruleset.


The malware called out by the US-CERT is widely known and tracked by security vendors and threat researchers, but the actors continue to evolve and stay successful. These two new assessments will help customers validate their security controls against these prolific malware families and the actors conducting the attacks. Even though the signatures provided by the US-CERT are old, they continue to detect newly created samples of the older malware variants. These malware families are not the exclusive work of a single actor, but many different actors with varying levels of capabilities and access to newer versions of the tools.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.