5 Examples of Malware that Created Scary Headlines in 2021

5 Examples of Malware that Created Scary Headlines in 2021

1 Star2 Stars3 Stars4 Stars5 Stars (11 votes, average: 5.00 out of 5)

Malware was big news in 2021, as spending more time at home and working remotely due to the pandemic made us more susceptible to malicious software than ever. So, if you’re looking for examples of the spyware, ransomware, botnets, and trojans that shook 2021, you’re in the right place.

As the world continued to struggle through the COVID-19 pandemic in 2021, cybercriminals showed an indifferent attitude towards people’s suffering and executed some of the ugliest cyberattacks ever seen, —a lot of them. Here, we’ve shortlisted five significant examples of malware that disrupted 2021. You’ll find information on their invasion techniques and the damages they caused.

So, let’s get right to it and explore the top five malicious software examples of 2021.

Malware Example 1: Pegasus Spyware

Pegasus, the infamous spyware of Israel-based NSO Group, has been used to provide espionage-as-a-service to its clients. It is mostly used to spy on people working in the spheres of human rights, activism, journalism, politics, and the law. However, in January 2022, it was reported that Israel’s police used the Pegasus spyware against its own citizens as well.

Pegasus uses sophisticated zero-click exploits such as FORCEDENTRY and KISMET to secretly gain access to targeted victims’ devices. Unlike many other types of malware, Pegasus victims don’t need to open the infected message or click on anything to become infected; just receiving the message is enough.

So, what makes Pegasus spyware so bad? This is one of those examples of malware that allows its clients to:

  • Access victims’ devices remotely,
  • Monitor the targets’ actions and behaviors, and
  • Intercept and access their data.

Forbidden Stories reported that more than 50,000 phone numbers were selected for espionage by NSO clients in more than 50 countries since 2016.

Pegasus spyware created controversies in many countries, including Bahrain, France, Saudi Arabia, the United Arab Emirates (UAE), Hungary, Morocco, and Mexico. For example, the Indian government faced accusations of using Pegasus spyware to eavesdrop on political opponents. In November 2021, the U.S. government blacklisted the NSO Group in the interest of national security.

As you can see, Pegasus continues to make headlines every few hours as we near the end of January 2022:

Examples of malware: A screenshot of headlines relating to the Pegasus malware
A screenshot of some of the headlines relating to Pegasus from Google News (captured Jan. 20, 2022).

Malware Example 2: Gafgyt/Bashlite Botnet and Offshoots

In May 2021, Uptycs’s security team published a report stating they had discovered a Botnet named ‘Simps’ being used to execute distributed denial of service (DDoS) attacks using Mirai and Gafgyt modules. Gafgyt, also known as Bashlite botnet, has many variants such as Qbot, Hoaxcalls, Lizkebab, and Torlus.

Bashlite was first discovered in 2014. It targets IoT devices such as DVRs, cameras, and home routers. Bashlite made headlines in 2016 when it corrupted more than one million IoT devices to execute DDoS attacks. In April 2020, Hoaxcalls targeted the security leader Symantec, attempting to exploit Symantec’s legacy Secure Web Gateway, which stopped receiving support updates in 2019. Thankfully, Symantec fixed the vulnerabilities in time and foiled the attempt.

These botnets are still active and pose threats to companies lacking the resources and security know-how of Symantec. To understand how a botnet works, check out this article: Botnet Attacks: What Is a Botnet & How Does It Work?

Malware Example 3: Anubis Trojan

Next on our list of examples of malware is one named after an ancient Egyptian deity… only this type is a bit different from the others we’ve talked about thus far because it’s a trojan. A trojan is a malicious software program that masquerades as a legitimate application. The creator gives the software a misleading name or infects a legitimate program with malware to trick innocent users into downloading and installing it.

In December 2021, Lookout reported that the Anubis trojan, first identified in 2017, has resurfaced. Their report shows that Anubis was being used to target customers of more than 400 financial institutions, including Chase Bank, Wells Fargo, Bank of America, and Capital One. The malware disguises itself as the Orange Telecom app to fool victims into downloading it. Once downloaded, Anubis pushes a popup window instructing the user to disable Google Play Protect to avoid detection.

The main goal of Anubis is to steal banking, virtual payment, and cryptowallet credential data from targeted devices. The trojan is highly dangerous because it has multiple capacities, such as:

  • Intercepting SMS messages
  • Monitoring the devices’ screens
  • Keylogging
  • Exfiltrating files
  • Collecting GPS
  • Abusing the devices’ accessibility services

The fake app was available on the Google Play store from July 2021 and was later removed, but the researchers warned that it would likely reappear soon. There’s no data on what happened to the credentials already stolen by this trojan.

Malware Example 4: PYSA Ransomware

PYSA, also known as Mespinoza, is ransomware that encrypts the targets’ data while delivering additional damage by extracting the users’ critical files and data. The operators behind PYSA then demand extortion money to decrypt the data or threaten to release it publicly if the victim doesn’t pay the ransom.

This type of ransomware targets:

  • Educational institutions
  • Financial institutions
  • Government entities
  • Healthcare organizations

These are the typical steps involved in PYSA attacks:

  1. Steal victims’ credentials through various means. This is done by compromising Remote Desktop Protocol (RDP) or via phishing scams.
  2. Install unauthorized tools onto targets’ devices without their knowledge. This includes programs such as PowerShell Empire2, Koadic3, and Mimikatz4, which allow attackers to enable various processes on users’ devices.
  3. Deactivate antivirus programs on compromised devices. This leaves the devices vulnerable to attacks, surveillance and data theft.
  4. Use tools to gain and control access to data. Attackers can use a program like WinSCP5 to encrypt and extract critical files from the victims’ networks.
  5. Upload stolen data to a server they control. Some examples include MEGA.NZ, cloud storage and file sharing service.
  6. Display a ransom message on the victims’ screens. These messages typically contain information on how to pay the ransom and what happens if the targets don’t pay.

PYSA first appeared in March 2021 and reached its peak in November 2021. PYSA ransomware attacks have grown by 50% for organizations and increased a staggering 400% in the government sector.

RegionPYSA Ransomware Attacks in November 2021
Examples of malware: This table breaks down the number of PYSA-related ransomware attacks that occurred in November 2021.

According to the NCC Group, the operators behind PYSA ransomware will continue their operations in 2022 also and will likely exploit the Log4Shell vulnerability, too.

The FBI has urged victims not to pay the ransom and register the complaints to the Internet Crime Complaint Center (IC3).

Malware Example 5: TrickBot Trojan + Botnet

Last on our list of examples of malware is another unique variety. TrickBot malware first appeared in 2016, and was taken down in 2020. But it reappeared in 2021 and is still active in 2022. By December 2021, this malware had infected about 140,000 victims across 149 countries. But what is TrickBot and why is it such a problem?

TrickBot is a unique combination of ransomware, trojan, and botnet. It targets victims via phishing emails with attachments disguised as:

  • Invoices
  • Traffic violation notifications
  • Greetings cards
  • Information regarding the COVID-19 pandemic

Once users download the malicious macro-laden documents, they are encouraged to enable macros, which executes JavaScript code and downloads the TrickBot binary from an external server. Then, the TrickBot can:

  • Deliver other dangerous malware like Emotet, Ryke, and Conti ransomware
  • Use victims’ devices for cryptomining, ransomware and botnet attacks
  • Bypass Windows User Account Control (UAC), change device settings and download malicious plugins
  • Redirect victims to fake banking sites to trick them into inputting their login credentials
  • Steal credentials through form-grabbers
  • Deploy credential stuffing attacks

TrickBot is difficult to detect because it disables antivirus protection like Windows Defender. It also encrypts its communication with the C&C server, hides DNS traffic, and erases all evidence from the victim’s network to prevent discovery.

In Checkpoint’s Global Threat Index for February 2021, TrickBot was recognized as the number one most dangerous malware active at the time.

Final Thoughts on These 2021 Examples of Malware

As you might have noticed in all our examples of malware, attackers either use social engineering tricks or exploit unpatched vulnerabilities to deploy their attacks. If you’re a business owner, it’s crucial to invest in vulnerability management and cybersecurity training for all your employees. As individuals, we can make sure we know how to detect and mitigate phishing attacks and social engineering scams. Many, if not all, malware attacks can be avoided if we know what to look for and stay vigilant while surfing online.

About the author

Medha is a regular contributor to InfoSec Insights. She's a tech enthusiast and writes about technology, website security, cryptography, cyber security, and data protection.