Quarterly Threat Bulletin: Q4 of 2021

Written by Uptycs Threat Research | Feb 25, 2022 9:33:25 PM

The Uptycs threat research team regularly monitors the TTPs (tactics, techniques and procedures) of the latest malware using our threat intelligence sources and systems. Organisations can use this bulletin as a tool to evaluate and build a more robust detection and protection posture against the latest threats on the Windows, Linux and macOS platforms.


The threat bulletin covers several aspects, such as:

  1. Techniques used by the malware samples in our threat intel sources
  2. Commonly abused commands and utilities in Windows, Linux and macOS platforms
  3. Top prevalent malware families in the wild for Windows, Linux and macOS platforms
  4. Uptycs Threat Research articles published by the threat research team
  5. Threat actors observed for the quarter
  6. Malware/targeted attacks for the quarter
  7. Vulnerabilities/exploits in Windows, Linux and macOS platforms
  8. General recommendations based on our observations


The key highlights of our recently published Q3 threat bulletin are:

  1. In this quarter, we have observed the following prevalent malware:
    1. Formbook and IcedID were the prevalent malware on Windows platforms in Q4, taking that spot from Loki and Warzone RAT in Q3
    2. Tsunami and Mirai were seen in large numbers in Q4, mainly due to Log4j post-exploitation attempts
    3. Shlayer continues to be evergreen on macOS.
  2. Regsvr32.exe and Rundll32.exe are the most abused utilities on the Windows platform, and crontab has been observed as the most abused on the Linux platform
  3. Apache Log4j was plagued with a series of vulnerabilities (CVE-2021-45105, CVE-2021-45046, CVE-2021-44832, CVE-2021-44228) during the month of December 2021. These vulnerabilities were leveraged by threat actors to deploy different malicious payloads on vulnerable machines
  4. Threat actor activity of MuddyWater, BlackByte, MosesStaff and Lazarus has been reported.
  5. We identified attackers deploying malicious container images on Docker Hub for performing coin mining operations.
  6. We came across reports on the return of the infamous Emotet malware.


An excerpt of the commonly abused commands and utilities on the Windows, Linux and macOS platforms (during October - December 2021) is shown below.


For a more detailed report of our key highlights of the Q4 Threat Bulletin, click below to download the report.