Whats & Hows of Malware
Malware is malicious software that allows unauthorized access to a network or end device for the purpose of theft, sabotage or espionage. There are many types of malware, and many attacks combine several types to achieve their goals. Typically, the attacker introduces malware to the network via a phishing link, a malicious attachment, or a malicious download, but it can also arrive through social engineering or flash drives. In this text, we describe the most popular types of malware, along with examples.
Fileless Malware
Fileless malware doesn’t install anything initially. Instead, it makes use of components native to the operating system, such as PowerShell or WMI. Since the operating system recognizes these components as legitimate, antivirus software does not intercept a fileless attack, and because the attacks are hidden, they are up to ten times more effective than traditional malware attacks.
EXAMPLE: Astaroth is a fileless malware campaign that spammed users with links to a file with the .LNK extension. When users downloaded the file, the WMIC utility was launched along with many other legitimate Windows utilities. These tools downloaded additional code that was executed only in memory, leaving no traces that could be detected by vulnerability scanners. The attacker then downloaded and launched a Trojan that stole credentials and sent them to a remote server.
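As an added illustration (not part of the original article or of any Astaroth analysis), the following Python snippet shows the kind of behavioral check a defender can run over process-creation telemetry to spot the pattern described above: a native Windows utility such as wmic.exe or powershell.exe launched with a remote URL or an encoded command, inside a process chain that began with a .lnk file. The events, pids, paths and URL are constructed sample data.

```python
import re

# Constructed process-creation events (pid, parent pid, image, command line) in the
# shape a Sysmon Event ID 1 feed would give; sample data, not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": r"C:\Windows\explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe",        "cmd": r"cmd.exe /c C:\Users\bob\Downloads\invoice.lnk"},
    {"pid": 102, "ppid": 101, "image": "wmic.exe",       "cmd": r"wmic os get /format:http://example.invalid/stage.xsl"},
    {"pid": 103, "ppid": 1,   "image": "wmic.exe",       "cmd": r"wmic os get caption"},
    {"pid": 104, "ppid": 100, "image": "powershell.exe", "cmd": r"powershell.exe -enc SQBFAFgAIAAo"},
]

# Native binaries that fileless campaigns borrow ("living off the land").
LOLBINS = {"wmic.exe", "powershell.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://", re.I)
ENCODED_RE = re.compile(r"\s-e(c|nc|ncodedcommand)?\s", re.I)


def ancestors(event, by_pid):
    """Yield the parent chain of an event, stopping when the parent pid is unknown."""
    parent = by_pid.get(event["ppid"])
    while parent is not None:
        yield parent
        parent = by_pid.get(parent["ppid"])


def detect(events):
    """Return {pid: [reasons]} for LOLBin launches that look like fileless staging."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if e["image"].lower() not in LOLBINS:
            continue
        reasons = []
        if URL_RE.search(e["cmd"]):
            reasons.append("remote URL in command line")
        if ENCODED_RE.search(e["cmd"]):
            reasons.append("encoded command")
        if any(".lnk" in a["cmd"].lower() for a in ancestors(e, by_pid)):
            reasons.append("launched from a .lnk shortcut chain")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only pids 102 and 104 are reported; the plain `wmic os get caption` run (pid 103) passes, which is the point of keying on behavior rather than on the binary name alone.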
Ransomware
Ransomware is software that uses encryption to prevent a user from accessing their data until a ransom is paid. The victim’s organization is partially or completely unable to operate until it pays, but there is no guarantee that paying will produce the necessary decryption key or that the provided key will work properly.
EXAMPLE: WannaCry, an encrypting ransomware worm, was first released on May 12, 2017. The ransom demand ranged from $300 to $600, payable in Bitcoin. WannaCry is also known as WannaCrypt, WCry, Wana Decrypt0r 2.0, WannaCrypt0r 2.0, and Wanna Decryptor. It targets computers running outdated versions of Microsoft Windows, using the EternalBlue exploit against a vulnerability in the Server Message Block (SMB) protocol, which allowed the ransomware to spread without any involvement from the victim. A group known as The Shadow Brokers stole the EternalBlue exploit from the United States National Security Agency (NSA) months before the attack; the NSA had discovered the vulnerability but had not disclosed it. The NSA has since been criticized for not disclosing the flaw to Microsoft or to the public through a CVE, which could have allowed it to be patched before WannaCry. Despite quick patching and the discovery of the kill switch domain, WannaCry spread to approximately 200,000 computers in 150 countries, causing damage estimated in the hundreds of millions to billions of dollars. Much of WannaCry’s success was due to poor patching practices.
Spyware
Spyware collects information about users’ activities without their knowledge or consent. This can include passwords, PINs, payment information, and unstructured messages. Spyware is not limited to the browser on your computer; it can also run inside a critical application or on your mobile phone.
EXAMPLE: DarkHotel, spyware that targeted business leaders and government officials while they used hotel Wi-Fi, employed several types of malware to access systems owned by certain powerful people. Once in, the attackers installed keyloggers to intercept their targets’ passwords and other sensitive information.
Adware
Adware tracks the user’s online activity to determine which ads are shown to them. Although adware is similar to spyware, it does not install any software on your computer or capture your keystrokes. The threat of adware is the erosion of your privacy: data intercepted by adware is combined with data captured explicitly or covertly about your activity elsewhere on the Internet and used to build a profile of you, including information about your friends, what you bought, where you traveled, and more. This information may be shared or sold to advertisers without your consent.
EXAMPLE: An adware called Fireball infected 250 million computers and devices in 2017, hijacking browsers to alter default search engines and track web activity. However, the malware could become more than a mere nuisance: three-quarters of the infections were capable of remotely running code and downloading malicious files.
Trojan
A Trojan impersonates desirable code or software. Once downloaded by unsuspecting users, it can hijack the victim’s system for malicious purposes. Trojans can hide in games, applications, and even software patches, or they can be embedded in attachments to phishing emails.
EXAMPLE: Emotet is a sophisticated banking Trojan that has been around since 2014. Emotet is difficult to fight because it evades signature-based detection, is persistent, and contains modules that help it spread. The Trojan is so widespread that it has been the subject of an alert from the US Department of Homeland Security.
Worms
Worms exploit vulnerabilities in operating systems to install themselves on networks and spread. They can gain access in several ways: through backdoors built into software, unintentional software flaws, or flash drives. Once deployed, worms can be used by malicious actors to launch DDoS attacks, steal sensitive data, or launch ransomware attacks.
EXAMPLE: Stuxnet was likely developed by US and Israeli intelligence services with the intention of stopping Iran’s nuclear program. It was introduced into the Iranian environment via flash memory. Since the environment was isolated, the developers never thought Stuxnet would escape the target’s network, but it did. Although Stuxnet spread aggressively in the wild, it did little damage, because its only function was to interfere with the industrial controllers it targeted.
Computer Virus
A virus is a piece of code that inserts itself into an application and executes when that application starts. Once in the network, the virus can be used to steal sensitive data, launch DDoS attacks, or launch ransomware attacks.
Good to know: Viruses and Trojans
A virus cannot launch or reproduce unless the application it has infected is running. This dependency on the host application distinguishes viruses from Trojans, which require users to download them, and from worms, which “execute” themselves. Many pieces of malware fall into multiple categories: Stuxnet, for example, is a worm, a virus, and a rootkit.
Rootkit
A rootkit is software that gives malicious actors remote control of the victim’s computer with full administrator rights. Rootkits can be placed in applications, system kernels, hypervisors or middleware. They spread through credentials obtained by phishing, malicious attachments, malicious downloads, and infected shared drives. Rootkits can also be used to hide other malicious programs such as keyloggers.
EXAMPLE: Zacinlo infects systems when users download a fake VPN application. Once installed, Zacinlo performs a security check for competing malware and tries to remove it. It then opens invisible browsers and interacts with content the way a human would, by scrolling, highlighting and clicking; this activity is designed to deceive behavioral analysis software. The Zacinlo payload shows up when the malware clicks on ads in the invisible browsers. This ad click fraud earns the malicious parties a cut of the advertising commission.
Keylogger
A keylogger is a type of spyware that monitors user activity. Keyloggers are also used for legal purposes: companies can use them to monitor employee activity, and families can use them to track children’s online behavior. When installed for malicious purposes, however, keyloggers can be used to steal passwords, banking information, and other sensitive data. Keyloggers can be introduced into a system via phishing, social engineering, or a download from a website.
EXAMPLE: Olympic Vision was used to target US, Middle Eastern and Asian businessmen in business email compromise (BEC) attacks. Olympic Vision uses spear-phishing and social engineering techniques to infect target systems, steal sensitive data and spy on business transactions.
Bots/botnet
A bot is an application or device that performs automated tasks on the command of a controller. Bots are used for legitimate purposes such as search engine indexing, but when used for malicious purposes they take the form of self-propagating malware that connects back to a central server. Typically, bots are deployed in large numbers to create a botnet, a network of bots used to carry out wide-ranging, remotely controlled waves of attacks such as DDoS attacks. Botnets can become quite expansive; for example, the Mirai IoT botnet spanned 800,000 to 2.5 million computers.
EXAMPLE: Echobot is a variant of the well-known Mirai. Echobot targets a wide range of IoT devices by exploiting over 50 different vulnerabilities, and also includes exploits for Oracle WebLogic Server and VMware SD-WAN networking software. Additionally, the malware looks for unpatched legacy systems. Echobot can be used by malicious actors to launch DDoS attacks, disrupt supply chains, steal sensitive information from the supply chain, and carry out corporate sabotage.
Mobile Malware
Mobile malware threats are as varied as those targeting desktops, and include Trojans, ransomware, ad click fraud, and more. They are distributed via phishing and malicious downloads, which are a particular problem for jailbroken phones, since these typically lack the default security features of the device’s original operating system. It is worth adding that this is the fastest-growing group of malware.
EXAMPLE: Triada is a rooting Trojan that was injected into the supply chain when millions of Android devices were shipped with pre-installed malware. Triada accesses sensitive areas in the operating system and installs spamming applications. Spamming applications display advertisements, sometimes replacing legitimate advertisements. When a user clicks on one of the unauthorized ads, the revenue from that click goes to Triada’s developers.
The best approach to protecting against malware is a unified set of methods: machine learning, exploit blocking, whitelists and blacklists, Indicators of Compromise (IoC), and the recently introduced Indicators of Behavior (IoB) should all be part of any organization’s anti-malware strategy.
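To make the IoC-versus-IoB distinction concrete, and to tie it back to the ransomware behavior described earlier, here is an added Python example (not from the original article) that triages constructed telemetry two ways: a hash lookup against a known-bad list (IoC), and a behavioral rule that flags a process renaming many files to one new extension within a short window (IoB). All hashes, process names, paths and thresholds are invented sample values.

```python
import os
from collections import defaultdict

# Constructed indicators and telemetry (invented sample values, not real IoCs or logs).
KNOWN_BAD_SHA256 = {"1111aaaa" * 8}            # IoC list: hash of a sample seen elsewhere

# Process metadata: pid -> (image name, SHA-256 of the binary)
PROCESSES = {
    501: ("updater.exe", "1111aaaa" * 8),      # hash is on the IoC list
    502: ("svchost32.exe", "2222bbbb" * 8),    # never-seen hash; only behavior can catch it
    503: ("backup.exe", "3333cccc" * 8),       # benign bulk writer, must not be flagged
}

# File events: (timestamp in seconds, pid, operation, old path, new path)
FILE_EVENTS = (
    [(10 + i, 502, "rename", rf"C:\Users\bob\Documents\doc{i}.docx",
      rf"C:\Users\bob\Documents\doc{i}.docx.locked") for i in range(12)]
    + [(10 + i, 503, "write", rf"D:\Backup\file{i}.bin", rf"D:\Backup\file{i}.bin") for i in range(12)]
)

MASS_RENAME_THRESHOLD = 10   # this many files given the same new extension ...
WINDOW_SECONDS = 30          # ... within this many seconds looks like bulk encryption

def ioc_matches(processes, bad_hashes):
    """IoC check: which pids run a binary whose hash is already known bad."""
    return {pid for pid, (_, sha) in processes.items() if sha in bad_hashes}

def iob_matches(file_events):
    """IoB check: pids that rename many files to one new extension inside the window."""
    renames = defaultdict(list)
    for ts, pid, op, old, new in file_events:
        old_ext, new_ext = os.path.splitext(old)[1].lower(), os.path.splitext(new)[1].lower()
        if op == "rename" and new_ext and new_ext != old_ext:
            renames[pid].append((ts, new_ext))
    flagged = {}
    for pid, items in renames.items():
        items.sort()
        for i, (start, ext) in enumerate(items):
            hits = sum(1 for ts, e in items[i:] if ts - start <= WINDOW_SECONDS and e == ext)
            if hits >= MASS_RENAME_THRESHOLD:
                flagged[pid] = ext
                break
    return flagged

def triage(processes, bad_hashes, file_events):
    """Combine both signals; the IoC verdict is kept when both fire for one pid."""
    verdicts = {pid: "IoC: known-bad hash" for pid in ioc_matches(processes, bad_hashes)}
    for pid, ext in iob_matches(file_events).items():
        verdicts.setdefault(pid, f"IoB: mass rename to {ext}")
    return verdicts
```

Pid 501 is caught only because its hash was already known, while pid 502 has a hash nobody has seen and is caught only by the behavioral rule; the benign backup process writes just as many files but keeps their extensions and stays clean.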
Anyone can be affected by malware, so make sure you are protected from possible infection.