
Malware Classification


Ransomware

• Ransomware is a type of malware that encrypts a victim’s data until a
payment is made to the attacker. If the payment is made, the victim
receives a decryption key to restore access to their files. If the ransom
payment is not made, the threat actor publishes the data on data leak
sites (DLS) or blocks access to the files in perpetuity.
• Ransomware remains one of the most profitable tactics for cybercriminals.
According to CrowdStrike’s annual Global Security Attitude Survey, the
average ransom payment is $1.79 million.
How a Ransomware Attack Works

• Step 1. Infection: Ransomware operators often use phishing emails
and social engineering techniques to infect their victim’s computer. In
most cases, the victim ends up clicking a malicious link in the email,
introducing the ransomware variant onto their device.
• Step 2. Encryption: After a device or system has been infected,
ransomware then searches for and encrypts valuable files. Depending
on the variant, the malicious software may find opportunities to spread
to other devices and systems across the organization.
• Step 3. Ransom Demand: Once the data has been encrypted, a
decryption key is required to unlock the files. In order to get the
decryption key, the victim must follow the instructions left on a ransom
note that outline how to pay the attacker – usually in Bitcoin.
Types of Ransomware

• Encrypting Ransomware: In this instance the ransomware systematically encrypts files on
the system’s hard drive, which become difficult to decrypt without paying the ransom for
the decryption key. Payment is demanded in Bitcoin, MoneyPak, PaySafeCard, Ukash or
a prepaid (debit) card.
• Screen Lockers: Lockers completely lock you out of your computer or system, so your files
and applications are inaccessible. A lock screen displays the ransom demand, possibly
with a countdown clock to increase urgency and drive victims to act.
• Scareware: Scareware is a tactic that uses popups to convince victims they have a virus
and directs them to download fake software to fix the issue.
• Examples:
• CryptoLocker: CryptoLocker ransomware was revolutionary in both the number of systems
it impacted and its use of strong cryptographic algorithms. The group primarily leveraged
their botnet for banking-related fraud.
• WannaCry: WannaCry has targeted healthcare organizations and utility companies using a
Microsoft Windows exploit called EternalBlue, which abused the Windows file-sharing
service and thus opened a door for the ransomware to spread from machine to machine.
Fileless Malware

• Fileless malware is a type of malicious activity that uses native, legitimate tools
built into a system to execute a cyber attack. Unlike traditional malware, fileless
malware does not require an attacker to install any code on a target’s system,
making it hard to detect.
• This fileless technique of using native tools to conduct a malicious attack
is sometimes referred to as living off the land, or LOLBins (living-off-the-land binaries).
Common Fileless Malware Techniques

• While attackers don’t have to install code to launch a fileless malware attack,
they still need to get access to the environment so they can modify its native
tools to serve their purposes. Access and attacks can be accomplished in
several ways, such as through the use of:
• Exploit kits
• Hijacked native tools
• Registry resident malware
• Memory-only malware
• Fileless ransomware
• Stolen credentials
Exploit kits

• Exploits are pieces of code, sequences of commands, or collections of data,
and exploit kits are collections of exploits. Adversaries use these tools to take
advantage of vulnerabilities that are known to exist in an operating system or
an installed application.
• Exploits are an efficient way to launch a fileless malware attack because they
can be injected directly into memory without requiring anything to be written
to disk. Adversaries can use them to automate initial compromises at scale.
• An exploit begins in the same way, regardless of whether the attack is fileless
or uses traditional malware. Typically, a victim is lured through a 
phishing email or social engineering. The exploit kit usually includes exploits
for a number of vulnerabilities and a management console that the attacker
can use to control the system. In some cases, the exploit kit will include the
ability to scan the targeted system for vulnerabilities and then craft and
launch a customized exploit on the fly.
Registry resident malware

• Registry resident malware is malware that installs itself in the Windows
registry in order to remain persistent while evading detection. Commonly,
Windows systems are infected through the use of a dropper program that
downloads a malicious file. This malicious file remains active on the targeted
system, which makes it vulnerable to detection by antivirus software. Fileless
malware may also use a dropper program, but it doesn’t download a
malicious file. Instead, the dropper program itself writes malicious code
straight into the Windows registry.
• The malicious code can be programmed to launch every time the OS is
launched, and there is no malicious file that could be discovered – the
malicious code is hidden in native files not subject to AV detection.
• The oldest variant of this type of attack is Poweliks, but many have emerged
since then, including Kovter and GootKit. Malware that modifies registry keys
is highly likely to remain in place undetected for extended periods of time.
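The persistence pattern described above (code held in a Run key rather than in a file on disk) can be triaged from the defender's side by inspecting what each autorun value actually launches. The script below is an added example written for this page, not part of the deck or of any product: it runs simple heuristics over a constructed set of Run/RunOnce entries (sample data built for this example, not real indicators) and flags values that start a script host, embed a script protocol handler, or pass an encoded PowerShell command, decoding the latter so an analyst can read it.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample autorun entries as (registry key, value name, command),
# the shape an export of the Run/RunOnce keys has. None is a real indicator;
# the "malicious" commands are inert placeholders built for this example.
ENCODED = base64.b64encode("Write-Host sample".encode("utf-16le")).decode("ascii")
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater",
     r'rundll32.exe javascript:"\..\example.dll,Run"'),   # placeholder, not a real payload
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "svc",
     f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "helper",
     r'mshta.exe "about:<script>close()</script>"'),
]

# Script hosts and interpreters that can run code held entirely in the
# registry value, with no separate malicious file on disk.
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe")
INLINE_SCRIPT = re.compile(r"\b(?:javascript|vbscript|about):", re.IGNORECASE)
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)
    decoded: str = ""


def decode_powershell(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or '' if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def assess(key: str, name: str, command: str) -> Optional[Finding]:
    """Return a Finding when the autorun command matches a fileless pattern."""
    tokens = command.lower().split()
    # First token is the launched program; keep only its file name.
    head = tokens[0].strip('"').rsplit("\\", 1)[-1] if tokens else ""
    finding = Finding(key, name, command)
    if any(host in head for host in SCRIPT_HOSTS):
        finding.reasons.append(f"script host launched at logon: {head}")
    if INLINE_SCRIPT.search(command):
        finding.reasons.append("inline script protocol handler in command line")
    match = ENCODED_FLAG.search(command)
    if match:
        finding.decoded = decode_powershell(match.group(1))
        finding.reasons.append("encoded command, decodes to: " + finding.decoded[:60])
    return finding if finding.reasons else None


def triage(entries=SAMPLE_AUTORUNS) -> List[Finding]:
    """Run assess() over every entry and keep only the suspicious ones."""
    return [f for f in (assess(*entry) for entry in entries) if f is not None]


if __name__ == "__main__":
    for f in triage():
        print(f"{f.key}\\{f.name}: {'; '.join(f.reasons)}")
```

On a live Windows host the same tuples can be collected with Get-ItemProperty on the Run and RunOnce keys under HKLM and HKCU, or exported from Sysinternals Autoruns, and passed to triage() in place of the constructed sample. SCRIPT_HOSTS and ENCODED_FLAG are starting points to tune for the environment, not a complete rule set; the value of the check is that it looks at what the registry value executes rather than at whether a malicious file exists.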
Memory-only malware

• Memory-only malware resides only in memory. An example of memory-only malware is the
Duqu worm, which can remain undetected because it resides exclusively in memory. Duqu
2.0 comes in two versions; the first is a backdoor that allows the adversary to gain a foothold
in an organization. The adversary can then use the advanced version of Duqu 2.0, which
offers additional features such as reconnaissance, lateral movement and data exfiltration.
Duqu 2.0 has been used to successfully breach companies in the telecom industry and at
least one well-known security software provider.
Fileless ransomware

• Adversaries do not limit themselves to one type of attack. They use any
technology that will help them deliver their payload. Today, ransomware
attackers are using fileless techniques to embed malicious code in documents
through the use of native scripting languages such as macros or to write the
malicious code directly into memory through the use of an exploit. The
ransomware then hijacks native tools like PowerShell to encrypt hostage files
without ever having written a single line to disk.
Stolen credentials

• Attackers may commence a fileless attack through the use of stolen credentials so
they can access their target under the guise of a legitimate user. Once inside, the
attacker can use native tools such as Windows Management Instrumentation
(WMI) or PowerShell to conduct their attack. They can establish persistence by
hiding code in the registry or the kernel, or by creating user accounts that grant
them access to any system they choose.
Spyware Definition

• Spyware is a type of malware that covertly infects a computer or mobile device and collects
sensitive information like passwords, personal identification numbers (PINs), and payment
information. The information is then sent to advertisers, data collection firms, or malicious
third parties for a profit.
• Spyware is one of the most common threats on the internet. It was more commonly
installed in Windows desktop browsers, but has evolved to operate on Apple computers
and mobile phones as well. Mobile spyware attacks have become much more common and
advanced as people rely on their phones to conduct banking activities and access other
sensitive information. However, not all software that tracks online activity is malicious. For
example, some website tracking cookies serve a legitimate function by customizing a
user’s website experience, such as remembering login information.
• Anyone can be a target of spyware. Authors of spyware do not typically target a specific
person the way a spear phishing attack would. Spyware authors prioritize the information they
can gather rather than who it is from, so spyware attacks try to collect as many victims as
possible. Since spyware typically runs in the background of the operating system, it is
difficult to detect and even harder to mitigate without advanced security tools and
solutions.
Types of Spyware

• There are several types of spyware. While all spyware programs share the common goal of
stealing personal information, each uses unique tactics to do so.
• 1. Adware
• Adware tracks a user’s web surfing history and activity to optimize advertising efforts. Although
adware is technically a form of spyware, it does not install software on a user’s computer or
capture keystrokes. Thus, the danger in adware is the erosion of a user’s privacy since the data
captured by adware is accumulated with data captured about the user’s activity elsewhere on
the internet. This information is then used to create a profile that can be shared or sold to
advertisers without the user’s consent.
• 2. Trojan
• A trojan is a digital attack that disguises itself as desirable code or software. Trojans may hide in
games, apps or even software patches. They may also be embedded in attachments in phishing
emails. Once downloaded by users, trojans can take control of victims’ systems for malicious
purposes such as deleting files, encrypting files or sharing sensitive information with other
parties.
• 3. Keylogger
• A keylogger is a type of spyware that monitors user activity. When installed, keyloggers can
steal passwords, user IDs, banking details and other sensitive information. Keyloggers can be
inserted into a system through phishing, social engineering or malicious downloads.
• 4. System Monitor
• A system monitor captures virtually everything the user does on the infected
computer or device. System monitors can be programmed to record all keystrokes,
the user’s browser activity and history, as well as any form of communication, such
as emails, webchats or social media activity.
• 5. RedShell
• RedShell is a type of spyware that installs itself on a device whenever specific PC
games are downloaded to track online activity. Developers use this information as
feedback to better understand their users, and improve their games and marketing
campaigns.
• 6. Rootkits
• Rootkits allow attackers to easily infiltrate a system, as they are almost always
undetectable. To infiltrate a system, they either exploit security vulnerabilities or
log in as an administrator.
• 7. Tracking Cookies
• Websites, both legitimate and illegitimate, drop cookies into your device to track
users’ online activity.
Spyware Infects Devices

• Spyware is commonly installed onto a device by the user unknowingly downloading it
themselves. It is often hidden within seemingly legitimate websites or software
through vulnerability exploits.
• Some of the most common ways spyware infects devices:
• Phishing and spoofing
• Spyware hidden within software bundles
• Trojans
• Downloading software from an unreliable source
• Downloading malicious mobile apps
• Opening email attachments or clicking links from unknown senders
• Pirating media such as movies, music, or games
• Agreeing to the terms and conditions of a program before carefully reading them
• Accepting cookie consent requests from untrusted websites
• Security vulnerabilities within a website or program
What is adware?

• Adware — or advertising supported software — is an automated, unwanted software designed to
bombard users with advertisements, banners and pop-ups.
• Problems with adware mostly happen within computers, but it’s not uncommon for adware programs to
make their way onto mobile devices.
• How does adware get onto your device?
• Adware typically infects devices via downloadable content – like any shareware or freeware – that opens
the door to malicious third-party programs. These can covertly install ad software onto your device
without your knowledge.
• Program developers can make money each time an ad is displayed or clicked on, meaning even legitimate
companies can be tempted to include adware in their software.
• How do I know if I have adware on my device?
• Spotting adware shouldn’t be too difficult because it will naturally reveal itself by design. Your device may
be infected with adware if:
• You’re experiencing significant dips in speed and performance
• You become inundated with pop-up ads – even if you’re not browsing the internet
• You’re being sent ransom demands or urgent warnings from unknown apps
• You’re experiencing reduced functionality (sometimes adware hinders access to your tools and device
settings)
• You notice the sudden appearance of new browser add-ons and toolbars – likely without your permission
• You find your devices keep crashing
Trojan Definition

• A Trojan Horse (Trojan) is a type of malware that disguises itself as legitimate code
or software. Once inside the network, attackers are able to carry out any action
that a legitimate user could perform, such as exporting files, modifying data,
deleting files or otherwise altering the contents of the device. Trojans may be
packaged in downloads for games, tools, apps or even software patches. Many
Trojan attacks also leverage social engineering tactics, as well as spoofing and
phishing, to prompt the desired action in the user.
• A Trojan is sometimes called a Trojan virus or Trojan horse virus, but those terms
are technically incorrect. Unlike a virus or worm, Trojan malware cannot replicate
itself or self-execute. It requires specific and deliberate action from the user.
• Trojans are malware, and like most forms of malware, Trojans are designed to
damage files, redirect internet traffic, monitor the user’s activity, steal sensitive
data or set up backdoor access points to the system. Trojans may delete, block,
modify, leak or copy data, which can then be sold back to the user for ransom or
on the dark web.
Trojan Malware

• Trojans are a very common and versatile attack vehicle for cybercriminals. Here we
explore 10 examples of Trojans and how they work:
• Exploit Trojan: As the name implies, these Trojans identify and exploit
vulnerabilities within software applications in order to gain access to the system.
• Downloader Trojan: This type of malware typically targets infected devices and
installs a new version of a malicious program onto the device.
• Ransom Trojan: Like general ransomware, this Trojan malware extorts users in
order to restore an infected device and its contents.
• Backdoor Trojan: The attacker uses the malware to set up access points to the
network.
• Distributed Denial of Service (DDoS) attack Trojan: Backdoor Trojans can be
deployed to multiple devices in order to create a botnet, or zombie network, that
can then be used to carry out a DDoS attack. In this type of attack, infected devices
can access wireless routers, which can then be used to redirect traffic or flood a
network.
• Fake AV Trojan: Disguised as antivirus software, this Trojan is actually
ransomware that requires users to pay fees to detect or remove
threats. Like the software itself, the issues this program claims to
have found are usually fake.
• Rootkit Trojan: This program attempts to hide or obscure an object
on the infected computer or device in order to extend the amount of
time the program can run undetected on an infected system.
• SMS Trojan: A mobile device attack, this Trojan malware can send
and intercept text messages. It can also be used to generate revenue
by sending SMS messages to premium-rate numbers.
• Banking Trojan or Trojan Banker: This type of Trojan specifically
targets financial accounts. It is designed to steal data related to bank
accounts, credit or debit cards or other electronic payment platforms.
• Trojan GameThief: This program specifically targets online gamers
and attempts to access their gaming account credentials.
Rootkit Malware

• Rootkit malware is a collection of software designed to give malicious actors
control of a computer network or application. Once activated, the malicious
program sets up a backdoor exploit and may deliver additional malware, such
as ransomware, bots, keyloggers or trojans. Rootkits may remain in place for
years because they are hard to detect, due in part to their ability to block
some antivirus software and malware scanner software.
Types of Rootkits

• Known rootkits can be classified into a few broad families, although there are many
hybrids as well. The main families are:
• Firmware Rootkits
• A firmware rootkit targets the software that runs particular hardware components by
storing itself in the software that runs during the boot process before the
operating system starts up. They are especially stealthy because they can persist
through reinstallation of the operating system.
• The use of firmware rootkits has grown as technology has moved away from hard-
coded BIOS software and toward BIOS software that can be updated remotely. Cloud
computing systems that place multiple virtual machines on a single physical system
are also vulnerable.
• Examples of firmware rootkits include:
• UEFI rootkit
• Cloaker
• VGA rootkit
• Kernel Mode Rootkits
• A kernel mode rootkit is a sophisticated piece of malware that can add new code to the
operating system or delete and edit operating system code. They are complicated to create,
and if a kernel rootkit is buggy, it will heavily impact the target computer’s performance. On
the bright side, a buggy kernel rootkit will leave a trail of breadcrumbs that antivirus solutions
will detect.
• Examples of kernel mode rootkits include:
• Spicy Hot Pot
• FU
• Knark
• Bootloader Rootkits
• Bootloader rootkits boot up concurrently with the operating system and target the Master
Boot Record (MBR), which is the first code executed when starting up a computer, or the
Volume Boot Record (VBR), which contains the code needed to initiate the boot process or the
code for loading an operating system or application. By attaching itself to one of these types of
records, a bootloader rootkit will not appear in a standard file system view and will be difficult
for an antivirus or rootkit remover to detect.
• Examples of bootloader rootkits include:
• Stoned Bootkit
• Olmasco
• Rovnix
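Because a bootloader rootkit lives in the MBR rather than in any file, the check a defender can run is against the raw sector itself: parse it, confirm the signature and partition table, and compare a hash of the bootstrap code with a baseline taken when the host was known clean. The code below is an added example written for this page, not the deck's own material. The MBR layout it relies on (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature at offset 510) is the standard one; the two sectors it checks are constructed inside the script.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xAA"      # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte sector from constructed parts (demo data only)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in partitions)
    return code + table.ljust(64, b"\x00") + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into its boot-code hash and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[PART_TABLE_OFF + 64:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[start:start + 16])
        if ptype != 0:                       # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_boot_sector(sector: bytes, baseline_sha256: str) -> dict:
    """Compare the boot code with a baseline hash taken when the host was known clean."""
    info = parse_mbr(sector)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_sha256
    return info


# Constructed sectors: the same partition table (one bootable type-0x07 volume
# starting at LBA 2048) with the original and with replaced bootstrap code.
KNOWN_GOOD_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" * 8,
                           [(0x80, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xEB\x3C\x90\x00" * 20, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(KNOWN_GOOD_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for label, sector in (("known-good", KNOWN_GOOD_MBR), ("tampered", TAMPERED_MBR)):
        result = check_boot_sector(sector, BASELINE)
        print(label, "modified" if result["boot_code_modified"] else "unchanged",
              result["partitions"])
```

On a real host the sector is the first 512 bytes of the raw disk device (for example \\.\PhysicalDrive0 on Windows or /dev/sda on Linux), readable only with administrative rights, and the baseline hash is recorded at build time. Note that the partition table is identical in both constructed sectors: that is exactly why a file-system view shows nothing, and why only the boot-code hash reveals the change.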
• Virtualized rootkits
• Unlike kernel mode rootkits, which boot up at the same time the targeted system boots
up, a virtualized rootkit boots up before the operating system boots up. Virtualized
rootkits take hold deep in the computer and are extremely difficult – or even impossible –
to remove.
• User Mode Rootkits
• User mode rootkits modify the behavior of application programming interfaces. They can
display false information to administrators, intercept system calls, filter process output
and take other actions to hide their presence. However, because user mode rootkits
target applications rather than operating systems or other critical processes, they do leave
breadcrumbs that trigger antivirus and rootkit remover alerts and they are not as hard to
remove as some other types of rootkit malware.
• Examples of user mode rootkits include:
• Vanquish
• Hacker Defender
• Aphex
• Memory Rootkits
• Memory rootkits load into the RAM, so they persist only until the RAM is cleared when
the system is restarted. While active, their malicious activities consume the targeted
system’s resources and thus reduce the performance of its RAM memory.

Definition of Keyloggers

• Keyloggers are tools that can record every keystroke that you type into
a computer or mobile keyboard. Because you interact with a device
primarily through the keyboard, keyloggers can record a lot of
information about your activity. For example, keyloggers can track
credit card information that you enter, websites you visit and
passwords you use.
• Keyloggers aren’t always used for illegal purposes. Consider the
following examples of legal uses for keylogging software:
• Parents might use a keylogger to monitor a child’s screen time.
• Companies often use keylogger software as part of 
employee monitoring software to help track employee productivity.
• Information technology departments can use keylogger software to
troubleshoot issues on a device.
• While there are legal uses for keyloggers, malicious users commonly
use keyloggers to monitor your activity and commit cybercrimes.
Botnet

• A botnet is a network of computers infected with malware that are controlled
by a bot herder. The bot herder is the person who operates the botnet
infrastructure and uses the compromised computers to launch attacks
designed to crash a target’s network, inject malware, harvest credentials or
execute CPU-intensive tasks. Each individual device within the botnet network
is called a bot.
Types of Botnet Attacks

• Once an adversary is in control of a botnet, the malicious possibilities are extensive. A botnet can be used
to conduct many types of attacks, including:
• 1. Phishing
• Botnets can be used to distribute malware via phishing emails. Because botnets are automated and
consist of many bots, shutting down a phishing campaign is like playing a game of Whack-A-Mole.
• 2. Distributed Denial-of-Service (DDoS) attack
• During a DDoS attack, the botnet sends an overwhelming number of requests to a targeted server or
application, causing it to crash. Network layer DDoS attacks use SYN floods, UDP floods, DNS amplification,
and other techniques designed to eat up the target’s bandwidth and prevent legitimate requests from
being served. Application-layer DDoS attacks use HTTP floods, Slowloris or RUDY attacks, zero-day attacks
and other attacks that target vulnerabilities in an operating system, application or protocol in order to
crash a particular application.
• Many will remember the massive Mirai botnet DDoS attack. Mirai is an IoT botnet made up of hundreds of
thousands of compromised IoT devices, which in 2016, took down services like OVH, DYN, and Krebs on
Security.
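A SYN flood of the kind listed above leaves a measurable signature in flow data: many half-open connections per second to one service, from many sources, with almost none completing the handshake. The detector below is an added example written for this page (not the deck's material) and runs over a constructed flow log embedded in the script, using documentation address ranges; the thresholds are assumed values to tune per service, not published figures.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow log: "timestamp src dst dst_port tcp_flags", one packet per
# line. Second 0 holds one normal three-way handshake; second 1 holds 200 bare
# SYNs from 200 different sources with no ACK ever completing a handshake.
SAMPLE_FLOWS = (
    "2016-10-21T11:00:00Z 203.0.113.5 198.51.100.10 443 S\n"
    "2016-10-21T11:00:00Z 198.51.100.10 203.0.113.5 52000 SA\n"
    "2016-10-21T11:00:00Z 203.0.113.5 198.51.100.10 443 A\n"
    + "".join(f"2016-10-21T11:00:01Z 203.0.113.{i} 198.51.100.10 443 S\n"
              for i in range(1, 201))
)


def parse_line(line: str):
    """Return (epoch seconds, src, dst, dst_port, flags) for one flow line."""
    ts, src, dst, port, flags = line.split()
    epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return epoch, src, dst, int(port), flags


def detect_syn_flood(lines, window_s=1, syn_threshold=100, min_sources=50):
    """Flag (dst, port, window) buckets where bare SYNs pile up without handshakes."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for line in lines:
        if not line.strip():
            continue
        epoch, src, dst, port, flags = parse_line(line)
        key = (dst, port, int(epoch // window_s) * window_s)
        if "S" in flags and "A" not in flags:      # SYN without ACK: handshake opened
            buckets[key]["syn"] += 1
            buckets[key]["sources"].add(src)
        elif flags == "A":                           # bare ACK: handshake completed
            buckets[key]["ack"] += 1
    alerts = []
    for (dst, port, start), b in sorted(buckets.items()):
        # Volume, source diversity and a completion rate under 10% together
        # separate a flood from a legitimate burst of new connections.
        if (b["syn"] >= syn_threshold and len(b["sources"]) >= min_sources
                and b["ack"] < b["syn"] // 10):
            alerts.append({"dst": dst, "port": port, "window_start": start,
                           "syn_count": b["syn"], "distinct_sources": len(b["sources"]),
                           "completed_handshakes": b["ack"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

In practice the lines would come from a NetFlow/IPFIX export or a packet capture summarised per packet, and the window and thresholds would be set from the normal connection rate of each service; the completion-rate check matters because a popular service can legitimately see hundreds of SYNs per second, but those are followed by ACKs.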
• 3. Spambots
• Spambots harvest emails from websites, forums, guestbooks, chat rooms and anyplace else users enter
their email addresses. Once acquired, the emails are used to create accounts and send spam messages. 
Over 80 percent of spam is thought to come from botnets.
Mobile Malware Definition

• Mobile malware is malicious software specifically designed to target mobile
devices, such as smartphones and tablets, with the goal of gaining access to
private data.
• Although mobile malware is not currently as pervasive as malware that attacks
traditional workstations, it’s a growing threat because many companies now allow
employees to access corporate networks using their personal devices, potentially
bringing unknown threats into the environment.
Types of Mobile Malware

• Cybercriminals use various tactics to infect mobile devices. If you’re focused on improving your
mobile malware protection, it’s important to understand the different types of mobile malware
threats. Here are some of the most common types:
• Remote Access Tools (RATs) offer extensive access to data from infected victim devices and are
often used for intelligence collection. RATs can typically access information such as installed
applications, call history, address books, web browsing history, and sms data. RATs may also be used
to send SMS messages, enable device cameras, and log GPS data.
• Bank trojans are often disguised as legitimate applications and seek to compromise users who
conduct their banking business — including money transfers and bill payments — from their mobile
devices. This type of trojan aims to steal financial login and password details.
• Ransomware is a type of malware used to lock out a user from their device and demand a
“ransom” payment — usually in untraceable Bitcoin. Once the victim pays the ransom, access codes
are provided to allow them to unlock their mobile device.
• Cryptomining Malware enables attackers to covertly execute calculations on a victim’s device
– allowing them to generate cryptocurrency. Cryptomining is often conducted through Trojan code
that is hidden in legitimate-looking apps.
• Advertising Click Fraud is a type of malware that allows an attacker to hijack a device to generate
income through fake ad clicks.
Worms

• Worms target vulnerabilities in operating systems to install themselves into
networks. They may gain access in several ways: through backdoors built
into software, through unintentional software vulnerabilities, or through
flash drives. Once in place, worms can be used by malicious actors to
launch DDoS attacks, steal sensitive data, or conduct ransomware attacks.
• Worm Example:
• Stuxnet was probably developed by the US and Israeli intelligence forces
with the intent of setting back Iran’s nuclear program. It was introduced
into Iran’s environment through a flash drive. Because the environment
was air-gapped, its creators never thought Stuxnet would escape its
target’s network — but it did. Once in the wild, Stuxnet spread aggressively
but did little damage, since its only function was to interfere with industrial
controllers that managed the uranium enrichment process.
Wiper Malware

• A wiper is a type of malware with a single purpose: to erase user data
and ensure it can’t be recovered. Wipers are used to take down
computer networks in public or private companies across various
sectors. Threat actors also use wipers to cover up traces left after an
intrusion, weakening their victim’s ability to respond.
• Wiper Malware Example:
• On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported
to have been deployed against Ukrainian targets. The incident is
widely reported to contain three individual components deployed by
the same adversary, including a malicious bootloader that corrupts
detected local disks, a Discord-based downloader and a file wiper. The
activity occurred at approximately the same time multiple websites
belonging to the Ukrainian government were defaced.
