It’s no secret that malware is a huge problem, whether it be an infected laptop that you use for home banking and watching Netflix, all the way to multi-million-pound organizations that store customer credit card and banking details. But what happens once a machine is infected with malware? The answer to that question depends on what type of malware has infected the device as there are different types of malware that each have their own malicious characteristics.
This article will outline the various types of malware and explain what they are designed to do.
Viruses & Worms
Viruses are a common type of malware that often impact the performance of an infected device. A virus is a generic term for a piece of malware that is able to replicate itself across the filesystem. A virus needs to be manually started either by the user or by infecting a running application on the device.
Whereas a virus requires user interaction in order to start running, a worm can be much more problematic as it is able to spread to other computers and networks automatically without the need for user interaction. This can be an issue within a corporate network as multiple servers and critical devices could be infected as the worm enumerates network shares and uses these to move laterally around the network.
Worm Example - WannaCry
Wannacry malware had a huge impact when it was released as it was able to spread automatically by searching for public-facing SMB ports. This posed a huge threat to many organizations around the world as SMB shares were used to legitimately share files and data.
Malware will largely try to evade detection as it doesn’t want the user to know their device has been infected. However, if you have been infected with adware then you will know about it due to the large volume of adverts you will see on your device. These will be displayed on your browsers and via annoying pop-ups.
Adware Example - DeskAd
DeskAd is a piece of adware that once it has a foothold on a device will gradually ramp up the number of browser adverts it displays and redirect your network traffic to malicious websites.
Spyware will collate private data from your device such as your browsing history, location, passwords, and purchases. This information can then be sold to third-party advertisers or used to commit banking fraud using the data that has been exfiltrated
Spyware Example - Pegasus
Pegasus Spyware was developed by the NSO Group, an Israeli firm whose spyware is reported to target iPhones. What makes this spyware particularly invasive is that has been designed to allow access to the device’s camera and microphone.
Ransomware has become a huge problem over recent years and has made multi-million-pound revenues for the groups that write and design this type of malware.
Like most malware, ransomware is often distributed via email disguised as something innocent such as a word document or PDF file. The file is then launched by the unwitting user not realizing the true intent of the attachment.
Unlike most malware that tries to evade detection, Ransomware wants the user to know the device has been compromised. If no ransomware protection is in place, It will begin by deleting any available backups and then begin to encrypt all files on disk so that they become inaccessible.
As the backups have been deleted the ransomware will then display a message advising that all files have been encrypted and the only way to retrieve your data is to pay the bad guys a ransom. This is often in Bitcoin and will include instructions on how to access the dark web using a Tor browser and provide details on how to make the required payment.
If payment is made then the bad guys advise they will provide the decryption keys so that the data can be decrypted.
Ransomware Examples - BlackMatter, Netwalker, Cerber
Blackmatter ransomware appears to be an amalgamation of the REvil and darkside groups, these groups are two of the most prolific ransomware groups of 2020 and 2021. They have been attributed to landmark attacks against Colonial Pipeline and JBS as well as the infamous Travelex incident that saw the organization and their customers suffering disruption for months.
Netwalker ransomware created by the cybercrime group known as "Circus Spider" in 2019. Circus Spider is one of the newer members of the "Mummy Spider" cybercriminal group. On the surface, Netwalker acts like most other ransomware variants, establishing an initial foothold through phishing emails, followed by exfiltrating and encrypting sensitive data to hold hostage for a large ransom.
Unfortunately, Netwalker does more than hold the victims’ data hostage. To show they are serious, Circus Spider will leak a sample of the stolen data online, claiming that if the victim does not meet their demands in time, they will release the rest on the dark web. Circus Spider leaked one victim’s sensitive data onto the dark web in a password-protected folder and published the key online.
The images below show a device I have infected with Cerber Ransomware and illustrate the ransom warnings that are delivered to the user.
Keylogging functionality can be especially valuable to malware authors as it will log any keystrokes. So if a password has been typed or bank details have been entered to make a purchase then the malware will have captured this information and transferred it to the bad guys so that they can then reuse this information.
Keylogger Example - Remcos
The image below shows a tool called Process Hacker being run on a machine I have built to safely detonate malware, in this example, I have detonated a piece of malware called Remcos. Process Hacker allows a malware analyst to identify indicators of compromise (IOC) from the memory of a running malware process.
In this image, we can see some key IOC such as IP addresses, however there are also strings that provide evidence that Remcos is keylogging user activity.
We can actually see that the malware has started a keylogger, ‘ne Keylogger Started! }’ and the location that the keylogger is storing the keystrokes on disk, ‘Users\Admin\AppData\Roaming\remocs\logs.dat’.
By navigating to that location on disk we can open the log used to record keystrokes using a text editor such as notepad:
Trojans & RATs
Trojans take their name from the historical trojan horse. The reason being is that trojan malware will often be disguised as software that may be appealing to a user, such as a game or in some cases even antivirus software!
This increases the likelihood that the malware will be installed on a device, the software will often appear to look legitimate however the malware will be running in the background.
This will often result in giving the bad guys remote access to the compromised device, these types of trojans are known as remote access trojans (RAT). This allows the attacker to remotely access the device it has compromised and exfiltrate any data they find on the filesystem.
Trojan & RAT Examples - Emotet, Zeus
After the famous shutdown of its infrastructure by Europol, Emotet malware has seen a recent surge in activity showing that the group behind this malware have not disappeared altogether. This infamous RAT has been around for a number years and has been a prevalent problem for organizations around the world. Over the years the malware has been developed and is often used to deliver additional payloads such as Trickbot malware.
Although it has evolved and been developed over the years, the Zeus Banking Trojan would target data stored within installed web browsers such as banking information and stored credentials. These would then be exfiltrated by the malware so that they could be used or sold via the dark web.
The previous malware types that I have covered all target the device’s operating system. However a common feature of a Rootkit is that it will target the underlying kernel of the operating system, this makes Rootkits particularly clever. By targeting the kernel, the layer between the operating system and the hardware of a device, it can be highly evasive and hard to detect by antivirus solutions as the AV solution will run on the overarching OS rather than the underlying kernel.
Rootkit Example - Necurs
The Necurs rootkit has been around since 2012 and was a prevalent force used for large-scale email campaigns that would distribute malware.
A compromised device known as a bot is used to execute commands and tasks automatically. Once infected with this type of malware then the device, now known as a bot, will automatically call out to the bad guy’s infrastructure known as a C2. This is short for command and control as the attacker now has control of this device and is able to issue commands that will be executed on the device.
Attackers deploying this type of malware will look to deploy it to thousands of devices that are collectively known as a botnet. This then allows the attacker to generate traffic from each device and create targeted DDoS attacks using the botnet infrastructure they have amassed.
Botnet Example - Mirai
Mirai malware is a famous botnet that was used to infect IoT devices (Internet of Things). This became a problem when household objects such as fridges and coffee makers were given wifi functionality with little to no authentication. Security was not originally a priority for these products, meaning that anybody could authenticate and connect to these devices. The malware authors behind Mirai took advantage of this lapse in security and these devices became infected with Mirai and used for malicious activity such as DDoS attacks.
Fileless malware most commonly uses PowerShell to execute attacks on your system without leaving any traces. This type of attack is also known as a zero-footprint attack and can be particularly hard to detect because it does not rely on infiltrating external malicious (and detectable) binaries into your systems.
Fileless Malware Example - PowerSploit
Attacker tools based on PowerShell are readily available and used by threat actors. PowerSploit is a collection of PowerShell modules which each contain a unique set of scripts that can be used in multiple phases of an attack to perform recon, escalate privileges and move laterally.
Prevention & Mitigation
For an organization to be protected from the latest malware threats traditional AV solutions are no longer enough to protect an organization. The reason for this is that these types of security solutions rely on a signature-based detection of the malware. This means that the AV vendor is reliant on having an up-to-date database of the malware samples they have identified and can detect. If a new sample comes out and they don’t have a signature for it then the AV cannot block the malware.
EDR (Endpoint Detection and Response) solutions are now a much stronger and preferred method of preventing and mitigating malware attacks against an organization. An EDR solution continually monitors all the running processes, network connections, registry changes, and behavior of a device to ensure that it is protected from the various malware threats I have identified in this article. This machine learning-based approach means that if a piece of malware does hit the filesystem of a device undetected then it is unlikely to successfully infect a device to die the behavior it will then exhibit.
The most common threat vector for malware is via email, user awareness is key to recognizing and preventing employees from opening malicious emails however it happens. A common technique is to leverage malicious word documents as people will often receive word documents in their email at work so they are more likely to be opened by an end-user. Malicious word documents will often contain macros that run scripts in the background that download malware to the now compromised device.
Leveraging an EDR solution would detect the macros being loaded, identify the script being run and where it is connecting to, and stop the macros from running.
This type of in-depth and behavior-based analysis is key to protecting an organization from the latest malware threats.
This article should hopefully give you a strong foundation of knowledge regarding the various types of malware that are being designed and released by malware authors.
If you found this article informative then be sure to check out some of my other malware-related articles that cover some of my favorite malware analysis tools and a recent piece I completed on Autoruns which is a great tool for identifying how malware will attempt to persist on a compromised device.
If you would like more information on how to protect your organization from malware then this post on malware protection will be of interest along with Varonis’ Data Security Platform that can be implemented to find, monitor, and protect sensitive data at scale.
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.How it works
Neil is a cyber security professional specializing in incident response and malware analysis. He also creates cyber security content for his YouTube channel and blog at 0xf0x.com.