Skip to content

Malware and Attacker tooling

links: TOC - Actors & Tools & Attacks - Index

Malware

Malware, short for malicious software, refers to software designed to infiltrate or damage computer systems without the owner’s informed consent. It encompasses a variety of forms, including viruses, worms, trojans, ransomware, and spyware. Once malware has compromised a system, attackers can often fully control it, performing actions that align with their goals.

Key Components and Payloads of Malware

The components and payloads of malware refer to the functionalities and harmful actions malware can perform once it has infiltrated a system. The term payload generally refers to the part of malicious code that performs the destructive operation. These include:

Information Theft: Malware can steal sensitive information such as passwords, personal data, financial information, and login credentials. Techniques include:

  • Password stealers
  • Keylogging (capturing passwords, chats)
  • Intercepting browser information (passwords, cookies, one-time passwords)
  • Taking screenshots
  • Capturing emails and email addresses
  • Extracting files from disk
  • Recording audio and video streams

Information Storage and Modification: Malware can modify or store data for malicious purposes. Examples include:

  • Data encryption (ransomware)
  • Storing illegal data or software
  • Modifying payment information in e-banking transactions (transaction generators)

Abuse of Computing Resources: Malware can exploit the system's resources for malicious activities such as:

  • Using the system as a proxy
  • Sending spam
  • Conducting click fraud
  • Launching DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks

Propagation Methods: Malware can spread through various channels, including:

  • Network shares
  • USB drives
  • Email attachments
  • Exploiting network vulnerabilities
  • Network-based spreading via remote exploits, open ports, and password guessing

Auxiliary Components that Enhance Malware Effectiveness

  • Communication (C2): Malware often communicates with Command and Control (C2) servers to receive instructions and exfiltrate data. Common protocols used include HTTP, HTTPS, DNS, and Tor.
  • Persistence: Persistence techniques ensure malware remains active on a system even after reboots. Without persistence, attackers would need to repeatedly reinfect the victim, which is both costly and unpredictable.
  • Stealth and Self-defense: Modern malware employs techniques to evade detection and analysis. This includes packing to avoid antivirus detection, hiding its presence, and disabling security features on the infected system.
  • Propagation: The goal of propagation is to infect additional machines within the victim's network. This can be achieved through network exploits, shared folders, or infecting USB drives. Effective propagation can significantly expand the infection footprint and help the malware reach its ultimate target.

Malware components

malware_components.png

Malware Families

Malware families refer to groups of related malware variants that share common characteristics and often derive from the same codebase. These families are named by security analysts who discover and categorize them. Examples of well-known malware families include Zeus, Trickbot, and APT28.

  • Evolution and Releases: Like any software project, malware evolves over time, with new versions and releases. This evolution can result in multiple variants within a single family.
  • Forks and Variants: When malware source code is leaked or shared, different developers may create forks, leading to independent versions. This makes it challenging to track and categorize malware accurately.
  • Tracking and Analysis: Comprehensive resources like Malpedia document thousands of malware families, aiding cybersecurity professionals in identifying and responding to threats. By linking malware samples to specific families, analysts can infer the capabilities and potential actions of the malware.

Attacker Tooling

Attacker tooling involves the use of sophisticated tools and frameworks to facilitate cyberattacks. These tools range from simple scripts to complex command and control (C2) frameworks that manage large-scale operations.

  • Hacking Tools and C2 Frameworks: C2 frameworks, such as Cobalt Strike, are used to emulate cyber-attacks and manage malware payloads. These frameworks allow attackers to control compromised systems, deploy additional payloads, and automate attack processes. C2 frameworks are dual-use tools, used by both security professionals for legitimate purposes and by cybercriminals.

  • OSINT Resources: Open Source Intelligence (OSINT) resources are crucial for tracking and understanding the tools and techniques used by attackers. Platforms like Malpedia and the MITRE ATT&CK framework provide comprehensive databases of malware families, attack techniques, and the actor groups that use them. These resources help cybersecurity professionals anticipate and mitigate threats by linking malware to specific actors and understanding their methods and goals.

links: TOC - Actors & Tools & Attacks - Index