The ultimate guide to malware

Cyber Security Hub explains what malware is, how attacks using this dangerous threat vector are launched and how to mitigate those threats

Olivia Powell
02/21/2023


Malware is a fast-growing, ever-evolving threat to cyber security. In the first six months of 2022, over 2.8 billion malware attacks were recorded worldwide. Beyond the risk to their networks, malware such as ransomware has real monetary costs for businesses. In 2021, damages from ransomware alone were estimated at US$20bn, a 6,054 percent increase on the 2015 global cost of $325mn. This is only predicted to grow, with ransomware damages forecast to reach US$250bn by 2031.

The term ‘malware’ is an abbreviation of ‘malicious software’ and, according to the UK National Cyber Security Centre (NCSC), “includes viruses, trojans, worms or any code or content that can damage computer systems, networks or devices”.

As the definition of malware is very broad, this article dives into the different types of malware, exploring what each type does, the effect it can have on a network and how it can be mitigated or prevented.

What is trojan malware?

Named for the mythical wooden horse the Greeks used to enter the city of Troy, a trojan is malware that masquerades as a safe or innocuous file or program. Once the file is downloaded and run, it executes malicious actions on the endpoint it was downloaded onto; unlike a worm, a trojan relies on the user to launch it.

Banking trojans are used by attackers to steal victims’ online-banking credentials and, eventually, their money. This disruptive threat is on the rise: Kaspersky reported that it blocked the launch of at least one type of banking malware on the devices of almost 100,000 (99,989) unique users.

Banking trojans can be spread in a number of ways, including via phishing links, by posing as useful programs (e.g. a multi-bank account-management app) or even by posing as the bank’s own app.

Once the victim installs the program, the attackers can run malicious code on the device. In some cases this harvests the login details for the victim’s bank account, giving the attackers access to it. In others it steals bank card details via fake data-entry forms, for example by asking the user to add their card to a Google Pay account. In more extreme cases the malware obtains elevated permissions on the device (on Android, typically device-administrator or accessibility privileges), giving the attackers near-complete control over it.

If attackers gain control of a device, they can read, reroute and delete text messages and calls. This means that even if the victim has multi-factor authentication (MFA) enabled, the attackers can intercept the SMS one-time passcodes (OTPs) needed to bypass it. They can then steal data and money without the victim being alerted until it is too late.

Because the actions come from the victim’s own device and pass its security checks, they appear legitimate, so the bank may not flag some or all of the fraudulent transactions as suspicious. Even if the bank notices unusual activity and tries to alert the victim, the malware lets the attacker reroute calls or texts from the bank, and the victim remains unaware until they next check their balance.

Emotet banking trojan

Emotet is a banking trojan so prevalent and dangerous that the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), whose functions now sit within the Cybersecurity and Infrastructure Security Agency (CISA), released a technical alert (TA18-201A) about it on July 20, 2018.

The alert warns that Emotet is among the “most costly and destructive malware affecting [state, local, tribal, and territorial] SLTT governments” because of its ability to spread rapidly through networks. Emotet is launched “when a user opens or clicks the malicious download link, PDF or macro-enabled Microsoft Word document” and, once inside a network, downloads and spreads additional banking trojans (Emotet has since evolved into a general-purpose loader that delivers other malware). The alert notes that Emotet infections have cost SLTT governments up to US$1mn per incident to remediate.

Super Mario game used to spread malware

In June 2023, cyber security company Cyble discovered that an installer for the popular fan-made Nintendo game Super Mario Forever was being used to spread malware.

Malicious actors were bundling a Monero (XMR) miner, the SupremeBot mining client and the open-source Umbral stealer with a legitimate Super Mario Forever installer, so that the game installed normally while the malware ran alongside it.

Once installed, the malware silently drops and executes further files. The XMR miner uses the infected device to mine the cryptocurrency Monero, running as a background process to hide the unauthorized mining from the victim.

The miner also harvests data from the victim’s computer, including the computer name, username, graphics processing unit (GPU) and central processing unit (CPU), and sends it to a command-and-control (C2) server.

The SupremeBot client retrieves and executes additional data-stealing malware, loading the Umbral stealer directly into process memory. Umbral quickly collects data and sends it to the actor who trojanized the installer, using webhooks on the instant messaging platform Discord as its exfiltration channel.

Cyble found that the Umbral stealer is capable of:

  • Capturing screenshots.
  • Retrieving browser passwords and cookies.
  • Capturing webcam images.
  • Obtaining Telegram session files and Discord tokens.
  • Acquiring Roblox cookies and Minecraft session files.
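Exfiltration over Discord webhooks is easy to spot in web-proxy logs if you look for it, because the webhook URL has a fixed shape and the sending process is usually not a Discord client. The detection below is an added example written for this article, not Cyble’s or Umbral’s code; the log format, the allow-list of processes and the sample lines are all constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample web-proxy log (not real traffic). Assumed field layout:
# timestamp client_ip process method url status bytes_sent
SAMPLE_PROXY_LOG = """\
2023-06-25T10:01:12Z 10.0.0.15 chrome.exe GET https://discord.com/app 200 512
2023-06-25T10:01:40Z 10.0.0.15 SuperMarioForever.exe POST https://discord.com/api/webhooks/1234567890/AbCdEfGh-ijkl 204 48211
2023-06-25T10:02:03Z 10.0.0.22 Discord.exe POST https://discord.com/api/v9/channels/1/messages 200 310
2023-06-25T10:02:30Z 10.0.0.15 svchost.exe POST https://discordapp.com/api/webhooks/99/Zz_yy 204 2048
2023-06-25T10:03:00Z 10.0.0.31 chrome.exe GET https://example.com/ 200 100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)
# Discord-owned hosts that serve the webhook API (assumed list for the example).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
# Webhook URLs look like /api/webhooks/<numeric id>/<token>.
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/\d+/[\w-]+")
# Processes from which Discord traffic is expected on a workstation (assumed allow-list).
EXPECTED_DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields of one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["bytes"] = int(event["bytes"])
    return event


def is_webhook_post(event: Dict) -> bool:
    """True when the event is an HTTP POST to a Discord webhook URL."""
    u = urlparse(event["url"])
    return (
        event["method"] == "POST"
        and u.hostname in DISCORD_HOSTS
        and WEBHOOK_PATH_RE.match(u.path) is not None
    )


def find_webhook_exfil(log_text: str, min_bytes: int = 1024) -> List[Dict]:
    """Flag every webhook POST; rate it high when the sending process is not a known
    Discord client or the upload is large (stolen cookies, tokens and screenshots add up)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_webhook_post(ev):
            continue
        unexpected_proc = ev["proc"].lower() not in EXPECTED_DISCORD_CLIENTS
        large = ev["bytes"] >= min_bytes
        hits.append({
            "ts": ev["ts"],
            "ip": ev["ip"],
            "proc": ev["proc"],
            "bytes": ev["bytes"],
            "severity": "high" if (unexpected_proc or large) else "low",
        })
    return hits


if __name__ == "__main__":
    for hit in find_webhook_exfil(SAMPLE_PROXY_LOG):
        print(hit)
```

Run against the constructed log, the game installer’s 48 KB POST and the webhook POST from a process named svchost.exe are both rated high, while the Discord client talking to its normal messaging API is ignored. In a real estate, the process name comes from endpoint telemetry joined to the proxy log; if your proxy only records the user agent, key on that instead, and consider blocking the webhook path outright for hosts that have no business reason to use it.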

Malware spread using poisoned Google ads

Malicious actors have also been using search engine optimization (SEO) tactics and paid Google ads to trick victims into clicking on and downloading malware.

Multiple strains of malware, including the RomCom backdoor and the Bumblebee loader (itself used to stage ransomware), have been found behind fake advertisements for legitimate software. The software malicious actors have impersonated to lure victims includes OpenAI’s ChatGPT, PDF Reader Pro, Devolutions’ Remote Desktop Manager, Zoom, Citrix Workspace and Cisco AnyConnect.

Once the malware is installed, the actors can execute further malicious files, run additional programs and exfiltrate data from the infected device.

Preventing a trojan malware attack

Cyber security expert and Cyber Security Hub contributor Alex Vakulov notes that the nature of trojan malware makes it difficult to remove once a device has been infected; in some cases, the only way to be sure it is gone is to return the device to factory settings. For trojan malware, prevention is key.

“The proliferation of mobile devices has spawned a thriving underground industry for creating banking Trojans,” Vakulov explains. “This has led to a sharp increase in the number of banking Trojans and the likelihood of infection.”

Vakulov says it is not uncommon for users to download malware from official sources such as Google Play, because app-vetting technology is not completely foolproof.

“While mobile security solutions can detect unauthorized app activity, it is the personal decision of each user to install a particular software on their phone,” he adds. 

To prevent trojan infections, users should remain vigilant by checking the validity of communications and their senders before clicking links or downloading attachments, and should install software only from sources they trust. Secure file transfer solutions can act as a preventive measure by ensuring that only files sent using trusted software are opened.

What is worm malware?

A worm is a malicious program that self-replicates in order to spread to more devices. Unlike a virus, a worm does not need a host program or further human action to run: once on a device it can execute and propagate by itself.

Worms spread by exploiting vulnerabilities in network-exposed services, via removable media, or, like many other software-based threats, via infected links and files. Social engineering is often employed to entice victims into clicking links or downloading files: the links may be hosted on malicious websites posing as legitimate ones, or sent as part of a phishing campaign in which the worm is disguised as a legitimate file type.

By itself, a worm can affect devices in a number of ways, including consuming disk space and network bandwidth and even deleting files to make room for more copies of itself. If the worm carries a payload, the attackers can inflict even more damage.

Cyber security and technology journalist Dave Johnson explained to Business Insider that payloads can allow hackers to “open a backdoor to the PC for hackers or to implant additional malware to steal sensitive information like usernames and passwords, or to use the computer as part of a distributed denial-of-service (DDoS) attack”.

Raspberry Robin malware worm

Raspberry Robin was first identified by cyber security company Red Canary in September 2021, after it noticed and began tracking a cluster of activity caused by the worm.

Raspberry Robin is introduced to a computer via an infected USB drive. The worm reads and executes a malicious file stored on the drive which, if successful, downloads, installs and executes a malicious dynamic-link library (.dll) file. Finally, the worm repeatedly attempts outbound connections, typically to Tor (The Onion Router) nodes, which conceal the source of a connection from its destination.

Red Canary reported that it had seen Raspberry Robin activity at organizations in the manufacturing and technology sectors, although it noted that it was unclear whether there was any connection between the affected companies.

Discussing the purpose of the Raspberry Robin worm when it was first discovered, Red Canary admitted that it was unsure “how or where Raspberry Robin infects external drives to perpetuate its activity”, although the company suggested that this “occurs offline or otherwise outside of our visibility”.

The organization also said that its “biggest question concerns the operators’ objectives”. Because it had little visibility into later-stage activity, Red Canary was unable to “make inferences on the goal or goals of these campaigns”. The company did say, however, that it hoped the information uncovered would help wider efforts to detect and track Raspberry Robin activity.

In August 2022, Microsoft linked Raspberry Robin to attacks by the Russia-based cybercrime group Evil Corp, after researchers tracking the group found “FakeUpdates malware [was] being delivered via existing Raspberry Robin infections”.

FakeUpdates (also known as SocGholish) is a JavaScript-based downloader used by an access broker: it is delivered through compromised websites and malvertising, posing as a browser or software update, and the access it gains is then handed on to other groups. When the lure is clicked, a ZIP file containing a JavaScript file is downloaded; running that script gives the attackers an initial foothold on the victim’s machine and, from there, the victim’s network.
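The weak point in the FakeUpdates chain is a script file hidden in an archive that a user is expected to double-click. The check below is an added example for this article, not code from Microsoft, Red Canary or the malware itself: it inspects an archive in memory and flags members whose final extension Windows would execute directly, including double-extension lures. The extension list and both sample archives are constructed for the example.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute directly from an extracted archive (assumed list
# for this example; tune it to your environment).
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".bat", ".cmd", ".lnk", ".scr", ".exe",
}


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP so the example runs offline (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def risky_members(zip_bytes: bytes) -> List[str]:
    """Return archive members whose *final* extension is executable on Windows.
    Taking the last extension catches double-extension lures such as 'Update.pdf.js'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = base[base.rfind("."):] if "." in base else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision for one archive: block if any member is directly executable."""
    return "block" if risky_members(zip_bytes) else "allow"


# Constructed samples. The "script" is an inert comment, not real FakeUpdates code.
LURE_ZIP = build_sample_zip({
    "Chrome_Update_v114.pdf.js": b"// placeholder, constructed for the example\n",
})
BENIGN_ZIP = build_sample_zip({
    "report.pdf": b"%PDF-1.4 constructed placeholder\n",
    "notes/readme.txt": b"constructed placeholder\n",
})

if __name__ == "__main__":
    print("lure:", verdict(LURE_ZIP), risky_members(LURE_ZIP))
    print("benign:", verdict(BENIGN_ZIP))
```

A mail or web gateway applying this rule would have blocked the FakeUpdates lure regardless of how convincing the “update” page looked. Two caveats: nested archives need the same check applied recursively, and on the endpoint itself the complementary control is to stop Windows Script Host from running double-clicked .js files at all (the WSH Enabled setting under HKLM\Software\Microsoft\Windows Script Host\Settings set to 0), which removes the execution path rather than trying to recognise every lure.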

How to prevent a worm malware attack

Because a worm relies on spreading across the network, an infected device should be isolated from the network as soon as it is discovered, so that it can reach neither other hosts nor its command-and-control infrastructure.

It is important to keep your device’s software patched: worms typically exploit known vulnerabilities for which a fix is already available.

Other general anti-malware measures also apply, including running up-to-date antivirus and antimalware software and disabling autorun for removable media. Likewise, any links or files received via email should be carefully considered before opening, to avoid a worm getting onto the device in the first place.

What is ransomware?

Ransomware is malicious software that infects a device and encrypts the data on it, preventing the user from accessing the information stored there. The malicious actors then send the victim a message demanding payment, usually in cryptocurrency, in exchange for the key needed to decrypt the data.

Ransomware can be especially disruptive because it can spread across an entire network, affecting every device a company or organization uses.

The WannaCry ransomware worm

Ransomware worms combine the self-replicating nature of worms with the destructive potential of ransomware.

WannaCry was a worm-based ransomware attack that took place in May 2017. It targeted computers running Microsoft Windows by exploiting a remote code execution flaw in the SMBv1 file-sharing protocol, using the leaked EternalBlue exploit. Microsoft had released a patch (MS17-010) two months earlier, but many victims had not applied it, either because they did not appreciate its importance or because they were running unsupported versions of Windows, so they remained vulnerable.

Once on a device, WannaCry encrypted the device’s files and demanded a Bitcoin payment to decrypt them. It also attempted to spread both laterally across the local network and to random addresses on the internet.


An example of the ransom note left by WannaCry. Source: Wikimedia Commons

The European Union Agency for Law Enforcement Cooperation (Europol) estimated that the attack spread across 150 countries and affected more than 300,000 computers. Among those hit were National Health Service hospitals in England and Scotland, where WannaCry affected up to 70,000 devices including computers, theatre equipment, MRI scanners and blood-storage refrigerators. Other victims included government agencies, police departments, medical facilities, telecommunications companies and universities across the world.

Multiple cyber security researchers and organizations investigated WannaCry in an attempt to halt the attack and prevent further harm. This led British researcher Marcus Hutchins to discover a kill switch in its code: before encrypting anything, the malware tried to connect to an unregistered web domain and only continued if that connection failed. By registering the domain and pointing it at a sinkhole server, Hutchins made the connection succeed, and new infections of that variant stopped short of encrypting files.
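The kill switch is worth seeing as logic, because its inverted sense is what made a single domain registration effective and also what limited it. The simulation below is an added example written for this article, not WannaCry’s code; the domain name is a hypothetical placeholder on the reserved .invalid TLD, the probe functions stand in for the HTTP request the malware made, and the DNS log is constructed.

```python
from typing import Callable, List

# Hypothetical placeholder. WannaCry's real kill-switch domain was a long random-looking
# string; a reserved .invalid name keeps this example offline.
KILL_SWITCH_DOMAIN = "kill-switch-example.invalid"


def malware_would_proceed(domain_reachable: bool) -> bool:
    """WannaCry's inverted check: if the request to the domain SUCCEEDS the sample exits;
    only a FAILED request lets it go on to encrypt and spread."""
    return not domain_reachable


def simulate_run(probe: Callable[[str], bool]) -> str:
    """probe(domain) models the request WannaCry issued before doing anything else."""
    if malware_would_proceed(probe(KILL_SWITCH_DOMAIN)):
        return "encrypt-and-spread"
    return "exit"


# Three constructed network conditions for the probe.
def unregistered_domain(domain: str) -> bool:
    return False   # before registration: nobody answered, so the request failed


def sinkholed_domain(domain: str) -> bool:
    return True    # after Hutchins registered it: the request succeeded and the sample quit


def no_direct_internet(domain: str) -> bool:
    return False   # caveat: a host that cannot reach the internet directly still failed the probe


# Constructed DNS-resolver log: timestamp client_ip qname qtype
SAMPLE_DNS_LOG = """\
2017-05-12T14:02:11Z 10.1.4.7 kill-switch-example.invalid A
2017-05-12T14:02:15Z 10.1.4.8 www.example.com A
2017-05-12T14:03:40Z 10.1.9.2 kill-switch-example.invalid A
2017-05-12T14:03:41Z 10.1.4.7 kill-switch-example.invalid A
"""


def hosts_that_queried(dns_log: str, domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Defender's view: any host that looked up the kill-switch domain had already been
    infected, even if the sinkhole stopped it encrypting. Returns unique client IPs in order."""
    seen: List[str] = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2].lower() == domain and parts[1] not in seen:
            seen.append(parts[1])
    return seen


if __name__ == "__main__":
    for name, probe in [("unregistered", unregistered_domain), ("sinkholed", sinkholed_domain),
                        ("no direct internet", no_direct_internet)]:
        print(f"{name}: {simulate_run(probe)}")
    print("infected hosts from DNS log:", hosts_that_queried(SAMPLE_DNS_LOG))
```

The third probe is the important caveat: machines that could not reach the sinkhole directly, for example behind a proxy that the malware did not use, behaved exactly as if the domain were still unregistered and were encrypted anyway, and later variants dropped the check entirely. The sinkhole was a pause, not a fix; the patch was the fix. The DNS helper shows the other practical use of the domain: a resolver log of which internal hosts queried it is a ready-made list of machines that need to be isolated and patched.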

Other remedies were also found. Researchers from Boston University and University College London showed that data could be recovered with a system called PayBreak, which hooks the cryptographic APIs ransomware calls and escrows the session keys it generates, so that files can be decrypted without paying.

The potential losses from the attack were estimated to reach up to $4bn by cyber risk modelling firm Cyence.

Royal Mail impacted by ransomware attack

On January 11, 2023, the UK’s Royal Mail announced that it had been the victim of a cyber attack on the systems used to send mail abroad.

The attack caused significant disruption, halting all exports out of the UK. The impact was so severe that Royal Mail urged customers to stop sending mail abroad while its systems were down.

The incident was quickly linked to the Russian-speaking ransomware-as-a-service (RaaS) gang LockBit. The gang’s ransom demands were printed out on printers at a Royal Mail distribution centre in Belfast, Northern Ireland.

The printed notes said the disruption was caused by LockBit Black ransomware and threatened to publish data stolen in the attack if the ransom was not paid.

How to prevent ransomware attacks

As with other malware, the risk of a ransomware attack can be reduced by keeping the operating system and applications on your devices patched and by running up-to-date antimalware software. Because ransomware works by denying access to data, maintaining offline, regularly tested backups is equally important, so that systems can be restored without paying.

Caution should also be used when downloading files received over the internet, especially if they are not from a trusted source.

What are viruses?

Viruses are among the best-known strains of malware. They are called viruses because, like biological viruses, they need a host: a virus attaches itself to a legitimate program or document, runs when that host is opened, and copies itself into other files, spreading rapidly across the infected device.

What was the Melissa virus?

Melissa, released in March 1999, was not the first computer virus (self-replicating programs such as Creeper date back to 1971, and Brain infected PCs in 1986), but it was one of the first to spread at scale by email. Posted to an online forum as a Microsoft Word document that claimed to contain login details for explicit websites, Melissa was a macro virus that mailed itself to the first 50 contacts in each victim’s Outlook address book, disrupting the email servers of more than 300 major organizations worldwide.

Overall, Melissa was estimated to have caused more than $80 million in damages, mostly the cost of cleaning up infected devices.

What was the YouAreAnIdiot virus?

YouAreAnIdiot, also detected as Trojan.JS.Offiz, was a virus-like Flash animation first seen in 2004.

The earliest version was posted on the website YouDon'tKnowWhoIAm. Once the link was clicked, a Flash animation showing three cartoon smiling faces and the text 'You are an idiot!' flashed black and white while a song played, and a script on the page began opening additional browser windows.

Each new window displayed the same message and played the same song. If victims tried to close the windows, either manually or with keyboard shortcuts, more would open indefinitely. The only way to stop them was to force the device to shut down, which could cause victims to lose unsaved files and data. Some victims had versions of YouAreAnIdiot set to launch at startup, leaving their devices functionally useless.

YouAreAnIdiot was not technically a virus, however, and was instead Trojan malware. It became known as a virus rather than Trojan malware due to popular vernacular at the time.

At its height, it is predicted that YouAreAnIdiot infected more than 100,000 computers. It is not known where the virus originated, or who created it.

How to prevent a virus attack

Good cyber security hygiene prevents most virus infections: run antivirus software and keep it up to date, keep the operating system and applications patched, and do not click links or download files from suspicious sites.

Using ChatGPT to create malware

Research by threat intelligence company Check Point Research has found malicious actors are using OpenAI’s ChatGPT to build malware, dark web sites and other tools to enact cyber attacks. 

While OpenAI has placed restrictions on how the artificial intelligence (AI)-powered chatbot can be used, including a ban on creating malware, posts on a dark web hacking forum reveal that it can still be coaxed into doing so. One user alludes to this by saying that “there’s still work around”, while another said “the key to getting it to create what you want is by specifying what the program should do and what steps should be taken, consider it like writing pseudo-code for your comp[uter] sci[ence] class”.

Screenshot provided by Check Point Research

Using this method, the user said they had been able to create a “python file stealer that searches for common file types” that can self-delete after the files are uploaded or if any errors occur while the program is running, “therefore removing any evidence”.

Fighting ChatGPT malware attacks

While new technology can be used to develop more sophisticated threats, it can also be used to defend against them. Jonathan Jackson, director of sales engineering for APJ at BlackBerry Cybersecurity, notes that AI can be both a boon and a curse when it comes to malware.
 
“One of the key advantages of using AI in cyber security is its ability to analyze vast amounts of data in real time,” Jackson remarks. “As cyber attacks become more severe and sophisticated, and threat actors evolve their tactics, techniques, and procedures (TTP), traditional security measures become obsolete. AI can learn from previous attacks and adapt its defenses, making it more resilient against future threats.”

Jackson notes that AI can also be used to mitigate advanced persistent threats (APTs), which can be highly targeted and often difficult to detect. This allows organizations to identify threats before they cause significant damage. 

Another benefit of AI in cyber security that Jackson highlights is the automation of repetitive tasks such as those in security management. This frees cyber security professionals to focus on more strategic work such as threat hunting and incident response.
