The ultimate guide to malware

Malware is a fast-growing, ever-evolving threat to cyber security. In the first six months of 2022, over 2.8 billion malware attacks were reported worldwide. Beyond risks to their network, malware like ransomware can have real, monetary costs for businesses. In 2021, damages of ransomware alone cost US$20bn. This was a 6054 percent increase on the global cost of ransomware in 2015, which was $325mn. This is only predicted to increase, with the damages of ransomware forecasted to reach US$250bn by 2031.

The term ‘malware’ is an abbreviation of ‘malicious software’ and, according to the UK National Cyber Security Center (NCSC), “includes viruses, trojans, worms or any code or content that can damage computer systems, networks or devices”.

As the definition of malware is very broad, this article looks at the main types of malware, exploring what each type does, the effect it can have on a network and how it can be mitigated or prevented.


What is trojan malware?

Named for the mythical ‘trojan horse’ the Greeks used to enter the city of Troy, trojan malware is malware that masquerades as a safe or innocuous file. Once the file is downloaded and opened, it starts to execute malicious actions on the endpoint it was downloaded onto.

Trojan malware is used by hackers to steal victims’ bank information and, eventually, their money. This disruptive threat vector is on the rise, with Kaspersky reporting that it blocked the launch of at least one type of banking malware on the devices of almost 100,000 (99,989) unique users.

Banking trojans can be spread in a number of ways, including via phishing links, by posing as useful programs (e.g. a multi-bank account management app) or even by posing as the banks’ own apps.

Once these programs are downloaded by the victim, the hackers are able to run malicious code on the victim’s device. In some cases, this allows them to harvest the login credentials for the victim’s bank account, giving them access to it. In others, it allows them to steal bank card information via fake data-entry forms, for example by asking the user to add their card details to a Google Pay account. In more extreme cases, the malware grants itself administrative access on the device, giving the hackers complete control over it.

If hackers gain control of a device, they can read, reroute and delete text messages or calls. This means that even if the victim has multi-factor authentication (MFA) set up, the hackers can intercept the one-time passcodes (OTPs) needed to bypass this security control. Hackers can then steal data and money from their victims without the victims being alerted until it is too late.

As the actions performed by the hackers come from the victim’s own device and pass all of its security measures, they appear legitimate. This means that banks may not flag some or all of the transactions made by the malicious actors as suspicious. Even if the bank notices the unusual activity and attempts to alert the victim, the malware allows the malicious actor to reroute any calls or texts from the bank, and the victim remains unaware until they next check their bank balance.

Emotet banking trojan

Emotet is a banking trojan so prevalent and dangerous that the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) released a joint technical alert regarding it on July 20, 2018.

The alert warns that Emotet is one of the “most costly and destructive malware affecting [state, local, tribal, and territorial] SLTT governments” due to its ability to spread rapidly throughout networks. Emotet is launched “when a user opens or clicks the malicious download link, PDF or macro-enabled Microsoft Word document” and, once inside a network, it downloads and spreads multiple banking trojans. The alert notes that Emotet infections have cost SLTT governments up to US$1mn per infection to mitigate.

Preventing a trojan malware attack

Cyber security expert and Cyber Security Hub contributor Alex Vakulov notes that the nature of trojan malware makes it difficult to remove once a device has been infected. In some cases, the only way to get rid of it is to return the device to factory settings. For trojan malware, prevention is therefore key.

“The proliferation of mobile devices has spawned a thriving underground industry for creating banking Trojans,” Vakulov explains. “This has led to a sharp increase in the number of banking Trojans and the likelihood of infection.”

Vakulov says that it is not uncommon for users to download malware from official sources such as Google Play, because app-vetting technology is not completely foolproof.

“While mobile security solutions can detect unauthorized app activity, it is the personal decision of each user to install a particular software on their phone,” he adds. 

To prevent trojan malware infections, users should remain vigilant by checking the validity of communications and their senders before clicking any links or downloading any attachments. Secure file transfer solutions can act as a preventive measure by ensuring that only files sent using trusted software are opened.

What is worm malware?

Worm malware is a type of malicious program that self-replicates with the aim of spreading to more devices. Unlike other forms of malware, worms do not need a human or a host program to run, meaning they can execute on their own once they reach a device.

Worm malware, like many software-based threat vectors, primarily reaches devices via malicious links and files. Social engineering is often employed to entice victims into clicking the links or downloading the files: the links may be hosted on malicious websites posing as legitimate ones, or may be sent as part of a phishing campaign in which the worm is disguised as a legitimate file type.

By itself, a worm can impact devices in a number of ways, including consuming disk space and even deleting files in order to make room for more copies of itself. If the worm carries a payload, the malicious actors can inflict even more damage.

Cyber security and technology journalist Dave Johnson explained to Business Insider that payloads can allow hackers to “open a backdoor to the PC for hackers or to implant additional malware to steal sensitive information like usernames and passwords, or to use the computer as part of a distributed denial-of-service (DDoS) attack”.

The WannaCry ransomware worm

Ransomware worms combine the self-replicating nature of worms with the destructive potential of ransomware.

WannaCry was a worm-based ransomware attack that took place in May 2017. It specifically targeted computers running the Microsoft Windows operating system by exploiting a flaw that allowed the system to be tricked into executing code. Although a patch for this flaw had been released, many of the victims had not updated their devices’ software, as they were unaware of its importance, and so remained vulnerable to the attack.

Once on a device, WannaCry encrypted the device’s data and demanded a Bitcoin payment to decrypt it. It also attempted to spread both laterally across the device’s network and to random devices via the internet.

An example of the ransom note left by WannaCry. Source: Wikimedia Commons

The European Union Agency for Law Enforcement Cooperation (Europol) estimated that the attack spread across 150 countries and affected more than 300,000 computers. Among those affected were National Health Service hospitals in England and Scotland, where WannaCry affected up to 70,000 devices including computers, theatre equipment, MRI scanners and blood-storage refrigerators. Other victims included government agencies, police departments, medical facilities, telecommunications companies and universities across the world.

Multiple cyber security researchers and organizations launched investigations into WannaCry in an attempt to stop the attack and prevent further harm. This led to the discovery of a kill switch in its code by British researcher Marcus Hutchins. By registering an unregistered web domain he found in the code and operating it as a DNS sinkhole, Hutchins was able to halt the attack’s spread: the ransomware only encrypted a device’s files if it could not connect to that domain.

Other solutions were also discovered. Researchers from Boston University and University College London found that the ransomware could be defeated by recovering the keys used to encrypt the data, using a software system called PayBreak.

Cyber risk modelling firm Cyence estimated that the potential losses from the attack could reach US$4bn.

Raspberry Robin malware worm

Raspberry Robin was first identified by cyber security company Red Canary in September 2021, after the company noticed and began tracking a cluster of activity caused by the worm.

Raspberry Robin reaches a computer via a compromised USB drive. The worm reads and executes a malicious file stored on the drive which, if successful, downloads, installs and executes a malicious dynamic-link library (.dll) file. Finally, the worm repeatedly attempts to make outbound connections, typically to The Onion Router (Tor) nodes. Tor nodes conceal a user’s location from the connection destination.

Red Canary reported that it had seen Raspberry Robin activity in organizations in the manufacturing and technology sectors, although the company noted that it was unclear whether there was any connection between the companies affected by the malware.

Discussing the purpose of the Raspberry Robin worm when it was first discovered, Red Canary admitted that it was unsure “how or where Raspberry Robin infects external drives to perpetuate its activity”, although the company suggested that this “occurs offline or otherwise outside of our visibility”.

The organization also said that its “biggest question concerns the operators’ objectives”. This uncertainty is due to a lack of information on later-stage activity, meaning Red Canary is unable to “make inferences on the goal or goals of these campaigns”. The company did say, however, that it hoped the information it had uncovered on Raspberry Robin would help wider efforts to detect and track Raspberry Robin activity.

In August 2022, Microsoft linked the Raspberry Robin worm to attacks carried out by the Russia-based hacking group EvilCorp. Researchers tracking EvilCorp activity discovered that “FakeUpdates malware [was] being delivered via existing Raspberry Robin infections”.

FakeUpdates is a malvertising access broker, a social engineering-based threat vector that poses as a safe link to trick victims into clicking it. In the case of FakeUpdates, it poses as a software or browser update. When clicked, a JavaScript file packed inside a Zip archive is downloaded and executed on the victim’s computer, giving the bad actors access to the victim’s network.

How to prevent a worm malware attack

As worm malware relies on spreading to other devices across a network, an infected device should be taken off the network as soon as a worm is discovered.

As the WannaCry attack showed, it is important to update your devices’ software regularly to make sure they are patched against known vulnerabilities.

Other general anti-malware security strategies should also be employed, including installing antivirus and antimalware software. Likewise, any links or files received via email should be carefully considered before opening, to stop worm malware getting onto the device in the first place.

Using ChatGPT to create malware

Research by threat intelligence company Check Point Research has found that malicious actors are using OpenAI’s ChatGPT to build malware, dark web sites and other tools for cyber attacks.

While OpenAI has placed restrictions on how the artificial intelligence (AI)-powered chatbot can be used, including a ban on using it to create malware, posts on a dark web hacking forum have revealed that it can still be used to do so. One user alludes to this by saying that “there’s still work around”, while another said “the key to getting it to create what you want is by specifying what the program should do and what steps should be taken, consider it like writing pseudo-code for your comp[uter] sci[ence] class”.

Screenshot provided by Check Point Research

Using this method, the user said they had been able to create a “python file stealer that searches for common file types” that can self-delete after the files are uploaded or if any errors occur while the program is running, “therefore removing any evidence”.

Fighting ChatGPT malware attacks

While new technology can be used to develop more sophisticated threats, it can also be used in defense against them. Johnathan Jackson, director of sales engineering APJ at BlackBerry Cybersecurity, notes that AI has the potential to be both a boon and a curse when it comes to malware.

“One of the key advantages of using AI in cyber security is its ability to analyze vast amounts of data in real time,” Jackson remarks. “As cyber attacks become more severe and sophisticated, and threat actors evolve their tactics, techniques, and procedures (TTP), traditional security measures become obsolete. AI can learn from previous attacks and adapt its defenses, making it more resilient against future threats.”

Jackson notes that AI can also be used to mitigate advanced persistent threats (APTs), which are often highly targeted and difficult to detect, allowing organizations to identify threats before they cause significant damage.

Another benefit of AI in cyber security recognized by Jackson is its use in automating repetitive tasks such as those in security management. This frees up cyber security professionals to focus on more strategic tasks such as threat hunting and incident response.
