The ultimate guide to malware

What is malware?

Malware is a fast-growing, ever-evolving threat to cyber security. In the first six months of 2022, over 2.8 billion malware attacks were reported worldwide. Beyond risks to their network, malware like ransomware can have real, monetary costs for businesses. In 2021, damages from ransomware alone cost US$20bn. This was a 6,054 percent increase on the global cost of ransomware in 2015, which was US$325mn. This is only predicted to increase, with ransomware damages forecast to reach US$250bn by 2031.

The term ‘malware’ is an abbreviation of ‘malicious software’ and, according to the UK National Cyber Security Centre (NCSC), “includes viruses, trojans, worms or any code or content that can damage computer systems, networks or devices”.

As the definition of malware is very broad, this article looks at the main types of malware, exploring what each type does, the effect it can have on a network and how it can be mitigated or prevented.


Contents:

  • What is trojan malware?
  • What is worm malware?
  • Using ChatGPT to create malware

What is trojan malware?

Named for the mythical ‘trojan horse’ the Greeks used to enter the city of Troy, trojan malware is malware that masquerades as a safe or innocuous file or program. Once the victim downloads and runs the file, it begins to execute malicious actions on the endpoint it was downloaded onto.

Banking trojans, one common variety, are used by hackers to steal victims’ bank information and, eventually, their money. This disruptive threat vector is on the rise, with Kaspersky reporting that it blocked the launch of at least one type of banking malware on the devices of almost 100,000 (99,989) unique users.
Banking trojans can be spread in a number of ways, including via phishing links, by posing as useful programs (e.g. a multi-use bank management app) or even as apps from the bank itself.

Once these programs are installed by the victim, the hackers are able to run malicious code on the victim’s device. In some cases, this allows them to harvest the login credentials for the victim’s bank account, giving them access to it. In others, it allows them to steal bank card information via fake data-entry forms, for example by asking the user to add their card details to a Google Pay account. In more extreme cases, the malware obtains administrative privileges on the device, giving hackers complete control over it.

If hackers gain control of a device, they can read, redirect and delete text messages or calls. This means that even if the victim has multi-factor authentication (MFA) set up, the hackers can intercept the one-time passcodes (OTPs) delivered by SMS or voice call and bypass this security control. Hackers can then steal data and money from their victims without them being alerted until it is too late.

As the actions performed by the hackers come from the victim’s own device and session, they pass the bank’s usual security checks and appear legitimate. This means that banks may not flag some or all of the transactions made by the malicious actors as suspicious behavior. Even if the bank notices the unusual activity and attempts to alert the victim, the malware allows the malicious actor to intercept or redirect any calls or texts from the bank, and the victim will remain unaware until they next check their bank balance.


Emotet banking trojan

Emotet is a banking trojan so prevalent and dangerous that the US Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC), now part of the Cybersecurity and Infrastructure Security Agency (CISA), released a joint technical alert regarding it with the Multi-State Information Sharing and Analysis Center (MS-ISAC) on July 20, 2018.

The alert warns that Emotet is one of the “most costly and destructive malware affecting [state, local, tribal, and territorial] SLTT governments” due to its ability to spread rapidly through networks. Emotet is launched “when a user opens or clicks the malicious download link, PDF or macro-enabled Microsoft Word document” and, once inside a network, it downloads and spreads further banking trojans. The alert notes that Emotet infections have cost SLTT governments up to US$1mn per infection to remediate.


Preventing a trojan malware attack

Cyber security expert and Cyber Security Hub contributor Alex Vakulov notes that the nature of trojan malware makes it difficult to remove once a device has been infected. In some cases, the only way to get rid of it is to return the device to factory settings. For trojan malware, prevention is key.

“The proliferation of mobile devices has spawned a thriving underground industry for creating banking Trojans,” Vakulov explains. “This has led to a sharp increase in the number of banking Trojans and the likelihood of infection.”

Vakulov says that it is not uncommon for users to download malware from official sources such as Google Play, because the app-vetting technology is not completely foolproof.

“While mobile security solutions can detect unauthorized app activity, it is the personal decision of each user to install a particular software on their phone,” he adds.

To prevent trojan malware infections, users should remain vigilant by checking the validity of communications and their senders before clicking any links or downloading any attachments. The use of secure file transfer solutions can act as a preventive measure by ensuring that only files sent using trusted software are opened.


What is worm malware?

Worm malware is a type of malicious program that can self-replicate with the aim of spreading to more devices. Unlike other forms of malware, worms do not need a host program or human interaction to propagate: once on a device, a worm runs and spreads on its own.

Worm malware, like many software-based threats, commonly gains its initial foothold via malicious links and files. Social engineering is often employed to entice victims into clicking links or downloading files. The links may be hosted on malicious websites posing as legitimate ones, or sent as part of a phishing campaign, where the worm is disguised as a legitimate file type.

By itself, a worm can impact devices in a number of ways, including consuming disk space and even deleting files in order to make room for more copies of itself. If the worm carries a payload, the malicious actors can inflict even more damage.

Cyber security and technology journalist Dave Johnson explained to Business Insider that payloads can allow hackers to “open a backdoor to the PC for hackers or to implant additional malware to steal sensitive information like usernames and passwords, or to use the computer as part of a distributed denial-of-service (DDoS) attack”.


The WannaCry ransomware worm

Ransomware worms combine the self-replicating nature of worms with the destructive potential of ransomware.

WannaCry was a worm-based ransomware attack that took place in May 2017. It specifically targeted computers running Microsoft Windows by exploiting a flaw in the SMBv1 file-sharing service that allowed remote code execution. Microsoft had released a patch for the flaw in March 2017, two months before the outbreak, but many of the victims had not applied it, often because they were unaware of its importance, and so remained vulnerable to the attack.

Once on a device, WannaCry encrypted the device’s data and demanded a Bitcoin payment to decrypt it. It also attempted to spread both laterally across the device’s network and to random devices via the internet.


 

An example of the ransom note left by WannaCry. Source: Wikimedia Commons
The European Union Agency for Law Enforcement Cooperation (Europol) estimated that the attack spread across 150 countries and affected more than 300,000 computers. Among those affected were National Health Service (NHS) hospitals in England and Scotland, where WannaCry affected up to 70,000 devices including computers, theatre equipment, MRI scanners and blood-storage refrigerators. Other victims included government agencies, police departments, medical facilities, telecommunications companies and universities across the world.

Multiple cyber security researchers and organizations investigated WannaCry in an attempt to stop the attack and prevent further harm. This led British researcher Marcus Hutchins to discover a kill switch in its code: before doing anything else, the malware tried to connect to an unregistered web domain hard-coded into it and, if the connection succeeded, exited without encrypting files or spreading further. By registering that domain and pointing it at a DNS sinkhole, Hutchins made the check succeed on every newly infected machine that could reach the internet, which stopped the attack’s spread. Machines that could not resolve the domain, for example those behind a proxy that blocks direct DNS lookups, were not protected by the kill switch.
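The sinkholed domain also gave defenders a detection signal: any internal host that looks up the kill-switch domain has almost certainly run the WannaCry binary, even if the encryption routine was averted. The following is an added example (not code from the article, from Hutchins or from any vendor) that scans simplified BIND-style DNS query log lines for lookups of a kill-switch domain and reports which hosts should be isolated. The domain name, the log format and the log lines are constructed placeholders, not the real indicators.

```python
"""Flag internal hosts that queried a sinkholed ransomware kill-switch domain.

Added example, not from the article. The domain, log format and log lines are
constructed for illustration; the real WannaCry domain is not reproduced here.
"""
import re
from collections import defaultdict

# Constructed placeholder for the sinkholed kill-switch domain (assumption).
KILL_SWITCH_DOMAINS = {"killswitch-example.invalid"}

# Simplified BIND-style query log line (constructed format):
# "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags>"
_QUERY_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)


def parse_query(line):
    """Return (timestamp, client_ip, qname) for a query line, or None if it is not one."""
    m = _QUERY_RE.match(line.strip())
    if not m:
        return None
    # Normalise the name: DNS names are case-insensitive and may carry a trailing root dot.
    qname = m.group("qname").rstrip(".").lower()
    return m.group("ts"), m.group("ip"), qname


def is_kill_switch_name(qname, domains=KILL_SWITCH_DOMAINS):
    """True if qname is a kill-switch domain or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def find_kill_switch_queries(lines, domains=KILL_SWITCH_DOMAINS):
    """Map each client IP to the timestamps at which it looked up a kill-switch domain."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # not a query record; skip without failing the whole scan
        ts, ip, qname = parsed
        if is_kill_switch_name(qname, domains):
            hits[ip].append(ts)
    return dict(hits)


# Constructed sample log: two hosts look the domain up (one twice, one with odd casing
# and a trailing dot), the others only make ordinary queries.
SAMPLE_LOG = [
    "2017-05-12T15:03:21Z client 10.0.4.17#53211: query: killswitch-example.invalid IN A +",
    "2017-05-12T15:03:22Z client 10.0.4.17#53212: query: www.example.com IN A +",
    "2017-05-12T15:04:05Z client 10.0.9.3#40110: query: KillSwitch-Example.invalid. IN A +",
    "2017-05-12T15:04:40Z client 10.0.4.17#53299: query: killswitch-example.invalid IN AAAA +",
    "2017-05-12T15:05:01Z client 10.0.2.2#51000: query: update.example.net IN A +",
    "this line is not a query record",
]

if __name__ == "__main__":
    for host, times in sorted(find_kill_switch_queries(SAMPLE_LOG).items()):
        print(f"{host}: {len(times)} kill-switch lookup(s), first at {times[0]} -> isolate")
```

A hit means the binary executed on that host and reached the kill-switch check; it says nothing about whether the host also tried to spread before being stopped, so the host still needs to be isolated and patched rather than merely watched.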

Other solutions were also discovered. Researchers from Boston University and University College London found that the damage could be undone by recovering the keys used to encrypt the data, using a system called PayBreak. PayBreak has to be installed before an infection, as it works by recording the encryption keys as the ransomware generates them.

The potential losses from the attack were estimated by cyber risk modelling firm Cyence to reach up to US$4bn.


Raspberry Robin malware worm

Raspberry Robin was first identified by cyber security company Red Canary in September 2021, after it noticed and began tracking a cluster of activity caused by the worm.

Raspberry Robin is introduced to a computer via an infected USB drive. The worm reads and executes a malicious file stored on the drive which, if successful, downloads, installs and executes a malicious dynamic-link library (.dll) file. Finally, the worm repeatedly attempts to make outbound connections, typically to Tor (The Onion Router) nodes, which conceal the operator’s location from the connection destination.

Red Canary reported that it had seen Raspberry Robin activity in organizations in the manufacturing and technology sectors, although the company noted that it was unclear whether there was any connection between the affected companies.

Discussing the purpose of the Raspberry Robin worm when it was first discovered, Red Canary admitted that it was unsure “how or where Raspberry Robin infects external drives to perpetuate its activity”, although the company suggested that this “occurs offline or otherwise outside of our visibility”.

The company also said that its “biggest question concerns the operators’ objectives”. This uncertainty is due to a lack of information on later-stage activity, meaning Red Canary was unable to “make inferences on the goal or goals of these campaigns”. The company did say, however, that it hoped the information uncovered on Raspberry Robin would help wider efforts to detect and track Raspberry Robin activity.

In August 2022, the Raspberry Robin worm was linked by Microsoft to attacks carried out by the Russia-based hacking group EvilCorp. Researchers tracking EvilCorp activity found that FakeUpdates malware “[was] being delivered via existing Raspberry Robin infections”.

FakeUpdates (also known as SocGholish) is malware distributed by a malvertising-style access broker: a social engineering lure that poses as a safe link, in this case a software or browser update, to trick victims into clicking it. When the link is clicked, a JavaScript file packed inside a Zip archive is downloaded and executed on the victim’s computer, giving the attackers a foothold from which to reach the victim’s accounts and network.


How to prevent a worm malware attack

As worm malware relies on spreading to devices across a network, an infected device should be isolated from the network as soon as a worm is discovered.

As seen in the WannaCry attack, it is important to update your devices’ software regularly to make sure they are patched against known vulnerabilities.

Other general anti-malware security strategies should also be employed, including installing antivirus and anti-malware software. Likewise, any links or files received via email should be carefully considered before opening, to avoid worm malware getting onto the device in the first place.
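Both of the delivery tricks described on this page, Emotet’s macro-enabled Word documents and the script-in-a-Zip lure used by FakeUpdates, can be caught by a simple attachment check before a file ever reaches a user. The following is an added example, not code from the article or from any vendor product: it treats modern Office files as the ZIP containers they are and looks for a VBA project inside, and it lists script or executable members of a ZIP archive. The extension lists, the ‘block’/‘allow’ policy and the sample files are constructed for illustration.

```python
"""Triage e-mail attachments for macro-enabled Office files and scripts hidden in ZIPs.

Added example, not from the article or any product. Extension lists, policy and
sample files are constructed for illustration.
"""
import io
import zipfile

# Script/executable member types that have no business arriving in a user-facing archive (assumption).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1",
                     ".exe", ".scr", ".lnk", ".bat", ".cmd"}
# OOXML Office formats; all are ZIP containers (assumption: only OOXML is handled here).
OFFICE_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def _ext(name):
    """Last extension of a filename, lower-cased ('invoice.pdf.js' -> '.js')."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def office_has_macros(data):
    """True if an OOXML document carries a VBA project.

    The macro storage is a ZIP member named vbaProject.bin (under word/, xl/ or ppt/),
    regardless of whether the file was renamed from .docm to .docx."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP container, so not an OOXML document with macros


def archive_script_members(data):
    """Names of ZIP members whose last extension is a script or executable type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename, data):
    """Return ('block' | 'allow', reason) for one attachment."""
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        return "block", f"bare script/executable attachment ({ext})"
    if ext in OFFICE_EXTENSIONS and office_has_macros(data):
        return "block", "Office document contains a VBA macro project"
    if ext == ".zip":
        bad = archive_script_members(data)
        if bad:
            return "block", "archive contains script member(s): " + ", ".join(bad)
    return "allow", "no macro or script content found"


def _zip_bytes(members):
    """Build an in-memory ZIP from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a macro-laden .docm, a clean .docx and a FakeUpdates-style archive.
SAMPLE_DOCM = _zip_bytes({"[Content_Types].xml": "<Types/>",
                          "word/document.xml": "<w:document/>",
                          "word/vbaProject.bin": b"\x00"})
SAMPLE_DOCX = _zip_bytes({"[Content_Types].xml": "<Types/>",
                          "word/document.xml": "<w:document/>"})
SAMPLE_UPDATE_ZIP = _zip_bytes({"Chrome_Update.js": "// constructed placeholder, not real malware"})

if __name__ == "__main__":
    for name, data in [("report.docm", SAMPLE_DOCM), ("report.docx", SAMPLE_DOCX),
                       ("Chrome_Update.zip", SAMPLE_UPDATE_ZIP)]:
        print(name, *triage_attachment(name, data))
```

This is a coarse first-line filter, not a replacement for a sandbox: it does not open nested archives, cannot see inside password-protected ZIPs, and ignores other container formats such as ISO or IMG images that attackers also use to smuggle scripts past mail gateways.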


Using ChatGPT to create malware

Research by threat intelligence company Check Point Research has found that malicious actors are using OpenAI’s ChatGPT to build malware, dark web sites and other tools for carrying out cyber attacks.

While OpenAI has placed restrictions on how the artificial intelligence (AI)-powered chatbot can be used, including a prohibition on using it to create malware, posts on a dark web hacking forum have revealed that it can still be used to do so. One user alludes to this by saying that “there’s still work around”, while another said “the key to getting it to create what you want is by specifying what the program should do and what steps should be taken, consider it like writing pseudo-code for your comp[uter] sci[ence] class”.


Screenshot provided by Check Point Research

Using this method, the user said they had been able to create a “python file stealer that searches for common file types” that can self-delete after the files are uploaded or if any errors occur while the program is running, “therefore removing any evidence”.


Fighting ChatGPT malware attacks

While new technology can be used to develop more sophisticated threats, it can also be used in defense against them. Johnathan Jackson, director of sales engineering APJ at BlackBerry Cybersecurity, notes that AI has the potential to be both a boon and a curse when it comes to malware.
 
“One of the key advantages of using AI in cyber security is its ability to analyze vast amounts of data in real time,” Jackson remarks. “As cyber attacks become more severe and sophisticated, and threat actors evolve their tactics, techniques, and procedures (TTP), traditional security measures become obsolete. AI can learn from previous attacks and adapt its defenses, making it more resilient against future threats.”

Jackson notes that AI can also be used to mitigate advanced persistent threats (APTs), which can be highly targeted and are often difficult to detect, allowing organizations to identify threats before they cause significant damage.

Another benefit of AI in cyber security recognized by Jackson is its use to automate repetitive tasks such as those in security management. This frees up cyber security professionals to focus on more strategic tasks such as threat hunting and incident response.