Section 6.57 Malware Attack Techniques Flashcards
Objective 2.4: Given a scenario, analyse indicators of malicious activity
Method of attack: Think modern
Malware Attack Techniques
The specific method by which malware code penetrates and infects a targeted system
■ Most modern malware uses fileless techniques to avoid detection from signature-based security software.
■ Fileless malware infects the system's memory (RAM) to avoid detection and executes its malicious code using trusted tools directly from memory.
PowerShell exploitation: PowerShell is commonly exploited by fileless malware for its ability to execute complex operations without generating executable files. Usually, it’s leveraged to download and run payloads directly from memory and bypass scripting restrictions.
Stage 1 Dropper or Downloader
When a user accidentally clicks on a malicious link or opens a malicious file, the specific type of malware being installed is known as a Stage One Dropper or Downloader.
The primary function of a Downloader is to retrieve additional portions of the malware code and to trick the user into activating it, whereas a Dropper runs the malicious code itself.
This is NOT fileless malware
This piece of malware is usually created as lightweight shellcode that can be executed on a given system.
Stage 1 dropper - remember this is independent of the Stage 1 Downloader
Dropper
Both Dropper and Downloader can infect a system (not run together)
A stage-one dropper is a small piece of malware designed to install or deliver additional malicious software onto a system.
Payload is the code which causes the actual harm
Stage 1 downloader - remember this is independent of the Stage 1 Dropper
Downloader
Both Dropper and Downloader can infect a system (not run together)
A downloader is a type of malware that retrieves and installs additional malicious components from a remote server via an internet connection.
Shellcode
Lightweight code which exploits vulnerabilities and executes the Stage 1 Dropper or Downloader.
Stage 2: Downloader
Downloads and installs a remote access Trojan (RAT) to conduct command and control on the victimised system.
“Actions on Objectives” Phase
Threat actors carry out the actions that meet their core objectives, such as:
■ Data exfiltration
■ File encryption
“Actions on Objectives” is a phase in the cyber kill chain, a model describing the stages of a cyber attack. This phase occurs after the attacker has gained access to a system and established control.
Concealment
Used to help the threat actor prolong unauthorised access to a system by:
■ Hiding tracks
■ Erasing log files
■ Hiding any evidence of malicious activity
“Living off the Land”
■ A strategy adopted by many Advanced Persistent Threats and criminal organizations
■ The threat actors use the standard tools already present on the system to perform intrusions
NOT in the course, just nice to know
Cyber kill chain
The cyber kill chain is a framework that outlines the stages of a cyber attack. It was originally developed by Lockheed Martin and consists of seven stages:
1. Reconnaissance: Gathering information about the target.
2. Weaponization: Creating a malicious payload (like malware).
3. Delivery: Sending the payload to the target.
4. Exploitation: Taking advantage of a vulnerability to execute the payload.
5. Installation: Establishing a foothold in the system (e.g., installing malware).
6. Command and Control (C2): Setting up communication with the compromised system.
7. Actions on Objectives: Achieving the attacker's goals, such as data theft or disruption.
Each stage represents a step in the attack process, helping organizations understand and defend against cyber threats.