Malware, a portmanteau of "malicious software", is code designed to alter the normal behaviour or function of an information system, generally to cause harm to the system and, indirectly, to its user. John von Neumann theorised malware in the 1950s, and computer scientists quickly materialised the idea with prototypes. As an umbrella term, it today encompasses dozens of use-cases and categories. Antivirus providers and cybersecurity firms estimate the number of malware samples in circulation at around 1 billion, 60 percent of which target Windows users. Between 2008 and today, that number has grown a hundredfold and spread to mobile devices, following the mass adoption of smartphones and computers.
What is not malware?
Not all parts of a cyber attack use malware; often, malware is just one link in the cyber kill chain. A few examples below help to present a broader picture:
Exploits and complex attacks
An exploit is software or a piece of code that takes advantage of (exploits) a vulnerability in a system or application. If the vulnerability is not known by the manufacturer or the cybersecurity community (notably through a CVE number), or is known but unpatched, it is called a zero-day vulnerability. Exploits are not inherently nefarious, but in practice they are often used to deliver malware.
Web browser-based attacks, for instance, exploit vulnerabilities in the user's browser to track them or steal data. Cross-site scripting (XSS) is one type of attack that modifies a web page's behaviour, typically a login page or form, to intercept sensitive data. This happened in the 2018 British Airways data leak, which led to a 184 million pound fine for the company. Watering-hole attacks use the same principle but target people who visit specific websites, such as local newspapers. State actors often use this method to track political dissidents.
Social engineering attacks
Social engineering attacks rely on people's errors of judgement in social interactions to gain access to a system, or exploit the trust they have established to commit fraud. Most cyber-attacks rely on social engineering to trick the user, usually into clicking on a link. This is the case with phishing, where users are incentivised by "important" emails to click on a malicious link. The same principle applies to Business Email Compromise (BEC, also known as ‘President fraud’), where employees are pressured by an "urgent" email or phone call to transmit sensitive data or wire money.
What different types of malware exist?
Malware is usually categorised according to its purpose (e.g., ransomware), its characteristics such as how it spreads (e.g., worms, viruses), or the platform for which it was designed (e.g., mobile malware). What follows is a typology that presents the most common types of malware, though not exhaustively:
Viruses: Viruses are commonly confused with malware, but the terms are not synonymous: viruses are a kind of malware that spreads by duplicating its own code. Frederick Cohen and Len Adleman coined the term in the 1980s based on the similarity to biological viruses. As with the latter, computer viruses inject their code into otherwise legitimate files to circulate between users. Still today, many cybersecurity concepts and much of the mindset of professionals remain shaped by the metaphors and analogies of health and biology (Slupska, 2021).
Spyware: Spyware is software designed to spy on users or organisations, typically for espionage, fraud or harassment purposes. Keyloggers, for instance, record the user's keystrokes and are ideal for stealing passwords and gaining access to corporate or bank accounts. Stalkerware is spyware commonly used in intimate partner abuse; it often allows someone close to the victim to track their location and read their messages. Some of these apps pass as children's safety apps on popular phone app stores. At the other end of the spectrum, advanced attackers can exploit zero-days to target specific individuals or organisations from a distance, often politicians, journalists or activists.
Trojan horses and rootkits: As their name suggests, trojan horses specialise in infiltrating a system and establishing a foothold in it. By opening a backdoor, they allow an attacker to perform other malicious activities, such as installing a keylogger. Trojan horses often present themselves as “legitimate” and “useful” software to trick users into downloading them. Because they are only the first step in an attack chain (see cyber kill chain), trojan horses are the most common type of malware, representing approximately 75% of newly discovered malware on Windows systems.
Rootkits are similar in that they are often the first step of a more complex cyber attack. Rootkits are malicious toolkits that infiltrate the lowest software layers of a system and grant the attacker extensive privileges. Once established, rootkits are difficult to detect and remove, as they can penetrate the most essential parts of a computer. As a result, systems suspected of being infected with a rootkit often need to be wiped entirely and their hardware configuration reset.
Ransomware: Ransomware consists of programs that encrypt system files or personal documents and hold them “hostage” until the victim pays a ransom in cryptocurrency. The increase in the value of cryptocurrency has led to a substantial increase in ransomware attacks. Of all reported cybersecurity incidents in the first half of 2021, one in five was due to ransomware. Some criminal groups specialise in ransomware attacks and target specific companies or organisations. Others buy (see malware-as-a-service, below) or design ransomware that spreads automatically through the Internet by exploiting vulnerabilities in network protocols (such as SMBv1). Such malware is known as a worm.
Worms: Worms are malware designed to spread quickly across the Internet. Once they have entered a computer connected to a local network, such as a corporate intranet, they scan that network and attempt to infect as many connected computers as possible.
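The SMBv1 exposure mentioned above is something a defender can audit and close on each Windows host. The following is an added example, not code from the original article: a PowerShell function (hypothetical name `Test-Smb1Exposure`) that reports whether the SMBv1 server setting or the SMBv1 optional feature is still enabled and, with `-Remediate`, disables both. It assumes an elevated session on a Windows build that ships the `SmbShare` and `Dism` modules.

```powershell
# Added example (not from the original article). Audit whether SMBv1, the
# protocol exploited by the worm-style ransomware described above, is still
# enabled on this Windows host, and optionally disable it. Run as administrator.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # When set, turn SMBv1 off instead of only reporting on it.
        [switch]$Remediate
    )

    # Server-side switch: will this host accept SMBv1 sessions from clients?
    $serverCfg = Get-SmbServerConfiguration
    # Windows optional feature: is the SMBv1 component installed at all?
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    $exposed = [bool]$serverCfg.EnableSMB1Protocol -or ($feature.State -eq 'Enabled')
    $remediated = $false

    if ($exposed -and $Remediate) {
        # Stop the server from negotiating SMBv1 immediately ...
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # ... and remove the component so it cannot be re-enabled silently.
        # Removal of the feature only completes after the next reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $remediated = $true
    }

    # Structured result so the check can be collected fleet-wide.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$serverCfg.EnableSMB1Protocol
        Smb1FeatureState  = [string]$feature.State
        Exposed           = $exposed
        Remediated        = $remediated
        RebootRequired    = $remediated
    }
}

# Report only:
Test-Smb1Exposure
# Disable SMBv1 where it is found:
# Test-Smb1Exposure -Remediate
```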
Mobile malware: Mobile malware is malware that targets mobile phone and tablet users. It is typically designed to run on iOS, iPadOS or Android. It is increasingly common, as most people now access the Internet through a mobile device. Each year, around 3 million new malware samples are detected on Android phones, and nearly as many Potentially Unwanted Applications (PUAs).
Potentially Unwanted Applications (PUAs): PUAs are not malware per se, but a category of apps that are often installed without the user's consent. They are invasive and challenging to remove. Adware, or software that displays advertisements, makes up the largest part of PUAs. Some adware even tracks the user's web browsing, which is why it can also be classified as spyware. Adware sometimes disguises itself as a mobile video game or other app to hide its true purpose. It is found most often on Android phones, where PUAs are as common as malware due to the open nature of the app store.
What’s the future of malware?
File-less malware: Unlike traditional malware, which writes itself into a computer's persistent memory (hard storage), file-less malware consists of code that stays in the system's dynamic memory (DRAM). This makes it much harder to detect for conventional antivirus software, which has become quite efficient at preventing traditional malware. Since computers wipe DRAM when they shut down, file-less malware often infiltrates the system's boot sequence to establish persistence. This is one of the reasons why phone and computer operating systems increasingly implement forms of secure booting. Windows 11 and iOS, for instance, both require an encrypted chip known as a TPM (Trusted Platform Module, called Secure Enclave by Apple) to ensure the integrity of the boot sequence.
DRAM is not the only dynamic memory in a computer. Most recently, malware developers on criminal forums have been advertising file-less malware with the ability to live off graphics card memory, or VRAM. According to the developer, the malware works with popular graphics card (GPU) models and with graphics chips integrated into the computer's processor (iGPU). This is particularly worrying since iGPUs are most common on corporate desktops and laptops.
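Because file-less malware seeks persistence in the boot sequence, the two controls the section above names, UEFI Secure Boot and a TPM, are worth verifying on every Windows host rather than assumed. The following is an added example, not code from the original article: a PowerShell function (hypothetical name `Get-BootIntegrityPosture`) that reports both and lists the gaps. It assumes an elevated session, since `Get-Tpm` and `Confirm-SecureBootUEFI` require it.

```powershell
# Added example (not from the original article). Check the boot-integrity
# controls discussed above on a Windows host: is UEFI Secure Boot enforced,
# and is a TPM present and provisioned? Needs an elevated PowerShell session.
function Get-BootIntegrityPosture {
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware, where Secure
    # Boot cannot exist; treat that case as "not enabled".
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI)
        $firmware   = 'UEFI'
    } catch {
        $secureBoot = $false
        $firmware   = 'Legacy BIOS or unsupported'
    }

    # Get-Tpm reports whether a TPM exists and whether Windows has taken
    # ownership of it (TpmReady), which measured boot and BitLocker rely on.
    $tpm = Get-Tpm

    # Collect human-readable gaps for a report or ticket.
    $gaps = @()
    if (-not $secureBoot) {
        $gaps += 'Secure Boot is off: unsigned boot components would be allowed to load'
    }
    if (-not $tpm.TpmPresent) {
        $gaps += 'No TPM detected: boot measurements cannot be anchored in hardware'
    } elseif (-not $tpm.TpmReady) {
        $gaps += 'TPM present but not provisioned for use by the OS'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Firmware     = $firmware
        SecureBoot   = $secureBoot
        TpmPresent   = [bool]$tpm.TpmPresent
        TpmReady     = [bool]$tpm.TpmReady
        Compliant    = ($gaps.Count -eq 0)
        Gaps         = $gaps
    }
}

Get-BootIntegrityPosture
```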
Skilled software developers often create such new malware and then sell it to criminal groups or individuals. Sometimes they even run the malware operation on behalf of a client, taking a cut of the profit. This newer trend is known as malware-as-a-service (MaaS).
Malware-as-a-service: MaaS describes the leasing or subcontracting of malware operations. Ransomware, for instance, often requires back-end servers to transfer data and control the malware. Instead of designing and maintaining their own malware operation, criminal groups increasingly buy or lease one from other groups specialised in doing so. Among them is TA542, a hacking group first known for developing EMOTET in 2017, a trojan horse that collects and transfers banking information. EMOTET is often used as part of MaaS ransomware operations, such as Ryuk. In such cases, the arrangement is known as Ransomware-as-a-service.
According to the Ensign Cyber Threat Landscape Report 2021, threat actors are increasingly collaborating with each other to launch ransomware campaigns. The Ransomware-as-a-Service (RaaS) model is one example where cyber adversaries leverage their respective expertise to carry out a range of malicious activities. It is believed that this organised crime business model has led to the phenomenal growth of the ransomware business.
The RaaS model has also led to the rise of the double extortion approach, where threat actors first compromise endpoints to exfiltrate victims’ data and then encrypt the data to disrupt business operations. The threat actors then demand ransom twice: once for decrypting the data, and again for not leaking the stolen data online. With the perpetrators threatening to publish their victims’ data on questionable websites, which can potentially trigger regulatory attention and payment of penalties, victims are under greater pressure to pay the ransoms.
Organisations need to prepare for the response and recovery of systems in anticipation of ransomware attacks. This includes provisioning backup systems and endpoints for critical functions to restore operations without significant delay. Organisations also need to support this with asset inventories and implementation of data protection solutions to enable quick identification, containment, and mitigation of incidents relating to data breaches. Lastly, they should conduct regular, thorough reviews of business-critical data and its storage location to maintain the visibility of assets.