More Malware & Attack Types

Objective scope for this section

Domain 2, Objective 2.4 focuses on analyzing indicators of malicious activity and identifying malware-related attack behavior.

Threat vector vs attack vector

These terms are related but not interchangeable in scenario analysis:

• →Threat vector: the means or pathway used to approach a target and deliver a malicious payload or unwanted action
• →Attack vector: operational method used to exploit exposure and execute infection
• →Exam pattern: identify both the vulnerable condition and the exploitation sequence

Core malware list for this objective segment

Knowthese malware categories and related mechanisms:

• →Virus
• →Worm
• →Trojan
• →Remote Access Trojan (RAT)
• →Ransomware
• →Zombie
• →Botnet
• →Rootkit
• →Backdoor
• →Logic bomb
• →Keylogger
• →Spyware
• →Bloatware

WannaCry case pattern (MS17-010 / EternalBlue)

WannaCry to illustrate vector chaining from weakness discovery to ransomware impact:

• →Unpatched Windows hosts expose Server Message Block (SMB) risk
• →Automated scanning identifies vulnerable systems
• →Exploit execution gains elevated access
• →Ransomware encrypts files and demands payment

Indicators of malicious activity to watch for

Objective 2.4 emphasizes recognizing these signals in incident scenarios:

• →Account lockouts
• →Concurrent session utilization
• →Blocked content
• →Impossible travel
• →Resource consumption
• →Resource inaccessibility
• →Out-of-cycle logging
• →Missing logs
• →Published or documented attacks

Core virus list for this objective segment

Knowthese 10 categories:

• →Boot sector virus
• →Macro virus
• →Program virus
• →Multipartite virus
• →Encrypted virus
• →Polymorphic virus
• →Metamorphic virus
• →Stealth virus
• →Armored virus
• →Hoax virus

User action commonly initiates infection

that virus execution often begins when a user runs infected content.

• →Open/run untrusted installer or executable
• →Enable/execute malicious macros in documents
• →Follow deceptive prompts that trigger unsafe actions

Persistence and evasion are layered

Modern virus behavior often combines persistence methods and anti-detection techniques.

• →Persistence examples: boot-time load and reinfection via applications
• →Evasion examples: encryption, polymorphism, metamorphism, stealth, armor
• →Composite threat pattern: multiple categories combined in one malware strain

Core behavior of worm propagation

Worms spread by combining automated discovery with exploit-driven compromise:

• →Scan network/internet for reachable targets
• →Identify hosts with known unpatched vulnerabilities
• →Exploit vulnerability to execute code remotely
• →Replicate from newly compromised host

Why worms are operationally dangerous

Worm risk includes both compromise and service degradation due to replication pressure.

• →Compromise of multiple endpoints/servers
• →Bandwidth and network capacity exhaustion
• →Increased CPU and memory usage on infected hosts
• →Potential denial-of-service conditions from rapid spread

Historical examples

Nimda and Conficker to show scale and speed of worm outbreaks:

• →Nimda (2001): rapid internet-wide propagation in a short window
• →Conficker (2009): large-scale infection of systems missing Microsoft patch MS08-067
• →Conficker added infected hosts to a botnet after exploitation

Primary mitigation theme

vulnerability management and patching as critical controls against worm spread.

• →Maintain timely security patching across operating systems and applications
• →Reduce exposed vulnerable services where possible
• →Use layered security controls to limit exploitability and propagation

Trojan execution model

Trojans rely on trust and user execution of software that appears benign.

• →User installs or runs software believed to be safe/desirable
• →Expected visible function may still work normally
• →Hidden payload runs in parallel and establishes compromise

Primary post-infection objectives

common Trojan outcomes after initial compromise:

• →Remote control of victim endpoint (RAT behavior)
• →Data exfiltration of sensitive documents
• →Backdoor creation for persistence and future access

Trojan trust-abuse pattern

The exam cue is not the story itself but the underlying trust model:

• →Harmless appearance conceals hostile intent
• →Victim permits entry into protected environment
• →Hidden attacker capability is activated after acceptance

Primary rootkit objective

A rootkit seeks the highest privilege possible while staying hidden on the compromised system.

• →Gain administrative or root-level control
• →Move as close to ring 0 as possible
• →Avoid detection by the operating system and security tools

Operating system ring model

rootkit power in terms of privilege rings, but the exam distinction that matters most is user mode versus kernel mode:

• →Ring 3: user mode with standard user permissions
• →Ring 0: kernel mode with the highest trust and control
• →Ring 1 is a privileged or administrative level, but the rootkit exam cue is malware seeking stealthy kernel-level control as close to ring 0 as possible

Why rootkits are hard to detect

Rootkits embed deeply into operating system activity, allowing them to hide from normal in-band security inspection.

• →Operate with elevated or kernel-adjacent privileges
• →Can intercept or redirect normal operating system calls
• →Traditional antivirus and anti-malware tools may not see the hidden malicious code

DLL injection and shim abuse path

rootkit stealth to trusted Windows DLL behavior and call interception.

• →Malicious code is inserted into the address space of another process
• →A trusted DLL load path is abused to execute the rootkit
• →A shim intercepts and redirects calls between the operating system and the DLL

Exam focus of the demonstration

Focus on malware recognition, not malware creation. For the exam, focus on what a virus or Trojan does after compromise and how it is delivered.

User execution is the key delivery event

The demonstration shows that both virus and Trojan infection begin when the victim is tricked into running a disguised file.

• →Download of a file presented as something harmless or desirable
• →Execution of the file by the user
• →Malicious behavior begins after the program is opened

Legacy systems are easier malware targets

an unsupported Windows 7 system to show that unpatched, legacy hosts are more vulnerable to compromise than modern, defended systems.

• →No new security patches for unsupported operating systems
• →Known vulnerabilities remain exposed
• →Modern anti-malware tools are more likely to block older malware on newer systems

Remote Access Trojan (RAT) post-compromise capabilities

A RAT can provide broad attacker control over the victim endpoint after execution.

• →Collect system and host information
• →Capture screenshots or webcam data
• →Browse, copy, or exfiltrate files
• →Modify registry or desktop settings
• →Send messages or manipulate the user interface

Primary ransomware behavior

Ransomware blocks access to systems or data by encrypting files and then demanding payment in exchange for a decryption key.

Real-world impact can extend beyond IT systems

Colonial Pipeline and University Hospital Dusseldorf to show that ransomware can disrupt critical infrastructure and create real-world safety consequences.

• →Operational shutdowns and service outages
• →Supply disruption and financial impact
• →Patient diversion and life-safety consequences in healthcare environments

4 preventive controls

four practices that reduce ransomware risk and improve resilience:

• →Conduct regular backups, including offline or offsite copies
• →Install software and operating system updates regularly
• →Provide security awareness training to end users
• →Implement Multi-Factor Authentication (MFA)

4 response priorities after infection

these immediate response actions when ransomware is detected:

• →Do not pay the ransom
• →Disconnect the affected system from the network
• →Follow organizational incident response processes and notify authorities as appropriate
• →Restore systems and data from known good backups after malware removal

Botnet structure

A botnet is built by compromising many devices and grouping them under remote attacker control.

• →Each compromised device is a zombie
• →The attacker controls zombies through a Command and Control (C2) node
• →Hundreds, thousands, or millions of zombies can act as one malicious network

Common botnet uses

several ways attackers use the combined resources of compromised systems:

• →Distributed Denial of Service (DDoS) attacks
• →Spam and phishing distribution
• →Cryptocurrency mining
• →Breaking encryption through distributed brute-force processing
• →Using zombies as pivot points to reach additional victims

Resource use is often limited to avoid detection

Attackers often use only part of a victim's processing power so the compromise is less obvious.

• →Using 20 to 25% of processing power is less noticeable
• →Using nearly all CPU would make the device unresponsive
• →Lower visible impact helps the zombie remain in the botnet longer

Why backdoors are insecure

Historically, programmers added backdoors to simplify maintenance access, but modern secure coding treats them as a serious security weakness.

• →Bypass normal authentication and firewall protections
• →Create hidden access paths into the application or system
• →Violate secure coding best practices

Backdoor vs RAT distinction

these concepts but they are not identical.

• →Backdoor: the hidden bypass method that avoids normal authentication or security controls
• →RAT: malware that gives the attacker remote access and may act like a backdoor after infection
• →Exam focus: a programmer-created hidden maintenance path points to a backdoor, while attacker-installed remote control points to a RAT

Easter Egg vs logic bomb

Both involve hidden code, but harmless novelty is distinct from malicious intent.

• →Easter Egg: hidden joke, novelty, or secret feature
• →Logic bomb: malicious code with a conditional trigger
• →Exam focus: logic bomb includes harmful intent and a trigger condition

Common logic bomb trigger pattern

A logic bomb waits for a predefined state, event, or time before executing a harmful action.

• →Specific time or date is reached
• →Specific account or system condition changes
• →Malicious action executes only after the trigger is satisfied

Why keyloggers are dangerous

Keyloggers are stealthy and effective because they capture data exactly as the victim types it.

• →Usernames and passwords can be stolen directly from keystrokes
• →Financial and personal information can be captured without visible warning
• →Captured data can enable identity theft, fraud, or espionage

Software vs hardware keylogger distinction

scale-friendly malware delivery from physically installed devices.

• →Software keylogger: delivered through malware bundling or social engineering
• →Hardware keylogger: requires physical access to install
• →Hardware keylogger: harder to scale but avoids software-only detection

Business impact can exceed personal theft

In enterprise environments, keyloggers can expose more than just credentials.

• →Confidential emails and proprietary data may be captured
• →Strategic plans and internal communications may be exposed
• →Financial, legal, and reputational damage can follow

Primary defense stack

six complementary ways to reduce keylogger risk:

• →Patch and update systems regularly
• →Use antivirus and anti-malware with regular scans
• →Train users against phishing and pretexting
• →Implement Multi-Factor Authentication (MFA)
• →Use keystroke encryption
• →Inspect hardware for unfamiliar devices

What spyware captures

that spyware targets both behavioral data and sensitive information.

• →Browsing habits and software usage patterns
• →Passwords and credit card numbers
• →Other personal or organizational data

Typical spyware delivery paths

Spyware often reaches systems through deceptive or bundled software distribution.

• →Bundled software installers
• →Malicious websites
• →Deceptive pop-up advertisements

Why bloatware still matters

Bloatware is usually not malicious, but it still creates operational and security problems.

• →Consumes storage and RAM
• →Slows overall device performance
• →Increases attack surface because unnecessary software may contain exploitable bugs

Primary defenses and cleanup actions

preventive and corrective actions for both spyware and bloatware:

• →Use updated antivirus and anti-spyware tools
• →Download software only from trusted sources
• →Review the EULA for data collection disclosures
• →Patch operating systems and applications
• →Remove unwanted software manually or with removal tools
• →Use a clean operating system installation for new devices when appropriate

Traditional vs fileless malware execution

older file-based infection methods with modern in-memory execution.

• →Traditional malware modifies executables or embeds malicious macros in documents
• →Some worms infect memory and spread over the network
• →Fileless malware executes in memory as scripts or shellcode and leaves fewer file artifacts

Why fileless malware is harder to detect

Modern malware reduces reliance on the file system to evade signature-based defenses.

• →Bypasses signature-based antivirus and anti-malware tools more easily
• →Creates malicious processes directly in system memory
• →May erase temporary file traces after execution

Two-stage malware deployment model

a staged infection sequence commonly used in enterprise compromises.

• →Stage one: a dropper or downloader gains execution and retrieves additional code
• →Stage two: more tooling such as a Remote Access Trojan (RAT) is installed to establish command and control
• →After access is established, the attacker expands compromise and pursues action on objectives

Post-compromise workflow

After initial infection, the attacker moves through expansion, objective execution, and concealment.

• →Spread laterally and target servers or domain controllers
• →Conduct action on objectives such as exfiltration or ransomware
• →Hide activity through concealment and log removal

Malware deployment and anti-forensic techniques

several execution and evasion methods used to disguise malicious activity.

• →Code injection, masquerading, DLL injection, DLL sideloading, and process hollowing
• →Encryption, compression, and obfuscation to hinder analysis
• →Living off the land through built-in tools such as PowerShell

9 malware indicators

Common signs of possible malware activity include:

• →Account lockouts: repeated failed logins trigger user lockouts, often signaling credential attacks
• →Concurrent session utilization: one account shows multiple simultaneous sessions, suggesting hijacked access
• →Blocked content: security tools suddenly block more files or links, indicating malware-related activity
• →Impossible travel: the same account appears in distant places too quickly to be legitimate
• →Resource consumption: unusual CPU, memory, or bandwidth spikes may reflect malware execution
• →Resource inaccessibility: files or systems become unavailable, often due to ransomware encryption
• →Out-of-cycle logging: logs appear at unusual times that do not match expected operations
• →Missing logs: logs are deleted or absent, suggesting concealment after compromise
• →Published or documented attacks: outside reporting confirms the organization is part of a malware campaign

Account and session anomalies can signal compromise

Several indicators revolve around stolen credentials or unauthorized account use.

• →Unexpected account lockouts may reflect brute-force or credential abuse
• →Concurrent sessions on one account may indicate hijacked access
• →Impossible travel often points to credential theft after compromise

Performance and access symptoms can reveal active malware

system degradation and loss of access to malware behavior.

• →High CPU, memory, or bandwidth use may indicate cryptominers, botnets, or worms
• →System slowdowns can make resource abuse noticeable
• →Inaccessible files or ransom messages strongly indicate ransomware

Log irregularities are high-value detection signals

Unexpected or missing logs often reveal attacker activity or concealment attempts.

• →Out-of-cycle logs may show unauthorized activity at unusual hours
• →Missing logs may mean an attacker deleted evidence
• →Regular log review is necessary to catch subtle malware indicators