MALWARE FAMILY DESCRIPTIONS

A

AgentTesla

AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, and can record screenshots and exfiltrate credentials for a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.

AlienBot

AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credentials theft, as well as SMS harvesting for 2FA bypass. Additional remote control capabilities are provided using a TeamViewer module.

Anubis

Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.

AZORult

AZORult is a Trojan that gathers and exfiltrates data from the infected system. Once the malware is installed on a system, it can send saved passwords, local files, crypto-wallet data, and computer profile information to a remote C&C server. The Gazorp builder, available on the Dark Web, allows anyone to host an Azorult C&C server with moderately low effort.
B

Bazar

Discovered in 2020, Bazar Loader and Bazar Backdoor are used in the initial stages of infection by the WizardSpider cybercrime gang. The loader is responsible for fetching the next stages, and the backdoor is meant for persistence. The infections are usually followed by a full-scale ransomware deployment, using Conti or Ryuk.

Bumblebee

BumbleBee is a Loader. The malware is likely the latest addition to the Conti gang, designed to replace the BazarLoader backdoor used to deliver ransomware payloads. Attackers drop Bumblebee via ISO and DLL attachemnts in email campaigns, to deploy Cobalt Strike.
C

Cerberus

First seen in the wild in June 2019, Cerberus is a Remote Access Trojan (RAT) with specific banking screen overlay functions for Android devices. Cerberus operates in a Malware as a Service (MaaS) model, taking the place of discontinued bankers like Anubis and Exobot. Its features include SMS control, key-logging, audio recording, location tracker, and more.

Conti

Conti ransomware emerged in 2020 and has been used since in multiple attacks against organizations worldwide. Conti ransomware is delivered as the final stage after a successful intrusion into the victims' network. Initial intrusion might be performed using spearphishing campaigns, stolen or weak credentials for RDP, or phone-based social engineering campaigns.

Cryptobot

Cryptobot is an advanced cryptominer that collects the victim’s wallet and account information upon infection. In December 2021 Cryptobot was observed in a campaign that targeted users with a pirated copy of the Windows operating system.

Cl0p

Cl0p is a ransomware that was first discovered in early 2019 and mostly targets large firms and corporations. During 2020, Cl0p operators began exercising a double-extortion strategy, where in addition to encrypting the victim's data, the attackers also threaten to publish stolen information unless ransom demands are met. In 2021 Cl0p ransomware was used in numerous attacks where the initial access was gained by utilizing zero-day vulnerabilities in the Accellion File Transfer Appliance.
D

Danabot

Danabot is a modular banking Trojan written in Delphi that targets the Windows platform. The malware, which was first observed in 2018, is distributed via malicious spam emails. Once a device is infected, the malware downloads updated configuration code and other modules from the C&C server. Available modules include a “sniffer” to intercept credentials, a “stealer” to steal passwords from popular applications, a “VNC” module for remote control, and more.

Darkgate

Darkgate is a multifunction malware active since December 2017 which combines ransomware, credential stealing, and RAT and cryptomining abilities. Targeting mostly the Windows OS, DarkGate employs a variety of evasion techniques.

Dridex

Dridex is a Banking Trojan turned botnet, that targets the Windows platform. It is delivered by spam campaigns and Exploit Kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control.
E

Emotet

Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used to employ as a banking Trojan, and now is used as a distributer for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, Emotet can also be spread through phishing spam emails containing malicious attachments or links.
F

FluBot

FluBot is an Android malware distributed via phishing SMS messages (Smishing), most often impersonating logistics delivery brands. Once the user clicks the link inside the message, they are redirected to the download of a fake application containing FluBot. Once installed the malware has various capabilities to harvest credentials and support the Smishing operation itself, including uploading of the contacts list, as well as sending SMS messages to other phone numbers.

FormBook

FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
G

Glupteba

Known since 2011, Glupteba is a Windows backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
H

HermeticWiper

HermeticWiper is a Wiper that has been targeting hundreds of computers in Ukraine. The Wiper appears to have been compiled in December 2021, which implies that the attack was premeditated for at least a couple of months.

Hiddad

Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it also can gain access to key security details built into the OS.

Hive

Hive ransomware emerged in June 2021and uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network. Hive involves both encryption and data exfiltration and operate a “leak site” over Tor.
I

IcedID

IcedID is a banking Trojan which first emerged in September 2017. It spreads by mail spam campaigns and often uses other malwares like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography, and steals user financial data via both redirection attacks (installs a local proxy to redirect users to fake-cloned sites) and web injection attacks.
K

Kinsing

Discovered in 2020, Kinsing is a Golang cryptominer with a rootkit component. Originally designed to exploit Linux systems, Kinsing was installed on compromised servers by abusing vulnerabilities on internet facing services. Later in 2021 a Windows variant of the malware was developed as well, allowing the attackers to increase their attack surface.
L

LAPSUS$

LAPSUS$ is a data extortion group that specializes in stealing data from big companies and threatening to publish it. The group gains initial access to targets mostly via social engineering, which involves bribing or tricking employees at the target organization or at its partners. LAPSUS$ recent victims include big names such as Samsung, NVIDIA, and Okta.

LemonDuck

LemonDuck is a cryptominer first discovered in 2018, which targets Windows systems. It has advanced propagation modules, including sending malspam, RDP brute-forcing and mass-exploitation via known vulnerabilities such as BlueKeep. Over time it was observed to harvest emails and credentials, as well as to deliver other malware families, like Ramnit.

Lokibot

LokiBot is commodity infostealer for Windows. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot has been sold on hacking forums and believed to have had its source code leaked, thus allowing for a range of variants to appear. It was first identified in February 2016.
M

MaliBot

Malibot is an Android Banking malware that has been spotted targeting users in Spain and Italy. The banker disguises itself as crypto mining applications under different names and focuses on stealing financial information, crypto wallets and more personal data.

Mirai

Mirai is an infamous Internet-of-Things (IoT) malware that tracks vulnerable IoT devices, such as web cameras, modems and routers, and turns them into bots. The botnet is used by its operators to conduct massive Distributed Denial of Service (DDoS) attacks. The Mirai botnet first surfaced in September 2016 and quickly made headlines due to some large-scale attacks including a massive DDoS attack used to knock the entire country of Liberia offline, and a DDoS attack against the Internet infrastructure firm Dyn, which provides a significant portion of the United States internet's infrastructure.

Mylobot

Mylobot is a sophisticated botnet that first emerged in June 2018 and is equipped with complex evasion techniques including anti-VM, anti-sandbox, and anti-debugging techniques. The botnet allows an attacker to take complete control of the user's system, downloading any additional payload from its C&C.
N

Nanocore

NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
P

Pegasus

Pegasus is a highly sophisticated spyware which targets Android and iOS mobile devices, developed by the Israeli NSO group. The malware is offered for sale, mostly to government-related organizations and corporates. Pegasus can leverage vulnerabilities which allow it to silently jailbreak the device and install the malware. The malware infects its targets via several means: Spear phishing SMS messages which contains a malicious link or URL redirect, without any action required from the user (“Zero Click”), and more. The app features multiple spying modules such as screenshot taking, call recording, access to messaging applications, keylogging and browser history exfiltration.

Phobos

Phobos is a ransomware first detected in December 2018. It targets windows operating systems and its attack vector often includes exploiting open or poorly secured RDP ports. Phobos bears great resemblance to the Dharma ransomware, both in its ransom note and with much of its code and is thought to have been developed and used by the same group.

Phorpiex

Phorpiex is a botnet (aka Trik) that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
Q

Qbot

Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
R

Raccoon

Raccoon infostealer was first observed in April 2019. This infostealer targets Windows systems and is sold as a MaaS (Malware-as-a-Service) in underground forums.It is a simple infostealer capable of collecting browser cookies, history, login credentials, crypto currency wallets and credit card information.

Ragnar Locker

Ragnar Locker is a ransomware first discovered in Dec. 2019. It deploys sophisticated evasion techniques including deployment as a virtual machine on targeted systems to hide its activity. Ragnar was used in an attack against Portugal’s national electric company in a double-extortion act where the attackers published sensitive data stolen from the victim.

Ramnit

Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.

RedLine Stealer

RedLine Stealer is a trending Infostealer and was first observed in March 2020. Sold as a MaaS (Malware-as-a-Service), and often distributed via malicious email attachments, it has all the capabilities of modern infostealer - web browser information collection (credit card details, session cookies and autocomplete data), harvesting of cryptocurrency wallets, ability to download additional payloads, and more.

Remcos

Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windowss UAC security and execute malware with high-level privileges.

RigEK

The oldest and best known of the currently operating Exploit Kits, RigEK has been around since mid-2014. Its services are offered for sale on hacking forums and the TOR Network. Some “entrepreneurs” even re-sell low-volume infections for those malware developers not yet big enough to afford the full-fledged service. RigEK has evolved over the years to deliver anything from AZORult and Dridex to little-known ransomware and cryptominers.

Rubyminer

Rubyminer was first seen in the wild in January 2018 and targets both Windows and Linux servers. Rubyminer seeks vulnerable web servers (such as PHP, Microsoft IIS, and Ruby on Rails) to use for cryptomining, using the open source Monero miner XMRig.

Ryuk

Ryuk is a ransomware used by the TrickBot gang in targeted and well-planned attacks against several organizations worldwide. The ransomware was originally derived from the Hermes ransomware, whose technical capabilities are relatively low, and includes a basic dropper and a straight-forward encryption scheme. Nevertheless, Ryuk was able to cause severe damage to targeted organizations, forcing them to pay extremely high ransom payments in Bitcoin. Unlike common ransomware, systematically distributed via massive spam campaigns and Exploit Kits, Ryuk is used exclusively in tailored attacks.

REvil

REvil (aka Sodinokibi) is a Ransomware-as-a-service which operates an “affiliates” program and was first spotted in the wild in 2019. REvil encrypts data in the user’s directory and deletes shadow copy backups to make data recovery more difficult. In addition, REvil affiliates use various tactics to spread it, including through spam and server exploits, as well as hacking into managed service providers (MSP) backends, and through malvertising campaigns that redirect to the RIG Exploit Kit.
S

Sharkbot

Sharkbot steals credentials and banking information on Android mobile devices. Sharkbot lures victims to enter their credentials in windows that mimic benign credential input forms. When the user enters credentials in these windows, the compromised data is sent to a malicious server. The malware implements geofencing feature excluding users from China, India, Romania, Russia, Ukraine or Belarus. Sharkbot has several anti-sandbox evasion techniques.

Snake Keylogger

Snake Keylogger is a modular .NET keylogger/infostealer. Surfaced around late 2020, it grew fast in popularity among cyber criminals. Snake is capable of recording keystrokes, taking screenshots, harvesting credentials and clipboard content. It supports exfiltration of the stolen data by both HTTP and SMTP protocols.

SparrowDoor

SparrowDoor is an advanced backdoor used by the FamousSparrow APT group to spy on hotels, governments and more. It was spotted exploiting the Microsoft Exchange ProxyLogon vulnerability around March 2021. The backdoor is loaded using DLL Hijacking combined with a legitimate binary, to help bypass AV products.
T

Tofsee

Initially detected in 2013, Tofsee botnet targets Windows machines and has a variety of uses including spam distribution, DDoS attacks, crypto mining and more.

Triada

Triada which was first spotted in 2016, is a modular backdoor for Android which grants admin privileges to download another malware. Its latest version is distributed via adware development kits in WhatsApp for Android.

Trickbot

Trickbot is a modular banking Trojan, attributed to the WizardSpider cybercrime gang. Mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network. Once a machine is infected, the threat actors behind this malware, utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company-wide targeted ransomware attack.
U

Ursnif

Ursnif is a variant of the Gozi banking Trojan for Windows, whose source code has been leaked online. It has man-in-the-browser capabilities to steal banking information and credentials for popular online services. In addition, it can steal information from local email clients, browsers and cryptocurrency wallets. Finally, it can download and execute additional files on the infected system.
V

Vidar

Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.
W

WannaMine

WannaMine is a sophisticated Monero crypto-mining worm that spreads the EternalBlue exploit. WannaMine implements a spreading mechanism and persistence techniques by leveraging the Windows Management Instrumentation (WMI) permanent event subscriptions.
X

Xenomorph

An android banking Trojan, first detected in February 2022 on Google Play. Xenomorph is designed to steal banking credentials, intercept multifactor authentication codes and other user data, heavily relying on an overlay attack mechanism.

xHelper

xHelper is an Android malware which mainly shows intrusive popup ads and notification spam. It is very hard to remove once installed due to its reinstallation capabilities. First observed in March 2019, xHelper has now infected more than 45,000 devices.

XMRig

XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
Z

Zloader

Zloader is a banking malware which uses webinjects to steal credentials and private information, and can extract passwords and cookies from the victim’s web browser. It downloads VNC that allows the threat actors to connect to the victim’s system and perform financial transactions from the user’s device. First seen in 2016, the Trojan is based on leaked code of the Zeus malware from 2011. In 2020, the malware is very popular among threat actors and includes many new variants.

z0Miner

Z0Miner, first observed in November 2020 is a cryptominer which was found on thousands of servers exploited by Oracle’s WebLogic Server Remote Code Execution flaw. The group behind Z0miner has since been taking advantage of the Atlassian Confluence RCE vulnerability (CVE-2021-26084), to infect additional servers.