MALWARE FAMILY DESCRIPTIONS
AcidRain
AcidRain is a destructive malware reported on 24 February 2022 targeting Viasat modems. Coinciding with the Russian ground invasion of Ukraine, AcidRain attack on satellite communication systems caused widespread disruption to communication systems providing services to Ukraine.
AgentTesla
AgentTesla is an advanced RAT which functions as a keylogger and password stealer and has been active since 2014. AgentTesla can monitor and collect the victim's keyboard input and system clipboard, and can record screenshots and exfiltrate credentials for a variety of software installed on a victim's machine (including Google Chrome, Mozilla Firefox and Microsoft Outlook email client). AgentTesla is sold on various online markets and hacking forums.
AlienBot
AlienBot is a banking Trojan for Android, sold underground as Malware-as-a-Service (MaaS). It supports keylogging, dynamic overlays for credentials theft, as well as SMS harvesting for 2FA bypass. Additional remote control capabilities are provided using a TeamViewer module.
Anubis
Anubis is a banking Trojan malware designed for Android mobile phones. Since it was initially detected, it has gained additional functions including Remote Access Trojan (RAT) functionality, keylogger, audio recording capabilities and various ransomware features. It has been detected on hundreds of different applications available in the Google Store.
AZORult
AZORult is a Trojan that gathers and exfiltrates data from the infected system. Once the malware is installed on a system, it can send saved passwords, local files, crypto-wallet data, and computer profile information to a remote C&C server. The Gazorp builder, available on the Dark Web, allows anyone to host an Azorult C&C server with moderately low effort.
Azov
Azov is a data wiper first reported in November 2022 and mostly being spread via SmokeLoader malware. The ransom note left on victim systems blames security researchers and political entities for the fighting in Ukraine.
Bazar
Discovered in 2020, Bazar Loader and Bazar Backdoor are used in the initial stages of infection by the WizardSpider cybercrime gang. The loader is responsible for fetching the next stages, and the backdoor is meant for persistence. The infections are usually followed by a full-scale ransomware deployment, using Conti or Ryuk.
BlackMatter
BlackMatter is a ransomware operated in a RaaS model. The malware has been active since 2021 with victims including multiple US critical infrastructure entities. BlackMatter is possibly a rebranding of the DarkSide ransomware
Bumblebee
BumbleBee is a new loader that is active since the beginning of 2022 and is used to deliver other payloads. Bumblebee payloads vary greatly based on the type of victim. Infected standalone computers will likely be hit with banking trojans or infostealers, whereas organizational networks can expect to be hit with more advanced post-exploitation tools such as CobaltStrike.
Conti
Conti ransomware emerged in 2020 and has been used since in multiple attacks against organizations worldwide. Conti ransomware is delivered as the final stage after a successful intrusion into the victims' network. Initial intrusion might be performed using spearphishing campaigns, stolen or weak credentials for RDP, or phone-based social engineering campaigns.
CryWiper
CryWiper is a data-wiping malware disguised as ransomware used in 2022 to attack Russian public sector entities. Despite payment demands displayed in a ransom note, files encrypted by CryWiper cannot be restored.
Cl0p
Cl0p is a ransomware that was first discovered in early 2019 and mostly targets large firms and corporations. During 2020, Cl0p operators began exercising a double-extortion strategy, where in addition to encrypting the victim's data, the attackers also threaten to publish stolen information unless ransom demands are met. In 2021 Cl0p ransomware was used in numerous attacks where the initial access was gained by utilizing zero-day vulnerabilities in the Accellion File Transfer Appliance.
Dracarys
Dracarys is an Android infostealer discovered in 2022, used by the Bitter APT group to steal contacts, messages, call logs, screenshots, and more.
Dridex
Dridex is a Banking Trojan turned botnet, that targets the Windows platform. It is delivered by spam campaigns and Exploit Kits, and relies on WebInjects to intercept and redirect banking credentials to an attacker-controlled server. Dridex contacts a remote server, sends information about the infected system, and can also download and execute additional modules for remote control.
Dustman / ZeroCleare
Dustman is a wiper, first detected in December 2019, targeting Middle Eastern entities. Dustman is a variant of the ZeroCleare wiper and has code similarities with Shamoon malware.
Emotet
Emotet is an advanced, self-propagating and modular Trojan. Emotet was once used to employ as a banking Trojan, and now is used as a distributer for other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, Emotet can also be spread through phishing spam emails containing malicious attachments or links.
FormBook
FormBook is an Infostealer targeting the Windows OS and was first detected in 2016. It is marketed as Malware as a Service (MaaS) in underground hacking forums for its strong evasion techniques and relatively low price. FormBook harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to orders from its C&C.
Glupteba
Known since 2011, Glupteba is a Windows backdoor which gradually matured into a botnet. By 2019 it included a C&C address update mechanism through public BitCoin lists, an integral browser stealer capability and a router exploiter.
GuLoader
GuLoader is a downloader first reported in 2019. Since then it was used to distribute various malware including Lokibot, NanoCore, Formbook, Azorult, Remcos and more.
HermeticRansom
In early 2022, HermeticRansom malware was utilized to distract victims while HermeticWiper attacks were launched against organizations in Ukraine. These attacks rendered devices inoperable and as such were destructive in nature and not financially motivated.
Hiddad
Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it also can gain access to key security details built into the OS.
Hive
Hive ransomware emerged in June 2021 and uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network. Hive involves both encryption and data exfiltration and operate a “leak site” over Tor.
Hydra
Hydra in an Android banking Trojan discovered in 2019 distributed through infected applications on Google Play Store.
IcedID
IcedID is a banking Trojan which first emerged in September 2017. It spreads by mail spam campaigns and often uses other malwares like Emotet to help it proliferate. IcedID uses evasive techniques like process injection and steganography, and steals user financial data via both redirection attacks (installs a local proxy to redirect users to fake-cloned sites) and web injection attacks.
Joker
Joker, an Android mobile malware known since 2017, is a stealer capable of accessing SMS messages, contact lists and device information. Joker generates income mostly through unauthorized subscriptions to paid premium services.
Kinsing
Discovered in 2020, Kinsing is a Golang cryptominer with a rootkit component. Originally designed to exploit Linux systems, Kinsing was installed on compromised servers by abusing vulnerabilities on internet facing services. Later in 2021 a Windows variant of the
LemonDuck
LemonDuck is a cryptominer first discovered in 2018, which targets Windows systems. It has advanced propagation modules, including sending malspam, RDP brute-forcing and mass-exploitation via known vulnerabilities such as BlueKeep. Over time it was observed to harvest emails and credentials, as well as to deliver other malware families, like Ramnit.
LockBit
LockBit is a ransomware, operating in a RaaS model, first reported in September 2019. LockBit targets large enterprises and government entities from various countries, abstaining from Russian or other Commonwealth of Independent States victims.
Lokibot
LokiBot is commodity infostealer for Windows. It harvests credentials from a variety of applications, web browsers, email clients, IT administration tools such as PuTTY, and more. LokiBot has been sold on hacking forums and believed to have had its source code leaked, thus allowing for a range of variants to appear. It was first identified in February 2016.
Mylobot
Mylobot is a sophisticated botnet that first emerged in June 2018 and is equipped with complex evasion techniques including anti-VM, anti-sandbox, and anti-debugging techniques. The botnet allows an attacker to take complete control of the user's system, downloading any additional payload from its C&C.
Nanocore
NanoCore is a Remote Access Trojan that targets Windows operating system users and was first observed in the wild in 2013. All versions of the RAT contain basic plugins and functionalities such as screen capture, crypto currency mining, remote control of the desktop and webcam session theft.
njRAT
njRAT, aka Bladabindi, is a RAT developed by the M38dHhM hacking group. First reported in 2012 it has been used primarily against targets in the Middle East.
Pegasus
Pegasus is a highly sophisticated spyware which targets Android and iOS mobile devices, developed by the Israeli NSO group. The malware is offered for sale, mostly to government-related organizations and corporates. Pegasus can leverage vulnerabilities which allow it to silently jailbreak the device and install the malware.
Phobos
Phobos is a ransomware first detected in December 2018. It targets windows operating systems and its attack vector often includes exploiting open or poorly secured RDP ports. Phobos bears great resemblance to the Dharma ransomware, both in its ransom note and with much of its code and is thought to have been developed and used by the same group.
Phorpiex
Phorpiex is a botnet that has been active since 2010 and at its peak controlled more than a million infected hosts. It is known for distributing other malware families via spam campaigns as well as fueling large-scale spam and sextortion campaigns.
Ponystealer
PonyStealer is an infostealer used for stealing passwords from a large number of applications including VPNs, FTP clients, email programs, instant messaging tools, and web browsers.
Qbot
Qbot AKA Qakbot is a banking Trojan that first appeared in 2008. It was designed to steal a user’s banking credentials and keystrokes.Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques to hinder analysis and evade detection.
Quantum
Quantum is a rasnomware operated in a RaaS model. The malware has been discovered in 2021 with victims including multiple healthcare entities. Investigators link Quantoum to ex-Conti actors.
Raccoon
Raccoon infostealer was first observed in April 2019.This infostealer targets Windows systems and is sold as a MaaS (Malware-as-a-Service) in underground forums.It is a simple infostealer capable of collecting browser cookies, history, login credentials, crypto currency wallets and credit card information.
Ramnit
Ramnit is a modular banking Trojan first discovered in 2010. Ramnit steals web session information, giving its operators the ability to steal account credentials for all services used by the victim, including bank accounts, and corporate and social networks accounts. The Trojan uses both hardcoded domains as well as domains generated by a DGA (Domain Generation Algorithm) to contact the C&C server and download additional modules.
RansomEXX
RansomEXX is a ransomware operated in a RaaS model with both Windows and Linux variants. The malware has been active since 2020 targeting mostly large corporations.
Raspberry Robin
Raspberry Robin is a multipurpose malware initially distributed through infected USB devices with worm capabilities.
RedLine Stealer
RedLine Stealer is a trending Infostealer and was first observed in March 2020. Sold as a MaaS (Malware-as-a-Service), and often distributed via malicious email attachments, it has all the capabilities of modern infostealer - web browser information collection (credit card details, session cookies and autocomplete data), harvesting of cryptocurrency wallets, ability to download additional payloads, and more.
Remcos
Remcos is a RAT that first appeared in the wild in 2016. Remcos distributes itself through malicious Microsoft Office documents, which are attached to SPAM emails, and is designed to bypass Microsoft Windows UAC security and execute malware with high-level privileges.
REvil
REvil (aka Sodinokibi) is a Ransomware-as-a-service which operates an “affiliates” program and was first spotted in the wild in 2019. REvil encrypts data in the user’s directory and deletes shadow copy backups to make data recovery more difficult. In addition, REvil affiliates use various tactics to spread it, including through spam and server exploits, as well as hacking into managed service providers (MSP) backends, and through malvertising campaigns that redirect to the RIG Exploit Kit.
Sharkbot
Sharkbot steals credentials and banking information on Android mobile devices. Sharkbot lures victims to enter their credentials in windows that mimic benign credential input forms. When the user enters credentials in these windows, the compromised data is sent to a malicious server. The malware implements geofencing feature excluding users from China, India, Romania, Russia, Ukraine or Belarus. Sharkbot has several anti-sandbox evasion techniques.
Snake Keylogger
Snake Keylogger is a modular .NET keylogger/infostealer. Surfaced around late 2020, it grew fast in popularity among cyber criminals.Snake is capable of recording keystrokes, taking screenshots, harvesting credentials and clipboard content. It supports exfiltration of the stolen data by both HTTP and SMTP protocols.
Somnia
Somnia is a type of ransomware that was deployed by the FRwL (From Russia with Love) group against Ukrainian entities in November 2022. Victims of Somnia were not asked to pay for decryption. The goal of the attackers was to disrupt systems, rather than to achieve financial gain.
Stuxnet
Stuxnet is a malicious computer worm discovered in 2010 that targeted and disrupted the Iranian nuclear program. It caused physical damage to equipment by manipulating industrial control systems and was the first publicly known example of nation-state cyberattacks.
Triada
Triada which was first spotted in 2016, is a modular backdoor for Android which grants admin privileges to download another malware. Its latest version is distributed via adware development kits in WhatsApp for Android.
Trickbot
Trickbot is a modular banking Trojan, attributed to the WizardSpider cybercrime gang. Mostly delivered via spam campaigns or other malware families such as Emotet and BazarLoader. Trickbot sends information about the infected system and can also download and execute arbitrary modules from a large array of available modules, including a VNC module for remote control and an SMB module for spreading within a compromised network. Once a machine is infected, the threat actors behind this malware, utilize this wide array of modules not only to steal banking credentials from the target PC, but also for lateral movement and reconnaissance on the targeted organization itself, prior to delivering a company-wide targeted ransomware attack.
Vidar
Vidar is an infostealer that targets Windows operating systems. First detected at the end of 2018, it is designed to steal passwords, credit card data and other sensitive information from various web browsers and digital wallets. Vidar is sold on various online forums and used as a malware dropper to download GandCrab ransomware as its secondary payload.
WannaMine
WannaMine is a sophisticated Monero crypto-mining worm that spreads the EternalBlue exploit. WannaMine implements a spreading mechanism and persistence techniques by leveraging the Windows Management Instrumentation (WMI) permanent event subscriptions.
Whispergate
WhisperGate is a destructive malware first reported in January 2022 and used to target organizations in Ukraine. The malware is one of a series of wiping malware targeting Ukrainian organizations during the Russian-Ukrainian war. WhisperGate damages the system's MBR while displaying a false ransom message.
XMRig
XMRig is open-source CPU mining software used to mine the Monero cryptocurrency. Threat actors often abuse this open-source software by integrating it into their malware to conduct illegal mining on victims’ devices.
ZeroCleare
ZeroCleare is a destructive wiper malware that was first identified in December 2020. It has been used in targeted attacks against organizations in the Middle East, and is notable for its ability to evade detection and wipe both hard drives and backup systems. ZeroCleare is believed to be the work of a state-sponsored hacking group.