Terms & Definitions

• Access Point - A wireless network device (ex: a router) that allows other devices to communicate with a network.
• Adware (Click Fraud) - A type of malware that generates pop-up advertisements, or links to ad-laden web pages, to generate illegitimate revenue.
• Android Malware - Malware that specifically targets Android devices.
• Attack Vector - The method used by an attacker to access or penetrate a system.
• Anti-Virus - Software that can prevent, detect, and/or remove malware.
• Backdoor - Any method by which an authorized or unauthorized user can gain root access to a network or computer system.
• Back End - The parts of a computer system or program’s code that are not visible to users, but allow the system/program to function.
• Backup - A copy of a system or data for file restoration or archival purposes.
• Bandwidth - A measurement of how much data can be transmitted over a network at any given time.
• Banking Trojan - A type of Trojan that will specifically steal credentials for online banking and payment systems.
• Blockchain Technology - A system for recording and protecting information via distributed ledgers (databases) that are digitally signed and linked via cryptography.
• Bot - An automated application or script designed to perform repetitive tasks without human input.
• Botnet - A collection of systems infected with malware that receive instructions to link up and conduct malicious activity. Botnets can consist of hundreds of thousands of infected machines, and are commonly used to mine Bitcoins and launch Distributed Denial of Service (DDoS) attacks.
• Browser Hijacker - A script or piece of malware designed to take over a web browser session to carry out malicious activities. This is often used to carry out Click Fraud.
• Brute Force Password Attack - An attack designed to guess login credentials by cycling through every possible combination of letters, numbers, and characters. Complex passwords would require a significant amount of time to guess correctly.
• Buffer - Physical memory storage used to temporarily store data while it is being moved from one place to another.
• Buffer Overflow - A vulnerability in which more information can be entered in a device’s memory than is reserved for the program. Attackers exploit this vulnerability to execute malicious code or gain access to other parts of a targeted system.
• Bugs - Flaws in a system (coding mistakes, extra code, etc.) that prevent a website or program from working correctly.
• Cloud Computing (The Cloud) - Data, programs, and other computing services that are stored, accessed, and delivered over the internet, not a local system.
• Command and Control Server - A server controlled by attackers that is responsible for sending commands to infected machines.
• Command Shell - A text-based interface that allows users to run commands on a system.
• Cookie - Small pieces of data stored on the user's computer by a web browser as a way for websites to remember information about an individual’s browsing session. These are often used to track login status and advertising profiles.
• Cryptocurrency - Digital currency that has its transactions recorded and verified via Blockchain technology.
• Cryptocurrency Mining Malware (Cryptojacking) - The unauthorized use of someone else’s computer to mine cryptocurrency using a script or malware. The only sign a user might notice is slower performance or lags in execution.
• Data Center - A location used to house computer systems.
• Data Leakage - Unauthorized transfer of information from a computer or data center to the outside world.
• Data Loss - The loss of data caused by an error or malicious activity.
• Data Mining - The process of discovering patterns within large data sets to predict an outcome.
• Defacement (Web Defacement) - An attack that changes the visual appearance of a website (the digital version of graffiti) and potentially adds malware to it.
• Denial of Service (DDoS) - A single system is used to disrupt the internet use of a user or service by flooding its connection with useless information.
• Dialer - Software that dials telephone numbers automatically.
• Dictionary Attack - Password guessing attempts using files that contain lists of common passwords.
• Distributed Denial of Service (DDoS) - Multiple systems are used to disrupt service or internet connection by flooding it with useless information.
• Domain-based Message Authentication, Reporting, and Conformance (DMARC) - An email authentication policy and reporting protocol.
• Domain Name - The primary web address for a particular website and its subordinate pages. For example, in www.cisecurity[.]org/jobs, “www.cisecurity.org” would be the domain name.
• Domain Hijacking - An attack where a web address is stolen.
• Domain Name System (DNS) - Translates regular domain names (ex: www.cisecurity[.]org) to machine-readable IP addresses.
• Doxing - The publication of private information identifying an individual, often with malicious intent.
• Drive-by Download - Content is automatically downloaded when a web page is loaded by the web browser. These downloads are usually unintentional.
• DNS Hijacking (DNS redirection) - A type of attack where Domain Name Systems (DNS) queries are redirected to send users to malicious sites. Attackers can install malware on user computers, take over routers, or intercept DNS communication directly.
• Downloader (Dropper) - A type of malware (Trojan) that will download and install other malware or malicious files without the system owner’s knowledge.
• Email Bomb - An attack against an email server that is designed to inhibit its normal function, or render it completely unresponsive. Some email bombs can be accidental or self-inflicted, such as a “reply-all” email bomb.
• Encryption - Converting information from a readable form to an encoded form to prevent unauthorized use.
• Exploit - Any object (ex: a program, piece of code, etc.) that can take advantage of a vulnerability in a program or operating system.
• Exploit Kit - A pre-packaged set of exploits that use compromised sites to divert web traffic, scan for vulnerable applications, and execute malware.
• Fake Anti-Virus (FakeAV) - Malware designed to look like an anti-virus program, usually as a scam to scare victims into paying money for the “anti-virus” to clean all of the infections on a device. However the “anti-virus” can actually download malware and create a backdoor for further exploitation.
• Firewall - A system that monitors inbound/outbound network traffic and determines whether or not to allow it.
• Front End - The parts of a website that a user interacts with (ex: the home page of a news website).
• Hacktivism - Conducting cyberattacks or hacking for politically or socially motivated purposes.
• Hardware - Physical devices such as computers, phones, and their components. Hardware is the counterpart of software.
• Hashing - A mathematical process that produces a unique alphanumeric string for a specific file. This string can verify that the content of a message or data has not been tampered with in transit.
• Honeypot - A term used to describe a computer, server, or network that appears legitimate, and contains information or resources of value to attackers. Researchers use these to map how attackers behave.
• Hybrid Attack - Attacks carried out using multiple tools or methods.
• HyperText Markup Language (HTML) - Code that is used to structure a website.
• Hypertext Transfer Protocol Secure (HTTPS) - An internet communication protocol used to securely transmit information between a user’s browser and the website they are connected to.
• Indicator Sharing - Exchanging actionable threat intelligence between organizations.
• Information Disclosure Attack - An attack that takes advantage of vulnerabilities (insufficient protection of data, displaying of information in error messages, etc.) in web applications to retrieve information that could be stolen or used for further exploitation attempts.
• Infrastructure as a Service (IaaS) - The ability to rent infrastructure from a third party. An organization does not have physical control over the infrastructure but does have control over operating systems, applications, and possibly networking components (ex: firewalls).
• Infostealer - A trojan that steals information from a system and uploads that data to a remote server.
• Internet Message Access Protocol (IMAP) - The most common protocol for receiving email. IMAP stores the messages on a server, but allows a user to view and manipulate the messages as though they were stored on that individual’s device.
• Internet of Things (IoT) - Used to describe physical devices (other than computers, phones, and servers) that are connected to the internet and can collect and share data.
• iOS Malware - Malware that specifically targets iOS (Apple) devices.
• Internet Protocol (IP) Address - A unique identifying number that every device connected to the internet possesses. IP addresses allow information to be sent between devices.
• IP/GeoIP Lookup - Used to discover the location of an IP address.
• Keylogger - Application or device designed to track and record keystrokes on a system. This is usually used to steal credentials.
• Kill Chain - The process threat actors use for attacking a system. It consists of researching targets, weaponization of malware specific to the target, deployment techniques, exploiting vulnerabilities in specific software, installing malware, command and control establishment, and completing objectives.
• Local Area Network (LAN) - A network that extends over a small geographical area.
• Macros - A series of commands and instructions grouped as a single command to automate a task.
• Mainframe - A large computer capable of supporting hundreds or thousands of users simultaneously.
• Malicious Browser Extension - Browser extensions customized to compromise the security of a system.
• Malspam - A malicious spam email that delivers malware. While generic spam refers to unsolicited emails, malspam contains specific infected attachments, phishing messages, or malicious links/URLs.
• Malvertisement (Malvertising) - The use of online advertising to spread malware and compromise systems. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
• Malware - A program, software, or firmware intended to perform an unauthorized action that adversely impacts the confidentiality, integrity, or availability of a system.
• Malware Campaign - Malicious activity being carried out on a large scale against multiple targets by threat actors using certain tactics, techniques, and procedures (TTP).
• Man-in-the-Middle - When an attacker intercepts the connection between a device and the website or application in use and gains access to the user's inbound and outbound traffic.
• Mass Mailer - An automated program that distributes content to a large number of accounts.
• Mobile Malware - Malware that specifically targets mobile devices to steal data.
• Modem - A device that converts data so that it can be transmitted through a wire/cable.
• Multi-Factor Authentication (MFA) - A method that requires two or more distinct authentication factors for successful authentication. Potential factors include something you know, something you have, something you are, somewhere you are, or something you do. A common example is logging in to an account by having a code sent to your phone which you then enter on the webpage.
• Network - A group of systems that are connected and can share information.
• Network Address Translation (NAT) - A standard that enables a Local Area Network (LAN) to use multiple internal IP addresses and ensure that communications are routed to the appropriate system.
• Network as a Service (NaaS) - Third parties selling cloud-based network services.
• Patching - Updating an application to fix a vulnerability.
• Payload - Malware that an attacker delivers to a victim.
• Peer to Peer (P2P) - A group of devices connected that form a network where resources and data (ex: files) can be shared.
• Pentesting - A security exercise that simulates a cyberattack to check for vulnerabilities that an attacker could take advantage of.
• Phishing - A term used to describe spam emails that attempt to elicit a response by having the recipient click a link or open an attachment. This is commonly used to spread malware and infect users who are not aware of the dangers.
• PHP: Hypertext Processor - An open-source scripting language that is primarily used for web development.
• Platform as a Service (PaaS) - A third party that supplies an environment for an organization to develop, test, deliver, and manage software applications.
• Point of Sale Malware - Malware designed to steal payment card data from point of sale devices and systems.
• Policy Violation - Disobeying or not adhering to a company’s guidelines and policies.
• Potentially Unwanted Program (PUP) - A separate and potentially malicious program/application that is downloaded in addition to the program/application a user intended to download.
• Proxy Malware - Malware that turns infected systems into intermediaries and allows network traffic to go through them.
• Proxy Servers - Servers that act as an intermediary for internet requests. They are used to mask traffic, protect data, and prevent unauthorized access to a system.
• Quality of Service (QoS) - Technology built into networking that guarantees a certain level of performance.
• Random Access Memory (RAM) - A device’s short-term memory that stores everything currently running on the device.
• Ransomware - A type of malware designed to block access to a computer system or files until the ransom amount is paid.
• Ransomware-as-a-Service (RaaS) - A ransomware developer sells or leases their ransomware variants to individuals or groups who then use it to carry out attacks. RaaS reduces the cost to perform ransomware attacks and can provide 24x7 customer support and a platform for managing the malware.
• Read-Only Memory (ROM) - Data that cannot be removed or modified – only read. ROM can be used to store programs that start a computer, diagnostics, and firmware (ex: a cartridge used for a video game​ console). This is what allows consoles to support various games, languages, settings, etc.
• Redirector - Redirects users from a URL to one that is a phishing website in order to steal credentials.
• Remote Access Trojan (RAT) - A type of malware that allows covert surveillance, a backdoor for administrative control, and unauthorized remote access to a victim's machine. A RAT is very dangerous because it enables intruders to get remote control of the compromised computer.
• Remote Code Execution - Used to describe a vulnerability that can be exploited without physical access to the device.
• Remote Desktop - A feature in a program or operating system that allows a user to remotely connect to a computer.
• Rootkit - A set of tools installed on a system that enables an attacker to gain control of that system without being detected.
• Router - A device for networking that forwards information between computer networks.
• Scam - Fake scheme that aims to take money or other information from a victim.
• Scanning - Searching for vulnerabilities on a computer network or internet service using a program (remote scanner).
• Scareware - A malware tactic that uses pop-up ads and social engineering to manipulate individuals into believing they need to download or buy software that may appear legitimate, but could contain malware.
• Sinkhole - A server designated to capture malicious network traffic and prevent infected computers from being controlled by attackers. A sinkhole can be used to re-direct an attacker’s network traffic to a server controlled by a security organization.
• Social Engineering - Manipulating individuals with the goal of having them leak sensitive information or carry out an action.
• Software - A program or set of instructions that tells a device what to do.
• Software as a Service (SaaS) - A software application that is delivered over the internet, typically on a subscription basis.
• Spam - Unwanted email messages.
• Spear Phishing - A phishing attack or campaign targeting a specific user or entity.
• Spoofing - The act of modifying traffic or network information to impersonate another system.
• Spyware - A type of malware that enables a user to obtain information about another user’s computer activities by transmitting data covertly from their hard drive.
• SSL Certificate - A small data file that authenticates the identity of a website, and allows secure connections from a web server to a browser.
• Structured Query Language (SQL) - A programming language used for databases.
• SQL Injection (SQLi) - A web attack technique that exploits vulnerabilities in websites, allowing an attacker to query the underlying database and access information.
• Suspicious Activity - Activity that can be seen as potentially malicious, but could also have legitimate uses. For example, an IP address that is scanning a system could be from an attacker, or could be from a harmless program.
• Suspicious Domain - A domain/website that is not safe to visit because it is associated with potentially malicious activity.
• Top-Level Domain (TLD) - The part of an internet address that comes after the last “dot.” For example, in www.cisecurity[.]org, the “org” is the TLD.
• Trojan - A type of malware that disguises itself as legitimate software.
• User Agent - Software that retrieves and presents web content for users. User-Agents are lines of code in headers that identify the application, operating system, vendor, and/or version, and are often used during cyber investigations.
• Virtual Machine (VM) - Uses software instead of a physical device to run programs and applications. A VM can run multiple operating systems on the same device, with each system acting as a separate computer.
• Virus - A type of computer program that replicates itself by modifying other computer programs and inserting its own code. If this replication succeeds, the affected areas are then said to be "infected."
• Virtual Private Network (VPN) - Networks that encrypt and transmit data allowing a user to securely connect to the internet or access a remote network on an untrusted connection. This ensures that all transmitted data remains confidential.
• Voice over Internet Protocol (VoIP) - Protocol to transmit phone calls over the internet.
• Vulnerability - A flaw in hardware or software that an attacker could exploit.
• Vulnerable Software - Software that has a misconfiguration or vulnerability that could be exploited by an attacker to gain control.
• Wide Area Network (WAN) - A network that extends over a large geographical area.
• Web Cache - A piece of hardware or software that stores data such as images and font styles so that a website will load faster when visited repeatedly by a user.
• Web Servers - Used to store websites, applications, documents, etc. Web servers can be accessed through the internet by web browsers.
• Web Skimmer - A form of identity/internet payment theft, most often used to steal payment information.
• WebShell - Malicious script used to escalate access to a compromised web application.
• Worm - Malware that can self-replicate to spread to other uninfected computers while staying active on the currently infected systems.
• Wi-Fi Protected Access (WPA) - A standard of secure authentication for wireless networks.
• Zero-Day - A previously unknown vulnerability in a system that the vendor has not yet been patched. They are often exploited by attackers.

• Adobe Acrobat - A program that allows you to view, create, manipulate, print, and manage Portable Document Format (PDF) files.
• Adobe Bridge - An application that manages files across multiple Adobe programs.
• Adobe Coldfusion - A web application development platform.
• Adobe Experience Manager (AEM) - A content management system for building websites, mobile applications, and forms.
• Adobe Flash Player - A multimedia application used for internet applications, and streaming/viewing multimedia content.
• Adobe FrameMaker - A document processor.
• Adobe InDesign - An application for desktop publishing and typesetting software.
• Adobe Photoshop - A graphics editor.
• Adobe Reader - A program to view, create, manipulate, print, and manage Portable Document Format (PDF) files.
• ASP.NET - An open-source, server-side web application framework for web development.
• Android - An operating system developed by Google for mobile devices including smartphones, tablets, and watches.
• Apache Struts - An open-source framework for creating Java web applications.
• Apache Web Server - A free and open-source tool used to host websites.
• Autodesk FBX-SDK - A tool that converts content into filmbox (FBX) format (a format often used by game developers).
• BIG-IP - A family of products covering software and hardware designed around application availability, access control, and security.
• BitDefender SafePay - A protected web browser for secure, sensitive, online transactions.
• Cisco Jabber - An application that provides instant video, voice messaging, desktop sharing, and conferencing on any device.
• Citrix Application Delivery Controller - An appliance to help improve performance and security for web applications and database servers.
• Cisco Smart Software Manager - A licensing solution to assist individuals with asset management.
• Cisco Webex - A videoconferencing platform.
• Drupal - An open-source content management system.
• Google Chrome - A web browser.
• Grandstream UCM6200 Series - A system used to unify communication technologies within a business.
• HP Intelligence Management Center (iMC) - A software platform used to manage enterprise network environments.
• IBM Security Guardium Insights - A program to monitor traffic traveling across a network.
• IBM WebSphere Application Server - A software framework that hosts Java-based web applications.
• iCloud - A cloud storage service offered by Apple.
• iOS - An operating system for mobile devices including the iPhone and iPod.
• iPadOS - An operating system specifically for Apple iPads.
• Junos OS - An operating system used in Juniper Networks routers.
• Libgcrypt - An open-source software that supports encryption.
• Linux - An open-source operating system.
• macOS - An operating system for Apple computers.
• Magento - A web-based e-commerce application.
• ManageEngine ADSelfService Plus - A password management and single sign-on software offered by ZOHO Corporation.
• Microsoft Edge - A web browser.
• Microsoft Internet Explorer - A web browser.
• Microsoft Server Message Block - A network file sharing protocol that allows a user/application to request files and services over a network.
• Microsoft Teams - A cloud-based collaboration software that integrates chat, document sharing, and online meeting capabilities.
• Mozilla Firefox - A web browser.
• Mozilla Firefox ESR - A version of Mozilla Firefox offering slower feature upgrades and extended security support for enterprise organizations.
• Mozilla Thunderbird - An email client.
• Opera - A web browser.
• PAN-OS - An operating system for Palo Alto Network Appliances.
• Safari - A web browser for macOS.
• SaltStack - An open-source remote task and configuration management framework used in data centers and cloud servers.
• Skype - A videoconferencing platform.
• Slack - A messaging platform.
• SolarWinds N-Centra - A remote monitoring and management automation platform for MSPs and IT professionals.
• TeamViewer - A program used for remote control, desktop sharing, online meeting, web conferences, and file transfer.
• Treck TCP/IP Stack - A TCP/IP software library.
• tvOS - An operating system for Apple TVs.
• vBulletin - Software used to create forums.
• VMare Carbon Black App Control - A product that allows departments to monitor and control application execution on systems.
• VMware Horizon - A virtual desktop platform.
• watchOS - An operating system for Apple Watches.
• Windows OS - An operating system developed by Microsoft.
• WordPress - A web-based publishing application used to create websites.
• WordPress Elementor Pro Plugin - Allows website designers to create web pages using custom themes and widgets.
• XenMobile - Software for mobile device/mobile application management.
• Zoom - A videoconferencing platform.

Agent Tesla

• Type - Remote Access Trojan (RAT)
• Platform Targeted - Windows OS
• Motive - Credential theft
• Infection Vector - Malspam
• Tactics - Exfiltrates credentials, logs keystrokes, and captures screenshots from infected computers.
• Additional Facts - Agent Tesla is sold online as a legal keylogger product for personal use. Agent Tesla continues to evolve to evade detection by hiding parts of the malware in plain sight, and otherwise exploiting weaknesses in detection platforms.

Bit Paymer

• Type - Ransomware
• Platform Targeted - Windows OS
• Motive - Financial
• Infection Vector - Remote Desktop Protocol (RDP) compromise
• Tactics - Once an exposed RDP endpoint has been found, attackers move throughout the network, manually installing Bit Paymer on each system they can access.
• Additional Facts - Ransom demands vary depending on the size of the organization

Blaknight (HawkEye)

• Type - Infostealer
• Motive - Credential Theft
• Infection Vector - Malspam
• Tactics - Can steal keystrokes, license information from apps, and passwords from apps including browsers, file transfer protocol (used to transfer files between computers), and email.

Cerber

• Type - Ransomware
• Platform Targeted - Windows OS
• Motive - Financial
• Infection Vector - This software may be packaged with free online software or disguised as a harmless program; it is distributed by email. It may also be installed by websites using software vulnerabilities.
• Tactics - May prevent Antivirus programs, Microsoft Windows security features, or system restoration from functioning as a way to force victims to pay the ransom.
• Additional Facts - Cerber uses the Ransomware-as-a-Service (RaaS) model. There are currently no free decryptors available.

Clop

• Type - Ransomware
• Motive - Financial
• Infection Vector - Malspam, brute force of Remote Desktop Protocols (RDPs)
• Tactics - Uses digital signatures in an attempt to appear legitimate and bypass security software detection.
• Additional Facts - Clop is a variant of CryptoMix, and shares similar TTPs with Ryuk and BitPaymer.
• Coinminer
• Type - Cryptocurrency miner
• Motive - Financial
• Infection Vector - Malspam, dropped by other malware
• Tactics - Uses Windows Management Instrumentation (WMI) and Eternal Blue to spread across a network.

Cryptowall

• Type - Ransomware
• Platform Targeted - WindowsOS
• Motive - Financial
• Infection Vector - Malspam, Java Vulnerabilities, and Malvertisement
• Tactics - CryptoWall will scan the system for drive letters (different storage areas on a computer), remote access points, and removable drives (thumb drives). CryptoWall runs on both 32-bit and 64-bit systems.
• Additional Facts - Successor to the now-defunct CryptoLocker.

Danabot

• Type - Banking Trojan
• Motive - Credential theft
• Infection Vector - Malspam
• Tactics - Collects information on the infected system, uses web injections, and drops other malware.

Dridex

• Type - Trojan, Keylogger
• Motive - Financial
• Infection Vector - Malspam
• Tactics - Dridex can use DNS cache poisoning or web injection to direct users from legitimate banking sites to fake ones.

Emotet

• Type - Trojan, Infostealer
• Motive - Financial, Credential Theft
• Infection Vector - Malspam
• Tactics - Attempts to spread in a network by brute-forcing user credentials and writing to share drives. Downloads or drops other malware.
• Additional Facts - On October 6, 2020, CISA and the MS-ISAC released a joint alert after observing a significant increase in malicious actors targeting state and local governments with Emotet phishing emails.

Gh0st (Gh0stRAT)

• Type - Remote Access Trojan (RAT)
• Motive - Information theft
• Infection Vector - Malspam
• Tactics - Allows an attacker to take full control of the infected system.

Hancitor (Chanitor)

• Type - Trojan, Downloader
• Platform Targeted - Windows OS
• Motive - Data theft
• Infection Vector - Malspam
• Tactics - Drops additional malware to download Pony DLL and Vawtrak malware executables, which steal data.

Kovter

• Type - Trojan
• Platform Targeted - Windows OS
• Motive - Financial
• Infection Vector - Malspam through macro-enabled Word document attachments in email. Macros are series of commands and instructions grouped as a single command to automate a task.
• Tactics - Kovter is used for click-fraud to generate revenue.
• Additional Facts - Kovter was originally used as ransomware, but has since evolved into a file-less malware, which is used to evade file-based malware detection products.

Mirai

• Type - Botnet
• Platform Targeted - Linux OS
• Motive - Multiple
• Infection Vector - Vulnerability exploitation
• Tactics - Mirai can turn infected devices into part of a botnet that is used to perform Distributed Denial of Service (DDoS) attacks, as well as steal information from infected devices.

NanoCore

• Type - Remote Access Trojan (RAT)
• Motive - Information theft
• Infection Vector - Malspam
• Tactics - Nanocore can be used for keylogging, password theft, viewing webcam footage, screen locking, and the downloading/theft of files.

NanoLocker

• Type - Ransomware
• Platform Targeted - Windows OS
• Motive - Financial
• Infection Vector - Malspam
• Tactics - When the victim clicks on the malicious attachment, the ransomware displays a fake error and begins encrypting files silently in the background.
• Additional Facts - NanoLocker can be decrypted with a public key if caught early enough.

Ngioweb

• Type: - Botnet
• Platform Targeted - Linux, Windows OS
• Motive - Financial
• Infection Vector - Vulnerability exploitation
• Tactics - Known to target web servers running vulnerable versions of WordPress.

Phorpiex

• Type - Worm, Botnet
• Motive - Financial
• Infection Vector - Removable drives (thumb drives), network drives, malspam
• Tactics - Will download and initiate additional malware such as cryptominers or ransomware.
• Additional Facts - There was a surge of Phorpiex infections in late 2020.

Pushdo

• Type - Trojan, Botnet
• Platform Targeted - Windows OS
• Motive - Malware Propagation
• Infection Vector - Malspam
• Tactics - Known to distribute the ZeuS malware.

Qakbot (Q-bot)

• Type - Trojan, Keylogger
• Motive - Financial, credential theft
• Infection Vector - Malspam
• Tactics - Qakbot is capable of stealing credentials through user keystrokes, caching, digital certificates, session authentication data, cookies, and file transfer protocol (FTP).
• Additional Facts - Qakbot is known for its ability to evade detection while spreading all over an infected organization.

Ryuk

• Type - Ransomware
• Motive - Financial
• Infection Vector - Often dropped on a system by other malware (e.g., TrickBot) or delivered by cyber threat actors (CTAs) after compromising a system via Remote Desktop Services.
• Tactics - Ryuk is the most prevalent ransomware variant in the state, local, tribal, and territorial (SLTT) government sectors.
• Additional Facts: See the CIS security primer on Ryuk.

Shlayer

• Type - Downloader and dropper
• Platform Targeted - MacOS
• Motive - Financial
• Infection Vector - Malicious websites, hijacked domains, and malvertizments posing as a fake Adobe Flash updater.
• Tactics - Known to install adware.
• Additional Facts - Schools are more likely to be impacted by this as they have more MacOS machines than other SLTT sectors. All Shlayer domains follow the same pattern .

Snugy

• Type - PowerShell based backdoor Trojan
• Motive - Information theft
• Infection Vector - Malspam
• Tactics - Allows an attacker to obtain the system's hostname to run commands.

SocGholish

• Type - Remote Access Trojan (RAT)/Banking Trojan
• Motive - Financial
• Infection Vector - Malvertisement
• Tactics - Uses fake Flash Updates to drop a RAT.
• Additional Facts - SocGholish has been used to drop WastedLocker ransomware.

• Type - Banking Trojan
• Motive - Financial
• Infection Vector - Malspam
• Tactics - Creates a fake popup requesting login information for a bank after the user accesses the bank’s legitimate website.
• Additional Facts - Tinba is known for its small file size.

Trickbot

• Type - Infostealer
• Motive - Financial
• Infection Vector - Malspam and dropped by Emotet
• Tactics - Alters web traffic to trick a user into revealing credentials or other sensitive information to a bad actor. It has also been known to drop ransomware such as Ryuk
• Additional Facts - According to Microsoft, Trickbot has infected over a million computing devices since 2016.

• Type - Banking Trojan
• Motive - Credential Theft
• Infection Vector - Malspam and dropped by Emotet
• Tactics - Ursnif steals banking and credit card data while using keylogging to acquire passwords.
• Additional Facts - Ursnif can detect malware analysis tools and check for virtualization, which makes it difficult to detect.

ZeuS

• Type - Trojan, Keylogger
• Motive - Financial, Credential theft
• Infection Vector - Spam, Drive-by downloads, dropped
• Tactics - First creates a botnet and then steals banking credentials through website monitoring and keylogging.
• Additional Facts - ZeuS is credited for introducing the modular design concept to malware, which allows malicious actors to purchase only the functionality they require. ZeuS source code was released to the public in 2011, which led to several variants being built upon different ZeuS components.