- WannaCry is a ransomware cryptoworm that uses the EternalBlue exploit to spread via SMB. Version 1.0 has a “killswitch” domain, which stops the encryption process.
- Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network. In October 2018, Emotet updated its Outlook scraper module to exfiltrate email content.
- ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
- Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
- CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
- Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale distributed denial of service (DDoS) attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
- NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
- Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
- Smoke Loader is distributed via malicious spam campaigns and is used to download additional pieces of malware post initial infection. After deployment Smoke Loader deletes the original executable in order to avoid detection. Additionally, the malware evades detection through the changing of its executable timestamp to avoid surfacing within recently modified files.
- Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.
