Hybrid Malware: What It Is, and What Are the Common Techniques

In this section, we’re going to talk about hybrid attacks. And this is going to be a pretty short section. I think we’ve already covered a lot of it, and it’ll become obvious as we get into the next slide. So what’s hybrid malware? Hybrid malware is just any malware that combines several malware families together to perform complex attack. And it’s typically going to feature a Trojan to act as a dropper, a worm to help propagate, and a payload such as a virus or ransomware, what the end goal is, whether it’s to exfiltrate data or just to get a hook in to do some sort of spyware activity.

And basically everything we’ve talked about so far has been a hybrid attack when you think about it. We mentioned Stuxnet and that’s a worm that’s going to do its propagation, it’s a virus that’s going to speed up the centrifuges to cause them to fail faster. Or when we talked about NotEternalBlue, when we talk about NotPetya. NotPetya had a worm component to it that’d help it replicate itself across the network. But then it was also a piece of ransomware, that was that payload. And then a lot of things that we’ve talked about have used a Trojan as the dropper, which is where we reference the phishing attack a lot, using an Office document with a malicious macro in it.

We saw that previously. And then that macro will maybe do something like execute PowerShell. So now we’re talking about a Trojan that gets in the foulest malware. And then that PowerShell maybe is going to download another file that is going to do ransomware, but the PowerShell is also going to spread throughout the network. So most things nowadays are hybrid attacks. I think that the world of malware has gotten to a point where it’s not so easy to say, “Oh, this is just ransomware”. And it has no traits of anything else. I think almost everything we see has at least more than one kind of class combined to it.

And the way that we categorize it is by which is its most dominant class. The reason that we talk about NotPetya as ransomware or Petya as ransomware is because that was the major impact from it, is that it encrypted systems. Now if the major impact of something was just that it was an incredibly fast spreading piece of malware, even if it didn’t really do much, then we call it more like a worm. Maybe that’s how we would classify that. So I think that the takeaway here is just that a lot of malware these days, if not all of it, is hybrid malware.

And it’s going to be using all of the techniques that we talked about so far, at least a lot of them. It’s going to be using your Trojans to get on to the system. It’s going to be using worms to help itself propagate. And then it’s got payload, and that payload’s going to be defined as like a virus or ransomware, adware, or spyware– something else that we’ve talked about. Yeah, and that’s it. So the next video is just going to be a quick course conclusion.