Wiz Experts Team
What is malicious code?
Malicious code is any software or programming script that exploits software or network vulnerabilities and compromises data integrity. Threat actors use malicious code to steal sensitive data, corrupt files, disrupt regular operations, or hijack entire operation chains.
Arguably the leading cyberattack technique, malicious code is not easy to detect, because it can make its way into your systems in two ways: it may be deliberately injected, or it may be installed accidentally through any medium that transmits data (network tunnels, device ports, and social communication channels, for example). Both first-party apps and third-party software are vulnerable to malicious code injection. Once installed, malicious code can spread to every connected endpoint through the APIs those systems expose.
But injection is only the first step of the process, not the end goal. Injection creates backdoors that serve as access points for cybercriminals to realize their true aims, such as stealing sensitive information, modifying and hijacking PII for ransom, or disrupting major business functions for financial gain.
Malicious code comes in various forms, each with its own characteristics and objectives. Let’s look at some prominent examples:
Malicious code types and descriptions:
Viruses: A virus is a kind of malicious code that infects a host file or program and self-replicates when the infected file is launched. A typical virus has a replicator and a payload. Examples include the Melissa virus.
Worms: Worms function like viruses, but they don’t require a file launch to spread across a network. Examples of worms include the Morris and Conficker worms.
Trojans: Trojan horses appear to be legitimate software but contain malicious code. They trick users into executing their files, and once installed, they spread rapidly. Examples include the Zeus trojan, the CryptoLocker attack, and Backoff point-of-sale malware.
Ransomware: Ransomware encrypts files on a victim's computer in an attempt to force the victim to pay a ransom in exchange for the decryption key. Examples include Locky and WannaCry.
Spyware: Spyware secretly gathers information from a computer without the user’s consent and sends the data it collects to third parties. Spyware tracks online activities and browsing habits, collects personal information, or captures keystrokes.
Adware: Adware displays unwanted advertisements on affected systems. Examples include BonziBuddy and Superfish.
Botnets: A botnet is a collection of compromised computers controlled by a central attacker. Botnets can be used to launch DDoS attacks or distribute spam. Examples include Zeus, Mirai, and Srizbi.
Keyloggers: Keyloggers record and transmit users’ keystrokes, allowing attackers to obtain sensitive information such as passwords and credit card numbers. Examples of keyloggers are SpyEye and DarkComet.
Rootkits: Rootkits hide malicious activity and provide unauthorized access to compromised systems. They often modify their host OS to evade detection. Examples include Alureon, Stuxnet, and the Sony BMG rootkit.
Common methods of malicious code delivery
Let’s take a deeper dive into how threat actors deliver malicious code. Here are seven techniques to look out for:
Email attachments: Attackers can attach malicious files to emails disguised as legitimate documents. To make the emails appear genuine, attackers craft enticing subject lines or impersonate trusted senders. When users download and open these attachments, the malicious code self-launches, infecting their systems. The attachments can be in various formats, including executable files (.exe), Microsoft Office documents (.doc, .xls), PDFs, or compressed files (.zip).
Email links: Cybercriminals send phishing emails to their target(s). The emails contain links that trigger an auto-download of malware when clicked. The links appear harmless or legitimate because the phishing URL is masked by a reputable domain name. Malicious websites host exploit kits that identify vulnerabilities in a user’s web browsers, plugins, or OS. If a vulnerability is found, the exploit kit takes advantage of it to deliver and execute the malicious code in the user’s systems.
Social engineering: With social engineering, attackers bait their targets into trusting them enough to willingly perform insecure self-directed actions. Social engineering tactics exploit users' curiosity, fear, feelings of urgency, or desire for rewards. For example, attackers might masquerade as a reputable organization known to the target, sending emails or messages that trick users into believing they need to click on a link or download a file for a legitimate reason.
App stores: As repositories of legitimate mobile applications, billions of people trust app stores. Attackers take advantage of this trust by uploading malicious applications, which are usually fake or counterfeit versions of recognizable apps. Once a user downloads and installs such an app, the disguised code provides the hacker with a back door to execute their attack. Although app stores are proactive in their preventative methods, attackers are constantly evolving.
Supply chain attacks: Supply chain attacks compromise the security of software or hardware supply chains. Attackers inject malicious code into distribution channels and, through them, gain access to the systems that consume those channels. Supply chain attacks are particularly challenging to detect because the malicious code arrives from trusted sources and evades security measures. A recent case study is the malicious torchtriton dependency injected into the PyTorch package repository.
Zero-day exploits: Zero-day exploits target vulnerabilities in software for which no patch yet exists. Cybercriminals see an opportunity and strike in the window of time before a fix is developed.
Watering hole attacks: Watering hole attacks are when threat actors compromise online platforms that are frequently visited by a target individual or organization. The attackers inject malicious code into these legitimate sites to infect the target’s network when they browse those compromised pages. Cybercriminals may also create malicious browser extensions or plugins.
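The email-attachment delivery method above names the file formats attackers favour (executables, Office documents, PDFs, archives). As an added example that is not part of the original article or Wiz's own tooling, the following Python triages attachment filenames the way a mail gateway rule would: it flags executable and macro-enabled extensions, the double-extension disguise (a document extension followed by an executable one), and the right-to-left override character that some attackers use to make an executable name display as a document name. The extension sets and sample filenames are constructed for this example and are assumptions, not values from the page.

```python
from pathlib import PurePosixPath

# Extension sets for triage (constructed for this example; tune them to your environment).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs",
                   ".bat", ".cmd", ".ps1", ".hta", ".msi", ".jar"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
RTL_OVERRIDE = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE, used to disguise extensions


def triage_attachment(filename):
    """Classify an attachment filename as 'high', 'medium' or 'low' risk,
    returning (risk, reasons). The decision is based on extensions only."""
    reasons = []
    if RTL_OVERRIDE in filename:
        # The override reverses how the tail of the name is displayed, so the
        # real extension is the one that remains once the character is removed.
        reasons.append("filename contains a right-to-left override character")
        filename = filename.replace(RTL_OVERRIDE, "")

    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "medium", reasons + ["no file extension"]

    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append(f"document extension {suffixes[-2]} used as a disguise")
        return "high", reasons
    if last in MACRO_EXTS:
        return "high", reasons + [f"macro-enabled Office format {last}"]
    if last in ARCHIVE_EXTS:
        return "medium", reasons + [f"archive {last} hides its contents from extension checks"]
    if last in DOCUMENT_EXTS:
        return "low", reasons
    return "medium", reasons + [f"unrecognized extension {last}"]


# Constructed sample attachment names (not taken from real messages).
SAMPLE_ATTACHMENTS = [
    "Q3_report.docx",
    "invoice.pdf.exe",
    "statement.zip",
    "payroll.xlsm",
    "annual_report\u202efdp.exe",
]


def triage_all(filenames):
    """Run triage over a batch of filenames and return {name: (risk, reasons)}."""
    return {name: triage_attachment(name) for name in filenames}


if __name__ == "__main__":
    for name, (risk, reasons) in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{risk:6} {name!r}: {'; '.join(reasons) or 'no findings'}")
```

Extension triage is a cheap first filter, not a verdict: a "low" result still needs content inspection (macro detection, sandbox detonation), and archives should be expanded and their members triaged with the same function.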
Malicious code can have serious implications for both individuals and organizations:
Theft of sensitive information: The typical goal of injecting malicious code is to steal valuable personal information (such as credit card numbers, social security numbers, and financial and health records). This stolen information is then used for various fraudulent activities, such as identity theft.
Compromised security controls: Malicious code may disable or modify security controls and settings like antivirus software, firewalls, and intrusion detection systems, making it easier for attackers to carry out further malicious activities on compromised systems.
Unusual activities and system disruptions: Malicious code can cause various disruptions to computer systems, networks, and services, rendering them inaccessible to legitimate users. Malicious code may slow down system performance, crash apps, wipe or modify data, make unexpected messages pop up, or even completely disable/take control of the affected systems.
Financial loss: Recovering from a malicious code attack can be expensive, especially for large organizations. Hefty ransoms (in ransomware attacks) and the cost of restoring company systems to normal operation are two major expenses. A malicious code attack may also require you to invest in forensic investigations, system repairs, data restoration, and improved security. Additionally, there can be regulatory or governmental fines associated with these attacks, particularly when data breaches occur.
Reputational damage: If an organization falls victim to a security breach caused by malicious code, it can lead to significant reputational damage. Customer trust in the organization's data integrity falls, which may trigger a mass transition to a competitor.
Preventing and detecting malicious code in the cloud
Protecting cloud environments from malicious code requires a comprehensive approach that encompasses various security measures and best practices. Here's a breakdown of effective strategies to safeguard your cloud infrastructure from malicious code:
1. Use a modern CSPM tool
Cloud Security Posture Management (CSPM) is a continuous security monitoring process that helps organizations identify and remediate security misconfigurations and vulnerabilities in their cloud environments. CSPM tools provide visibility into cloud infrastructure, configurations, and resources, enabling organizations to proactively address potential security risks before they can be exploited by attackers.
2. Enforce least privilege access
The principle of least privilege dictates that users should only be granted access to the resources and data they need to perform their job duties. This minimizes the potential damage if an account is compromised, as the attacker's access would be limited. By granting only the necessary privileges, organizations can reduce the attack surface and make it more difficult for attackers to gain unauthorized access to sensitive data or systems.
3. Leverage network segmentation
Network segmentation involves dividing a cloud environment into smaller, isolated segments to restrict the spread of malware and limit unauthorized access. This approach creates barriers between different network segments, making it more difficult for malware to propagate throughout the entire network. Segmentation can also help to isolate compromised systems, preventing them from affecting other parts of the network.
4. Deploy intrusion detection and prevention systems (IDS/IPS)
Intrusion detection systems (IDS) continuously monitor network traffic for suspicious activity, while intrusion prevention systems (IPS) actively block malicious traffic. IDS systems analyze network traffic patterns to identify potential threats, such as suspicious login attempts or malware downloads. IPS systems take a more proactive approach by intercepting and blocking malicious traffic before it can reach its intended target.
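The paragraph above mentions suspicious login attempts as one pattern an IDS looks for. As an added example (not from the article, and not a Wiz product feature), the following Python implements that detection on sshd-style authentication log lines: it parses failed-password events and raises an alert for any source address with at least a threshold number of failures inside a sliding time window. The log lines are constructed for the example, and the log year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in syslog/sshd style (not real captured data).
SAMPLE_LOG = """\
Jan 10 08:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Jan 10 08:00:03 web1 sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 50123 ssh2
Jan 10 08:00:04 web1 sshd[1205]: Failed password for root from 198.51.100.7 port 50124 ssh2
Jan 10 08:00:06 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 50125 ssh2
Jan 10 08:00:09 web1 sshd[1209]: Failed password for root from 198.51.100.7 port 50126 ssh2
Jan 10 08:01:15 web1 sshd[1220]: Accepted publickey for deploy from 203.0.113.20 port 41000 ssh2
Jan 10 08:02:30 web1 sshd[1230]: Failed password for deploy from 203.0.113.20 port 41001 ssh2
Jan 10 08:02:40 web1 sshd[1231]: Accepted password for deploy from 203.0.113.20 port 41002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text, year=2024):
    """Extract (timestamp, source_ip, username) for every failed-password line.
    The year is assumed because syslog timestamps do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: peak_failures} for sources that reached `threshold`
    failed logins inside any `window_seconds`-long sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)

    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits within window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins from {ip} within 60s")
```

A single failure from the deploy host followed by a successful login is normal and produces no alert; the five rapid failures against admin and root from one address cross the threshold. In an IPS the same logic would feed a block rule for the offending source rather than only an alert.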
5. Regularly update software and systems
Patching vulnerabilities promptly is crucial to prevent attackers from exploiting known weaknesses. Software and system updates often include security patches that address vulnerabilities that could be exploited by attackers. Regularly updating software and systems helps to close these gaps and minimize the risk of cyberattacks.
6. Follow secure coding practices
Secure coding practices involve developing software with security in mind from the start. This includes avoiding common programming mistakes that can introduce vulnerabilities, such as input validation errors, SQL injection vulnerabilities, and cross-site scripting (XSS) flaws. By incorporating secure coding practices into the software development lifecycle, organizations can reduce the risk of malicious code being introduced into their cloud environments.
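The SQL injection flaw named above is the clearest case of a coding mistake that lets attacker-supplied input become code. As an added example that is not from the article, the Python below shows a login check written with string concatenation beside the same check written with a parameterized query, against an in-memory SQLite table. The table, the user row and the stored hash value are constructed for the example; password hashing itself is outside its scope, so the stored value is a placeholder string.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Placeholder hash value; a real system stores the output of a password hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Concatenates input into the SQL text, so quote characters in the input
    change the query's structure instead of being treated as data."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    """Binds inputs as parameters: the database receives the SQL and the
    values separately, so the values can never be parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def compare(username, password_hash):
    """Run both variants on the same input and return their verdicts."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password_hash),
            "safe": login_safe(conn, username, password_hash),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("correct credential:", compare("alice", "hash-of-correct-password"))
    print("wrong credential:  ", compare("alice", "not-the-hash"))
    # A quote-bearing value that turns the concatenated WHERE clause into a tautology.
    print("injected value:    ", compare("alice", "' OR '1'='1"))
```

The injected value is accepted by the concatenated version because the closing quote ends the string literal early and the rest is evaluated as SQL; the parameterized version compares the whole value against the stored column and rejects it. The same separation of code from data is the fix for the other injection classes the paragraph lists.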
Here are two real-life examples that emphasize the need for the security measures we’ve discussed:
Norton Healthcare attack
On May 9, 2023, a hacker group called BlackCat attacked the website and app of US-based Norton Healthcare with ransomware. The group stole files containing sensitive personally identifiable information (PII) and protected health information (PHI) and then proceeded to leak some of the files on its webpage, resulting in an FBI investigation and a lawsuit against Norton. This is a typical example of the damage that malicious code injection can cause.
SAS Airlines attack
On May 24, 2023, a group of cyberattackers identified as Anonymous Sudan compromised the app and website of Scandinavian Airlines (SAS). SAS’s app and website went off-grid for over 22 hours. Furthermore, the hacker group accessed and published sensitive customer data, demanding $3,500 at first and later increasing their demand to $175,000.
While it remains unclear whether either Norton Healthcare or SAS paid these ransoms, the attacks cost both organizations hours of operation, customer trust, and significant business losses, and damaged their reputations. And if SAS had adopted the techniques discussed above and leveraged a unified security platform, the attacks could have been prevented in the first place.
Although the security measures provided above go a long way toward securing your systems against malicious code, implementing each best practice independently is cumbersome and time-consuming.
Wiz offers multiple cloud security solutions in a single framework, providing a streamlined approach to full visibility into every layer of your software stack. Wiz’s in-depth security scans cover all system components and expose hidden vulnerabilities for proactive patching. Get a demo today to see how Wiz can keep your environments and networks safe from vulnerabilities.