Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

Malicious Code Explained

Malicious code is any software or programming script that exploits software or network vulnerabilities and compromises data integrity.

Wiz Experts Team
7 aANyg+

What is malicious code?

Malicious code is any software or programming script that exploits software or network vulnerabilities and compromises data integrity. Threat actors use malicious code to steal sensitive data, corrupt files, disrupt regular operations, or hijack entire operation chains.

Arguably the leading cyberattack technique, malicious code is not easy to detect. That’s because malicious code can make its way into your systems in two ways: It may be injected or accidentally installed through any medium that transmits data—think tunnels, device ports, and social communication channels. And both first-party apps and third-party software are vulnerable to malicious code injections. When installed, malicious code attacks spread their malware to all connected endpoints via the APIs. 

But injection is only the first step of the process: It’s not the end goal. Injection creates backdoors that serve as access points for cybercriminals to realize their true aims, such as stealing sensitive information, modifying and hijacking PII for ransom, or disrupting major business functions for financial gains. 

Types and examples of malicious code

Malicious code comes in various forms, each with its own characteristics and objectives. Let’s look at some prominent examples:

Malicious code typesDescription
VirusesA virus is a kind of malicious code that infects a host file or program and self-replicates when the infected file is launched. A typical virus has a replicator and a payload. Examples include the Melissa virus.
WormsWorms function like viruses, but they don’t require file launch to spread across a network. Examples of worms include the Morris and Conficker worms.
TrojansTrojan horses appear to be legitimate software but contain malicious code. They trick users into executing their files, and once installed, they spread rapidly. Examples include the Zeus trojan, the CryptoLocker attack, and Backoff point-of-sale malware.
RansomwareRansomware is used to encrypt files on a victim's computer in an attempt to force the victim to pay a ransom in exchange for the decryption key. Examples include Locky and WannaCry.
SpywareSpyware secretly gathers information from a computer without the user’s consent and sends the data it collects to third parties. Spyware tracks online activities and browsing habits, collects personal information, or captures keystrokes.
AdwareAdware displays unwanted advertisements on affected systems. Examples include BonziBuddy and Superfish.
BotnetsBotnets are an assemblage of compromised computers controlled by a central attacker. They can be used to launch DDoS attacks or distribute spam. Examples include Zeus, Mirai, and Srizbi.
KeyloggersKeyloggers record and transmit users’ keystrokes, allowing attackers to obtain sensitive information, such as passwords and credit card numbers. Examples of keyloggers are SpyEye and DarkComet.
RootkitsRootkits hide malicious activity and provide unauthorized access to compromised systems. They often modify their host OS to evade detection. Examples include Alureon, Stuxnet, and Sony BMG rootkit.

Common methods of malicious code delivery

Let’s take a deeper dive into how threat actors deliver malicious code. Here are seven techniques to look out for: 

  • Email attachments: Attackers can attach malicious files to emails disguised as legitimate documents. To make the emails appear genuine, attackers craft enticing subject lines or impersonate trusted senders. When users download and open these attachments, the malicious code self-launches, infecting their systems. The attachments can be in various formats, including executable files (.exe), Microsoft Office documents (.doc, .xls), PDFs, or compressed files (.zip).

  • Email links: Cybercriminals send phishing emails to their target(s). The emails contain links that trigger an auto-download of malware when clicked. The links appear harmless or legitimate because the phishing URL is masked by a reputable domain name. Malicious websites host exploit kits that identify vulnerabilities in a user’s web browsers, plugins, or OS. If a vulnerability is found, the exploit kit takes advantage of it to deliver and execute the malicious code in the user’s systems. 

  • Social engineering: With social engineering, attackers bait their targets into trusting them enough to willingly perform insecure self-directed actions. Social engineering tactics exploit users' curiosity, fear, feelings of urgency, or desire for rewards. For example, attackers might masquerade as a reputable organization known to the target, sending emails or messages that trick users into believing they need to click on a link or download a file for a legitimate reason. 

  • App stores: As repositories of legitimate mobile applications, billions of people trust app stores. Attackers take advantage of this trust by uploading malicious applications, which are usually fake or counterfeit versions of recognizable apps. Once a user downloads and installs such an app, the disguised code provides the hacker with a back door to execute their attack. Although app stores are proactive in their preventative methods, attackers are constantly evolving.

  • Supply chain attacks: Supply chain attacks compromise the security of software or hardware supply chains. Attackers can inject malicious code into distribution channels and access systems as they wish. Supply chain attacks are particularly challenging to detect because the malicious code is from trusted sources and evades security measures. A recent case study is the malicious torchtriton dependency injected into the PyTorch app repository.

  • Zero-day exploits: Zero-day exploits target software apps without patches. Cybercriminals see an opportunity and strike in the window of time before a fix is developed.

  • Watering hole attacks: Watering hole attacks are when threat actors compromise online platforms that are frequently visited by a target individual or organization. The attackers inject malicious code into these legitimate sites to infect the target’s network when they browse those compromised pages. Cybercriminals may also create malicious browser extensions or plugins.

Effects and consequences of malicious code

Malicious code can have serious implications for both individuals and organizations:

  • Theft of sensitive information: The typical goal of injecting malicious code is to steal useful, very personal information (such as credit card numbers, social security numbers, and financial and health records). This stolen information is then used for various fraudulent activities, such as identity theft.

  • Compromised security controls: Malicious code may disable or modify security controls and settings like antivirus software, firewalls, and intruder detection systems, making it easier for attackers to carry out further malicious activities on compromised systems. 

  • Unusual activities and system disruptions: Malicious code can cause various disruptions to computer systems, networks, and services, rendering them inaccessible to legitimate users. Malicious code may slow down system performance, crash apps, wipe or modify data, make unexpected messages pop up, or even completely disable/take control of the affected systems. 

  • Financial loss: Recovering from a malicious code attack can be expensive, especially for large organizations. Hefty ransoms (in ransomware attacks) or the cost of restoring normalcy to company systems can be two major expenses. A malicious code attack may also require you to invest in forensic investigations, system repairs, data restoration, and improved security. Additionally, there can be regulatory or governmental fines associated with these attacks, particularly when data breaches occur.

  • Reputational damage: If an organization falls victim to a security breach caused by malicious code, it can lead to significant reputational damage. Customer trust in the organization's data integrity falls, which may trigger a mass transition to a competitor.

Preventing and detecting malicious code in the cloud

Protecting cloud environments from malicious code requires a comprehensive approach that encompasses various security measures and best practices. Here's a breakdown of effective strategies to safeguard your cloud infrastructure from malicious code:

1. Use a modern CSPM tool

Cloud Security Posture Management (CSPM) is a continuous security monitoring process that helps organizations identify and remediate security misconfigurations and vulnerabilities in their cloud environments. CSPM tools provide visibility into cloud infrastructure, configurations, and resources, enabling organizations to proactively address potential security risks before they can be exploited by attackers.

2. Enforce least privilege access

The principle of least privilege dictates that users should only be granted access to the resources and data they need to perform their job duties. This minimizes the potential damage if an account is compromised, as the attacker's access would be limited. By granting only the necessary privileges, organizations can reduce the attack surface and make it more difficult for attackers to gain unauthorized access to sensitive data or systems.

3. Leverage network segmentation

Network segmentation involves dividing a cloud environment into smaller, isolated segments to restrict the spread of malware and limit unauthorized access. This approach creates barriers between different network segments, making it more difficult for malware to propagate throughout the entire network. Segmentation can also help to isolate compromised systems, preventing them from affecting other parts of the network.

4. Deploy intrusion detection and prevention systems (IDS/IPS)

Intrusion detection systems (IDS) continuously monitor network traffic for suspicious activity, while intrusion prevention systems (IPS) actively block malicious traffic. IDS systems analyze network traffic patterns to identify potential threats, such as suspicious login attempts or malware downloads. IPS systems take a more proactive approach by intercepting and blocking malicious traffic before it can reach its intended target.

5. Regularly update software and systems

Patching vulnerabilities promptly is crucial to prevent attackers from exploiting known weaknesses. Software and system updates often include security patches that address vulnerabilities that could be exploited by attackers. Regularly updating software and systems helps to close these gaps and minimize the risk of cyberattacks.

6. Implement secure coding practices

Secure coding practices involve developing software with security in mind from the start. This includes avoiding common programming mistakes that can introduce vulnerabilities, such as input validation errors, SQL injection vulnerabilities, and cross-site scripting (XSS) flaws. By incorporating secure coding practices into the software development lifecycle, organizations can reduce the risk of malicious code being introduced into their cloud environments.

Real-life malicious code attack examples

Here are two real-life examples that emphasize the need for the security measures we’ve discussed:

Norton Healthcare attack

On May 9, 2023, a hacker group called BlackCat attacked the website and app of US-based Norton Healthcare with ransomware. The group stole files containing sensitive personal identifiable information (PII) and protected health information (PHI) and then proceeded to leak some of the files on its webpage, resulting in an FBI investigation and a lawsuit against Norton. This is a typical example of the damage that malicious code injection can cause. 

SAS Airlines attack

On May 24, 2023, a group of cyberattackers identified as Anonymous Sudan compromised the app and website of Scandinavian Airlines (SAS). SAS’s app and website went off-grid for over 22 hours. Furthermore, the hacker group accessed and published sensitive customer data, demanding $3,500 at first and later increasing their demand to $175,000.

While it remains unclear if either Norton Healthcare or SAS paid these ransoms, the attacks cost several operational hours, customer trust, huge business losses, and the organization’s reputation. And if SAS had adopted the techniques discussed above and leveraged a unified security platform, then the attacks could have been prevented in the first place.

Wiz: A unified cloud native security platform

Although the security measures provided above go a long way toward securing your systems against malicious code, implementing each best practice independently is cumbersome and time-consuming.

Wiz offers multiple cloud security solutions in a single framework, providing a streamlined approach to full visibility into every layer of your software stack. Wiz’s in-depth security scans cover all system components and expose hidden vulnerabilities for proactive patching. Get a demo today to see how Wiz can keep your environments and networks safe from vulnerabilities.

Don't let malicious code compromise your cloud

Learn why CISOs at the fastest growing companies trust Wiz to protect their cloud environments.

Get a demo

Continue reading

Cloud Investigation and Response Automation (CIRA)

Cloud investigation and response automation (CIRA) harnesses the power of advanced analytics, artificial intelligence (AI), and automation to provide organizations with real-time insights into potential security incidents within their cloud environments

What is Security by Design?

Wiz Experts Team

Security by design is a software development approach that aims to establish security as a pillar, not an afterthought, i.e., integrating security controls into software products right from the design phase.

Guide to Standard SBOM Formats

Wiz Experts Team

Two major formats dominate the SBOM ecosystem: Software Package Data Exchange (SPDX) and CycloneDX (CDX). Let’s review!