What is malicious code?
Malicious code is any software or programming script that exploits software or network vulnerabilities and compromises data integrity. Threat actors use malicious code to steal sensitive data, corrupt files, disrupt regular operations, or hijack entire operation chains.
Arguably the leading cyberattack technique, malicious code is not easy to detect. That’s because malicious code can make its way into your systems in two ways: It may be injected or accidentally installed through any medium that transmits data—think tunnels, device ports, and social communication channels. And both first-party apps and third-party software are vulnerable to malicious code injections. When installed, malicious code attacks spread their malware to all connected endpoints via the APIs.
But injection is only the first step of the process: It’s not the end goal. Injection creates backdoors that serve as access points for cybercriminals to realize their true aims, such as stealing sensitive information, modifying and hijacking PII for ransom, or disrupting major business functions for financial gains.
The 2023 Cloud Vulnerability Report
The need for vulnerability management in the cloud creates new challenges and opportunities. In this report, the Wiz Security Research team discusses how vulnerability management in the cloud requires an understanding of both Application Security (AppSec) and Cloud Security (CloudSec).
Download now
Types and examples of malicious code
Malicious code comes in various forms, each with its own characteristics and objectives. Let’s look at some prominent examples:
| Malicious code types | Description |
|---|---|
| Viruses | A virus is a kind of malicious code that infects a host file or program and self-replicates when the infected file is launched. A typical virus has a replicator and a payload. Examples include the Melissa virus. |
| Worms | Worms function like viruses, but they don’t require file launch to spread across a network. Examples of worms include the Morris and Conficker worms. |
| Trojans | Trojan horses appear to be legitimate software but contain malicious code. They trick users into executing their files, and once installed, they spread rapidly. Examples include the Zeus trojan, the CryptoLocker attack, and Backoff point-of-sale malware. |
| Ransomware | Ransomware is used to encrypt files on a victim's computer in an attempt to force the victim to pay a ransom in exchange for the decryption key. Examples include Locky and WannaCry. |
| Spyware | Spyware secretly gathers information from a computer without the user’s consent and sends the data it collects to third parties. Spyware tracks online activities and browsing habits, collects personal information, or captures keystrokes. |
| Adware | Adware displays unwanted advertisements on affected systems. Examples include BonziBuddy and Superfish. |
| Botnets | Botnets are an assemblage of compromised computers controlled by a central attacker. They can be used to launch DDoS attacks or distribute spam. Examples include Zeus, Mirai, and Srizbi. |
| Keyloggers | Keyloggers record and transmit users’ keystrokes, allowing attackers to obtain sensitive information, such as passwords and credit card numbers. Examples of keyloggers are SpyEye and DarkComet. |
| Rootkits | Rootkits hide malicious activity and provide unauthorized access to compromised systems. They often modify their host OS to evade detection. Examples include Alureon, Stuxnet, and Sony BMG rootkit. |
Common methods of malicious code delivery
Let’s take a deeper dive into how threat actors deliver malicious code. Here are seven techniques to look out for:
Email attachments: Attackers can attach malicious files to emails disguised as legitimate documents. To make the emails appear genuine, attackers craft enticing subject lines or impersonate trusted senders. When users download and open these attachments, the malicious code self-launches, infecting their systems. The attachments can be in various formats, including executable files (.exe), Microsoft Office documents (.doc, .xls), PDFs, or compressed files (.zip).
Email links: Cybercriminals send phishing emails to their target(s). The emails contain links that trigger an auto-download of malware when clicked. The links appear harmless or legitimate because the phishing URL is masked by a reputable domain name. Malicious websites host exploit kits that identify vulnerabilities in a user’s web browsers, plugins, or OS. If a vulnerability is found, the exploit kit takes advantage of it to deliver and execute the malicious code in the user’s systems.
Social engineering: With social engineering, attackers bait their targets into trusting them enough to willingly perform insecure self-directed actions. Social engineering tactics exploit users' curiosity, fear, feelings of urgency, or desire for rewards. For example, attackers might masquerade as a reputable organization known to the target, sending emails or messages that trick users into believing they need to click on a link or download a file for a legitimate reason.
App stores: As repositories of legitimate mobile applications, billions of people trust app stores. Attackers take advantage of this trust by uploading malicious applications, which are usually fake or counterfeit versions of recognizable apps. Once a user downloads and installs such an app, the disguised code provides the hacker with a back door to execute their attack. Although app stores are proactive in their preventative methods, attackers are constantly evolving.
Supply chain attacks: Supply chain attacks compromise the security of software or hardware supply chains. Attackers can inject malicious code into distribution channels and access systems as they wish. Supply chain attacks are particularly challenging to detect because the malicious code is from trusted sources and evades security measures. A recent case study is the malicious torchtriton dependency injected into the PyTorch app repository.
Zero-day exploits: Zero-day exploits target software apps without patches. Cybercriminals see an opportunity and strike in the window of time before a fix is developed.
Watering hole attacks: Watering hole attacks are when threat actors compromise online platforms that are frequently visited by a target individual or organization. The attackers inject malicious code into these legitimate sites to infect the target’s network when they browse those compromised pages. Cybercriminals may also create malicious browser extensions or plugins.
Shift Left: Build Security into Development to Reduce Risk
As organizations utilize cloud-native software development for faster product releases and innovation cycles, they need a modernized approach that operationalizes security into development processes. To effectively manage security and risk, they need complete visibility across cloud environments—without any blind spots—to keep up with the volume of releases and workloads.
Learn more
Effects and consequences of malicious code
Malicious code can have serious implications for both individuals and organizations:
Theft of sensitive information: The typical goal of injecting malicious code is to steal useful, very personal information (such as credit card numbers, social security numbers, and financial and health records). This stolen information is then used for various fraudulent activities, such as identity theft.
Compromised security controls: Malicious code may disable or modify security controls and settings like antivirus software, firewalls, and intruder detection systems, making it easier for attackers to carry out further malicious activities on compromised systems.
Unusual activities and system disruptions: Malicious code can cause various disruptions to computer systems, networks, and services, rendering them inaccessible to legitimate users. Malicious code may slow down system performance, crash apps, wipe or modify data, make unexpected messages pop up, or even completely disable/take control of the affected systems.
Financial loss: Recovering from a malicious code attack can be expensive, especially for large organizations. Hefty ransoms (in ransomware attacks) or the cost of restoring normalcy to company systems can be two major expenses. A malicious code attack may also require you to invest in forensic investigations, system repairs, data restoration, and improved security. Additionally, there can be regulatory or governmental fines associated with these attacks, particularly when data breaches occur.
Reputational damage: If an organization falls victim to a security breach caused by malicious code, it can lead to significant reputational damage. Customer trust in the organization's data integrity falls, which may trigger a mass transition to a competitor.
Security Leaders Handbook: The Strategic Guide to Cloud Security
Learn the new cloud security operating model and steps towards cloud security maturity. This practical guide helps transform security teams and processes to remove risks and support secure cloud development.
Download Handbook
Preventing and detecting malicious code in the cloud
Protecting cloud environments from malicious code requires a comprehensive approach that encompasses various security measures and best practices. Here's a breakdown of effective strategies to safeguard your cloud infrastructure from malicious code:
1. Use a modern CSPM tool
Cloud Security Posture Management (CSPM) is a continuous security monitoring process that helps organizations identify and remediate security misconfigurations and vulnerabilities in their cloud environments. CSPM tools provide visibility into cloud infrastructure, configurations, and resources, enabling organizations to proactively address potential security risks before they can be exploited by attackers.
2. Enforce least privilege access
The principle of least privilege dictates that users should only be granted access to the resources and data they need to perform their job duties. This minimizes the potential damage if an account is compromised, as the attacker's access would be limited. By granting only the necessary privileges, organizations can reduce the attack surface and make it more difficult for attackers to gain unauthorized access to sensitive data or systems.
3. Leverage network segmentation
Network segmentation involves dividing a cloud environment into smaller, isolated segments to restrict the spread of malware and limit unauthorized access. This approach creates barriers between different network segments, making it more difficult for malware to propagate throughout the entire network. Segmentation can also help to isolate compromised systems, preventing them from affecting other parts of the network.
4. Deploy intrusion detection and prevention systems (IDS/IPS)
Intrusion detection systems (IDS) continuously monitor network traffic for suspicious activity, while intrusion prevention systems (IPS) actively block malicious traffic. IDS systems analyze network traffic patterns to identify potential threats, such as suspicious login attempts or malware downloads. IPS systems take a more proactive approach by intercepting and blocking malicious traffic before it can reach its intended target.
5. Regularly update software and systems
Patching vulnerabilities promptly is crucial to prevent attackers from exploiting known weaknesses. Software and system updates often include security patches that address vulnerabilities that could be exploited by attackers. Regularly updating software and systems helps to close these gaps and minimize the risk of cyberattacks.
CI/CD Pipeline Security Best Practices
Continuous integration and continuous delivery (CI/CD) have become the backbone of modern software development, enabling rapid, reliable, and consistent delivery of software products. To bolster your CI/CD pipeline, ensuring resilience against ever-evolving threats, follow the best practices in this guide.
Read more
6. Implement secure coding practices
Secure coding practices involve developing software with security in mind from the start. This includes avoiding common programming mistakes that can introduce vulnerabilities, such as input validation errors, SQL injection vulnerabilities, and cross-site scripting (XSS) flaws. By incorporating secure coding practices into the software development lifecycle, organizations can reduce the risk of malicious code being introduced into their cloud environments.
Extend Wiz to your Developers: Enable secure cloud development with agility
New capabilities extend Wiz CNAPP to secure the entire software pipeline, enabling organizations to securely develop for the cloud.
Read moreReal-life malicious code attack examples
Here are two real-life examples that emphasize the need for the security measures we’ve discussed:
Norton Healthcare attack
On May 9, 2023, a hacker group called BlackCat attacked the website and app of US-based Norton Healthcare with ransomware. The group stole files containing sensitive personal identifiable information (PII) and protected health information (PHI) and then proceeded to leak some of the files on its webpage, resulting in an FBI investigation and a lawsuit against Norton. This is a typical example of the damage that malicious code injection can cause.
SAS Airlines attack
On May 24, 2023, a group of cyberattackers identified as Anonymous Sudan compromised the app and website of Scandinavian Airlines (SAS). SAS’s app and website went off-grid for over 22 hours. Furthermore, the hacker group accessed and published sensitive customer data, demanding $3,500 at first and later increasing their demand to $175,000.
While it remains unclear if either Norton Healthcare or SAS paid these ransoms, the attacks cost several operational hours, customer trust, huge business losses, and the organization’s reputation. And if SAS had adopted the techniques discussed above and leveraged a unified security platform, then the attacks could have been prevented in the first place.
Malicious PyTorch dependency 'torchtriton' on PyPI: everything you need to know
The developers of PyTorch (a popular machine-learning framework) recently identified a malicious dependency confusion attack on the open-source project. Security teams are advised to check for infected resources and rotate any exposed keys.
Read more
Wiz: A unified cloud native security platform
Although the security measures provided above go a long way toward securing your systems against malicious code, implementing each best practice independently is cumbersome and time-consuming.
Wiz offers multiple cloud security solutions in a single framework, providing a streamlined approach to full visibility into every layer of your software stack. Wiz’s in-depth security scans cover all system components and expose hidden vulnerabilities for proactive patching. Get a demo today to see how Wiz can keep your environments and networks safe from vulnerabilities.
Learn why CISOs at the fastest growing companies trust Wiz to protect their cloud environments.
