Threat Type Definitions
Advanced Persistent Threat (APT)—A set of stealthy and continuous computer hacking processes, often orchestrated by cyber criminals targeting a specific entity. An APT usually targets organizations and/or nations for business or political motives.
Examples: turla, vpnfilter, aggah, carbanak, seaturtle
Adware—Any software package that automatically renders advertisements in order to generate revenue for the author. The advertisements may be in the user interface of the software or presented in the web browser. Adware may cause tabs to open automatically that display advertising, make changes to the home page settings in your web browser, offer ad-supported links from search engines, or initiate redirects to advertising websites.
Examples: revizer, chinad
Backdoor—A type of trojan that enables threat actors to gain remote access and control over a system.
Examples: pterodo, servhelper, godlua
Botnet—A number of Internet-connected systems infected with malware that communicate and coordinate their actions received from command and control (C&C) servers. The infected systems are referred to as bots. The most typical uses of botnets are distributed denial-of-service (DDoS) attacks on selected targets and the propagation of spam.
Examples: brobot, xbash, robotobotnet, darknexus, goldbrute
Browser Hijacker—Any malicious code that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser or redirect to fraudulent or malicious sites. It may replace the existing home page, error page, or search page with its own. It can also redirect web requests to unwanted destinations.
Examples: eitest, darkleech
Bulletproof Hosting—A service provided by some domain hosting or web hosting firms that allows their customers considerable leniency in the kinds of material they may upload and distribute. This type of hosting is often used for spamming, phishing, and other illegal cyber activities.
Cryptojacking—The covert use of a system's computer resources to mine cryptocurrency. Cryptojacking is initiated by malware or through web crypto miners embedded in website code.
Examples: massminer, webcobra, heavensgate, webcryptominer, graboid
Cryptomining—Malware that connects to cryptomining pools, where miners group together and share resources (processing power) to mine and divide cryptocurrency, and malware built from known web cryptomining source code repositories.
DNS-Tunneling—Sends HTTP and other protocol traffic over DNS. There are various legitimate reasons to use DNS tunneling, but there are also malicious uses. Threat actors can use manipulated DNS requests to exfiltrate data from a compromised system to the attacker's infrastructure, and in some cases DNS responses are manipulated to carry C2 callbacks from the attacker's infrastructure to a compromised system. IT policy avoidance and guest WiFi abuse are also concerns.
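A defender-side illustration of the DNS tunneling entry above, added here and not part of the original page: the heuristic groups DNS queries by registered domain and flags domains that receive many distinct, long, high-entropy leftmost labels (the shape that encoded tunnel data leaves in resolver logs). The log lines, the `evil-tunnel.example` domain and the thresholds are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): "<client> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.t.evil-tunnel.example
10.0.0.7 TXT ge3dgojtgiytinjxgqzdonrwgm4dqobt.t.evil-tunnel.example
10.0.0.7 TXT nbswy3dpfqqhi2lonf2gs3thebxw4ylm.t.evil-tunnel.example
10.0.0.7 TXT krugkidrovuwg2zamjzg653oebqxezlm.t.evil-tunnel.example
10.0.0.7 TXT onswg4tfor2gk3ljmfrxg4tfebzgc5dv.t.evil-tunnel.example
10.0.0.9 A cdn.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than plain hostnames."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Crude: last two labels. Production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_domains(log: str, min_unique=4, min_label_len=24, min_entropy=3.0):
    """Flag registered domains whose leftmost labels look like encoded tunnel data."""
    stats = defaultdict(lambda: {"subs": set(), "txt": 0, "total": 0})
    for line in log.splitlines():
        _client, qtype, qname = line.split()
        reg = registered_domain(qname)
        sub = qname[: -len(reg) - 1] if len(qname) > len(reg) else ""
        st = stats[reg]
        st["total"] += 1
        st["txt"] += 1 if qtype in ("TXT", "NULL") else 0  # record types tunnels favour
        if sub:
            st["subs"].add(sub)
    flagged = {}
    for reg, st in stats.items():
        labels = [s.split(".")[0] for s in st["subs"]]  # leftmost label carries the data
        if len(labels) < min_unique:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[reg] = {"unique_subdomains": len(labels), "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2), "txt_ratio": st["txt"] / st["total"]}
    return flagged
```

Tune the thresholds against your own baseline: CDNs and some anti-spam services legitimately generate long labels, so treat a hit as a triage lead rather than a verdict.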
Drive-by Download—Any download that happens without a person's consent or knowledge.
Dropper—A program or malware component designed to "install" some sort of malware (ransomware, backdoor, etc.) on a target system. The dropper may download the malware to the target machine once it is received from the command and control server or from other remote locations.
Exploit Kit—A software kit designed to run on web servers with the purpose of identifying and exploiting software vulnerabilities in the client machines communicating with it, in order to upload and execute malicious code on the client.
Examples: lord ek, rig, grandsoft, sweetorange, angler
Fast Flux Botnet—Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.
Loader—Malware or malicious code used in the loading of a second-stage malware payload onto a victim's system. The loader is able to hide a malware payload inside the actual loader code instead of contacting a remote location to download a second-stage payload.
Examples: smokeloader, jasperloader, buer, guloader
Malvertising—Injects malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Malvertising is often used in exploit kit redirection campaigns.
Example: hookads
Mobile Trojan—A trojan designed to target and infect mobile phones running Android, iOS, Windows or other mobile operating systems.
Examples: roaming mantis, cerberus, kbuster, x-agent, asacub
Newly Seen Domains—Domains that appear in our DNS logs for the first time, with no lookups seen in the past. Once an NSD is first seen, it is added to a list from which it eventually expires and is no longer 'newly seen'. New domains are often 'spun up' as part of new malware campaigns. However, a significant portion of the domains categorized as 'newly seen' will not, in fact, be malicious, and detections of good domains are expected to occur with this security category.
Point-of-Sale Malware—Used by cybercriminals to target point-of-sale terminals with the intent of obtaining credit card and debit card information by reading device memory on the retail checkout point-of-sale system.
Examples: rtpos, dexter, backoff
Ransomware—Malware that installs covertly on a user's computer, encrypts files, and demands a ransom be paid to decrypt the files or to prevent the attacker from publishing any data publicly.
Examples: avcrypt, locky, petya, wastedlocker, wannacry
Remote Access Trojan (RAT)—Malware that allows covert surveillance or unauthorized access to a compromised system. RATs make use of specially configured communication protocols. The actions performed vary but follow typical trojan techniques: monitoring user behavior, exfiltrating data, moving laterally, and more.
Examples: gravityrat, khrat, imminent monitor, loda, parallax
Rootkit—A collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
Scareware—Malicious software or websites that use social engineering to give the perception of a threat in order to manipulate users into buying or installing unwanted software. Scareware misleads users by using fake alerts to trick them into believing there is malware on their computer and manipulates them into paying money for a fake malware removal tool or allowing an entity remote access to their system to clean the malware. Instead of remediation, the software or remote entity delivers malware to the computer.
Sinkhole—A DNS server that gives out false information to prevent the use of the domain names it represents. Traffic is redirected away from its intended target. DNS sinkholes are often used to disrupt botnet command and control servers.
Spam—An unwanted, unsolicited message received through email or SMS texts. Spam is sent to many users in bulk, often by means of a botnet. Spam can contain advertising, scams, or solicitations. In the case of malspam (malicious spam), it contains malicious attachments or links that lead to malware.
Example: hailstorm
Trojan—Malware used to compromise a system by misleading users of its true intent. Trojans typically create a backdoor, exfiltrate personal information, and can deliver additional malicious payloads.
Examples: geodo, murofet, rovnix, azorult, lokibot
Worm—Malware that replicates itself in order to spread to other computers. Worms typically spread through the computer network or removable storage devices that are shared between systems, relying on security failures on the target computer.
Examples: conficker, tempedreve