Glossary

Advanced Threat Detection (ATD) refers broadly to a variety of evolving security techniques employed by malware analysts to detect, identify, and respond to advanced and persistent malware threats.
Cryptolocker is a ransomware family that targeted windows systems and encrypted files on a victim’s system before demanding a ransom in exchange for restored access..
The process of detecting sandbox artifacts is an evasion technique employed by certain malware families. This evasion technique involves an attempt by malware to determine the presence of a sandbox by searching for identifiable artifacts, such as common VM vendor names on files,
Digital Forensics (sometimes referred to as digital forensics science) refers to the field of modern forensics science that deals specifically with the recovery and investigation of digital materials related to acts of alleged or established cybercrimes.
Dynamic analysis refers to the process of analyzing a software program or system while it is running.
Email Threat Detection is a set of detection practices that functions to protect email infrastructure from potentially harmful, targeted malware attacks. These practices should represent the last link in a comprehensive email security apparatus which should also include other, more rudimentary anti-spam and anti-virus scanning tools for best results.
Emotet is a malware family that was first identified by cybersecurity specialists in 2014. In its earliest iterations, it functioned primarily as a banking trojan that attempted to steal financial credentials by intercepting a target system’s network traffic.
An emulation is created when an emulator device (hardware) or program (software) allows for one system (the host) to mimic the functions of a separate system (the guest). An emulation environment is most frequently used to allow a host system to run software programs, peripherals, or other devices designed for
Formbook is a family of data-stealing and form-grabbing malware often described as Malware-as-a-service (MaaS). Since early 2016, malware authors have offered Formbook variants via online hacking forums, frequently with surprisingly mundane subscription pricing models that closely mirror those of legitimate software tools.
A Golden Image is a pre-configured virtual machine (VM) template that can be applied to servers, disk drives, or desktops. It may also be referred to as a clone image or master image, and they are commonly used by system administrators to develop consistent system environments.
GuLoader is what is known as a Trojan and is used by cybercriminals to download and execute secondary malware payloads.
Hooking is a computer programming term that refers to a collection of techniques employed to change how applications or operating systems behave. Hooking involves the interception of function calls, system events, or messages, and the code snippets that perform these interceptions are called hooks.
Intelligent Monitoring is a dynamic malware analysis method that employs an agentless approach with its monitoring capabilities embedded completely in the hypervisor – i.e. outside of the virtual machine where the malware sample is detonated.
Malware analysis is the process of determining the origin, purpose, and functionality of malware samples, and is generally divided into static and dynamic analysis varieties.
A keylogger (sometimes known as a keystroke logger) refers to either a hardware device or a software program that records or ‘logs” keystrokes registered on a keyboard. However, more advanced keyloggers can also record web page visits, take screenshots, and harvest other data.
Malware-as-a-Service (MaaS) is a cybersecurity term referring to malware that is offered by Malware authors and leased to a criminal customer base, generally on a subscription model. It may best be understood in comparison to its legitimate equivalent, software-as-a-service (SaaS), such as commonly used business services like Dropbox, Slack, or
Whereas spam emails are simple unsolicited emails, malspam (or malicious spam) are spam emails that contain malicious payloads, usually in the form of infected documents or malicious URLs that redirect unknowing users to websites hosting malware.
Malvertising (or malicious advertising) is a method used by cybercriminals to distribute malware through seemingly legitimate online advertisements.
Malware (a shorthand for malicious software) refers to any software designed to specifically harm or exploit a computer, network, server, or client.
Malware Analysis is a study or process of determining the origin, purpose, functionality, and potential impact of a malware specimen.
Malware Detection refers to a collection of techniques used to detect potentially harmful malware samples. These techniques are best employed as part of a robust defense system that works to detect malware samples before they have a chance to infect a victim’s system.
A Malware sandbox is a cybersecurity term referring to a specially prepared monitoring environment that mimics an end-user operating environment.

Masslogger is a highly obfuscated spyware/stealer malware family that the VMRay Labs Team has been tracking since 2020.. Masslogger typically arrives as a seemingly benign email attachment and follows an extremely complicated, multi-stage infection process that makes it particularly difficult to detect. Once a system is fully infected, MassLogger can

Pafish (Paranoid Fish) is an open-source tool used to detect the presence of analysis environments, including debuggers, virtual machines, and sandboxes.
Qbot (also known as Qakbot, Quakbot, and Pinkslipbot) is a banking Trojan and stealer malware that has been in circulation for over a decade
Ransomware as Service (RaaS) describes a business model developed by malware authors that provides cybercriminal affiliates the ability to purchase access to ransomware tools and infrastructure to execute ransomware attacks.
Ragnarlocker is a ransomware family first observed in the wild in December 2019. Part of what sets Ragnarlocker attacks apart from many other ransomware operations is the high level of reconnaissance and pre-planning customarily observed in a fully orchestrated attack.
Ransomware is malware that infects computers and displays messages threatening to either prevent a victim from accessing data, or in some cases, threatens to publish a victim’s data publicly.
A Remote Access Trojan (RAT) is a type of malware that allows for remote, unauthorized surveillance, complete access, and administrative control of an infected system.
The term rootkit is a portmanteau of “root,” referring to the administrative account on Unix and Linux systems and a “kit” or collection of software tools that provide administrator-level access.
The term Sandbox Detection refers to a variety of evasion techniques that malware uses to determine whether or not it is being identified and executed within a sandbox.
ETD scans weblinks in emails immediately and not just when they are clicked.
Trickbot was discovered by researchers in 2016, and at that time, was a relatively straightforward banking Trojan. It mainly attempted to steal sensitive data, including usernames and passwords, bank account information, and sometimes cryptocurrency.
A Trojan is malware designed to disguise itself as a legitimate file or program. This type of malware gets its name from the mythic Greek legend of a wooden horse presented as a gift to the besieged city of Troy.
Ursnif (also known as Gozi) is a banking Trojan that generally collects system activity, records keystroke data, and keeps track of network and internet browser activity.
WastedLocker is a ransomware orchestrated by the cybercriminal organization known as Evil Corp, previously associated with other malware families, including Dridex and BitPaymer.
A Zero-Day threat (sometimes called a zero-hour threat) is malware that hasn’t been encountered before, and consequently doesn’t match the signatures of any known malware families.