Tag Group
Tags that Palo Alto Networks' threat research team, Unit 42, has determined to be connected to other specific tags are grouped accordingly. These connections can be based on the genre of the malware family, the attack campaigns the tags are associated with, or the malware design. If your organization has private tags that are related to a tag group, you can add them to that group by editing the private tag settings.

You can view the individual tag groups by clicking the Groups tab on the Tag page. You can also search by the name of a tag group.
| Tag Group | Description |
|---|---|
| Ransomware | Ransomware is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. |
| MobileMalware | Mobile malware is malicious software that targets mobile phones by causing loss or leakage of confidential information. This group encompasses all mobile malware, such as Android malware. |
| PotentiallyUnwantedProgram | PUPs (Potentially Unwanted Programs) are programs that may include adware, advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs are often bundled with other software that you install. |
| Worm | A computer worm is a standalone malware family that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures to propagate across networks. |
| PointofSale | Point of Sale (POS) malware targets payment terminals with the intent to obtain credit card and/or debit card information. |
| BankingTrojan | Banking Trojans are a type of malware frequently used to steal sensitive information such as banking credentials. To do so, attackers normally inject malicious code into a website or a device; the code is frequently delivered through phishing emails. |
| ExploitKit | An exploit kit is a utility program that attackers use to launch exploits against vulnerable applications. Usually operated on a mass scale, exploit kits are often leveraged to distribute additional malware. Exploit kits are commonly packaged with exploits that target commonly installed software such as Adobe Flash and Java. |
| Cryptominer | A cryptominer hides on computers or mobile devices to surreptitiously use the machine's resources to mine cryptocurrencies. |
| Rootkit | A rootkit is malware that is designed to infect a target machine and allow an attacker to install a set of tools that grant the attacker persistent remote access to the computer. The malware typically hides deep within the operating system, firmware, and/or driver suite and can evade detection by anti-malware applications and other security tools. |
| RemoteAccessTrojan | Remote Access Trojans are programs that provide the capability for covert surveillance or unauthorized access to a victim machine. Often packaged to imitate legitimate applications, Remote Access Trojans can mimic the behavior of keylogger applications by allowing the automated collection of keystrokes, usernames, passwords, screenshots, browser history, emails, chat logs, etc. |
| Wiper | The sole intention of wiper malware is to destroy data on the target machine. Unlike other attacks such as ransomware, which often seek financial gain, wipers are typically employed to destroy data and cover the attacker's tracks. |
| Backdoor | The dropping (or downloading) of a backdoor is often the second stage of an attack, where the first stage is the infiltration of the dropper or downloader. The final stage is gaining full control of the affected system by leveraging the backdoor. In many cases, a backdoor is a payload, as the attacker can build out their command and control infrastructure once it is functioning. |
| OSXMalware | Malware that specifically relates to Apple's OSX operating system. This group includes viruses, trojans, worms, and other types of malware that affect the Apple OSX environment. |
| LinuxMalware | Includes viruses, trojans, worms, and other types of malware that affect the Linux operating system. |
| HackingTool | Hacking tools are commonly leveraged by attackers to infect, maintain, and administer victim machines, and/or to perform denial of service attacks. Some examples of hacking tools are Metasploit and Cobalt Strike. Hacking tools can also include administration tools that can be benign or malicious, such as Microsoft's PsExec or Netcat. |
| SCADA | SCADA-specific malware is designed to compromise SCADA systems by degrading system functionality. This ranges from malware affecting PLC logic to malware designed to exploit vulnerabilities in HMI software. |
| Downloader | This type of malware secretly downloads malicious files from a remote server, then installs and executes the files. |
| Dropper | A dropper is a type of Trojan that has been designed to install malware (virus, backdoor, etc.) onto a target system. A dropper is often considered one of the first stages of a compromise, since droppers typically deploy a second-stage payload or tool. |
| FileInfector | File infector malware propagates malicious files to other systems, removable devices, and networks. To do this, it seeks out and copies its malicious code into certain files (.EXE, .DLL, .SYS, .HTML, etc.). |
| DDoS | Malware that contains denial of service capabilities. |
| InternetofThingsMalware | Encompasses malware families and exploits that exhibit behaviors specifically targeting or infecting IoT software, firmware, or devices. |
| Botnet | A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, and send spam, and they allow the attacker to access each device and its connection. |
| Webshell | A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts. |
| InfoStealer | Infostealers are malicious software programs that gather confidential information from the compromised computer and send it to a predetermined location. This can include information related to the compromised computer, financial data, or user credentials for various web sites. |
| Keylogger | A keylogger is a function that records keystrokes on a computer. |
| Loader | Loaders retrieve malicious executables or payloads from an attacker-controlled server. |
| ATMMalware | ATM malware is malicious software designed to compromise automated teller machines (ATMs) by exploiting vulnerabilities in the machine's hardware or software. ATM malware is used to commit a crime known as "jackpotting", in which attackers install malware that forces ATMs to dispense large amounts of cash on command. |