A dropper as a service that criminals pay to distribute their malware to thousands of potential victims • The Register

A dropper as a service, which cybercrime newbies can use to easily install their malware on the PCs of thousands of victims, was dissected and documented this week.

A dropper is a program that, when executed, executes a payload of malicious code. The Dropper is similar to a Trojan horse, and it can sometimes have other features, but its main purpose is to run malware – which can be retrieved from the Internet or unzipped from the dropper data. – running on a victim’s computer.

With a dropper as a service (DaaS), a customer pays for their malware to be distributed to these computers through dropper boxes. DaaS typically uses a network of websites to deliver droppers to victims’ PCs which, when executed, install and run client malware. The droppers could be disguised as legitimate or hacked applications that internet users are tricked into running. These kinds of operations have been around for a long time, although it doesn’t hurt to keep abreast of what’s out there right now.

While investigating the spread of information-gathering malware dubbed Raccoon Stealer, Sophos’ Sean Gallagher and Yusuf Polat discovered what they said on Wednesday to be “a network of websites acting like a” dropper as a “” service.

Dubbing this part of the “malware-industrial complex”, the Sophos duo, who were aided by Anand Ajjan and Andrew Brandt, said such services make it “relatively inexpensive for potential cybercriminals with limited skills to get started” in the criminal world. . Some of these services only charge $ 2 for 1,000 installs of malware through droppers.

The network discovered by Sophos used as bait an allegedly cracked software which was advertised on a large number of blogs; in most cases, antivirus installers who claimed to have bypassed licensing requirements. The executables finally obtained from these pages would contain a dropper. So instead of getting protection, users running this code would end up with junk files like Stop ransomware, Raccoon Stealer, Glupteba backdoor, and “a variety of malicious cryptocurrency miners,” as Sophos puts it. .

If you visited any of these pages on macOS or Linux, you would be taken to a maze of affiliate links generating traffic; if you are visiting from a Windows PC, you will probably end up receiving a .zip archive to open. So-called tracking sites would be used to determine whether or not a .zip should be offered to you. “Tracking sites and many bait blogs were behind Cloudflare’s CDN, and almost all of them were registered through Namecheap,” the Sophos pair wrote.

The downloaded .zip file contained a password protected .zip archive and a note with the required password; using password encryption is an attempt to thwart virus scanners. Once opened, the .zip file contains a program which, when executed, appears to crash – making the user think their cracked app didn’t work – but in reality it connects to the internet to recover other payloads. These range from malicious browser extensions that steal Facebook session cookies to information stealing malware called CryptBot.

Fortunately, the droppers are “easily detected” which means that in a corporate environment, at least this particular campaign should be noticed. Sophos’ full research can be read here.

Following the boom in business as a service practices in the software world in the early 2010s, malware developers were inspired by the practice of making software and its functionality available through subscription. In the mid-2010s, ransomware-as-a-service (RaaS) emerged, becoming the dominant business model for ransomware creators around the time of the 2019 extortion pandemic, while roughly in At the same time, DDoS-as-a-service has become an irritant. characteristic of life. ®


Source link

Comments are closed.