Initial-stage malware such as malware droppers, malware downloaders, and document-based installers is the new hidden threat in the cybersecurity world. New Proofpoint research has revealed some interesting aspects of dropper-based threats.
What is a Malware Dropper?
A malware dropper is a type of trojan that does exactly what its name says: it drops malware, that is, it installs viruses, backdoors, and other payloads on the targeted system. Droppers either carry the payload embedded inside them, so that they can pass detection systems without a trace, or download it once activated.
The Sophos research team observed the behavior of initial-stage malware and the infrastructure it relies on. To bypass the usual payload analysis and secure their access to the targeted machines, threat actors deliver their payloads over TLS (Transport Layer Security) traffic; this is easy for them, since TLS-enabled infrastructure for distributing malware and code snippets is available for free.
Malware Dropper in Action Through Active Campaigns
Proofpoint experts also investigated the most recent malware loader campaigns. Vendors from the UK, Italy, and Europe more broadly have been targeted by the Starslord loader (sLoad), which persuades users to execute the loader through scripts such as PowerShell and VBS, which serve as its initial foothold.
A new version of JSSLoader has also come to light and been analyzed by the same researchers. It can load additional payloads and evade detection.
Matanbuchus Loader, the newest malware-as-a-service threat, has been very active, using its C2 infrastructure to drop second-stage malware.
As Cyware notes, final payloads such as RedLine or Raccoon Stealer, whose role is data theft, have also been part of the new Smoke Loader campaign. Users are typically redirected to a website that allegedly offers services for their benefit, such as privacy tools.
Last but not least, Buer Loader has joined the group of malware dropper threats. Like JSSLoader, it facilitates multi-stage attacks and relies on evading detection, having been rewritten to gain a foothold on compromised systems.