Dubai - Sophos, a global leader in next-generation cybersecurity, has published new research, “Fake Pirated Software Serves Up Malware Droppers as a Service,” detailing how droppers for hire are delivering bundles of malicious and unwanted content to targets looking for “cracked” versions of popular business and consumer applications.

Sean Gallagher, senior threat researcher at Sophos, said:

“Paid download and dropper services have been around for a long time, but they continue to evolve and thrive and make money for the operators behind them. Our research suggests that this success is due in part to the fact that underground demand for account access credentials remains high, and these paid-for services enable less-skilled cybercriminals to implement bulk credential theft and cryptocurrency fraud at minimal cost.

“The dropper-as-a-service operators have also adapted to maximize their profits by bundling a range of malicious or unwanted content in each dropper, hitting victims with a raft of toxic applications in a single download.

“The last 18 months have seen millions more people working from home and often using personal devices to do that work. This has extended the risk of malicious dropper downloads to businesses and brought potentially far more lucrative corporate targets within the range of entry-level adversaries. For instance, our research uncovered droppers delivering backdoors such as Glupteba alongside information stealers such as Raccoon Stealer and Crypto Bot.

“Fortunately, when it comes to organizational security, malware delivered by droppers is easily detectable by security software, either because of its signature or its behavior. However, because malicious packages are in encrypted archives, security technologies don’t detect the malicious files until they are unpacked.”

Dropper-as-a-Service: what happens

SophosLabs recently published research into the Raccoon Stealer information stealer, which was delivered to targets as part of a malicious bundle by a dropper-as-a-service. In a follow-up to this research, SophosLabs researchers have analyzed how these dropper services deliver their multiple payloads.

Below is a diagram of what happens when someone clicks to download what they think is pirated software, but which is, in fact, a disguised malware dropper:

InstallUSD is an example of a dropper-as-a-service, and its dropper infrastructure works as follows:

Further technical details on InstallUSD are available in the research blogpost on SophosLabs Uncut.

How to defend against droppers

Sophos recommends that organizations review their security software, settings and policies to ensure they can detect and block malicious and unwanted downloads.

This includes having a robust approach to web filtering. The malware hidden inside a dropper package may only be detectable once it is unpacked, and by then it could already be inside the network. A good web filter will not only scan regular downloads but also inspect encrypted network traffic: according to Sophos research, more than half of malware now uses Transport Layer Security (TLS) encryption for its communications. Web filters also protect organizations and their employees from connecting to dangerous or untrustworthy servers in the first place, by blocking bad domains and URLs.
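As an added illustration, not code from Sophos or from the research it cites, the following Python sketch shows one policy a download filter could apply to the point above. A member of a ZIP archive whose header flags it as encrypted cannot be content-scanned before the user unpacks it, so the filter blocks such an archive outright, and routes archives that carry executables or nested archives to sandbox detonation instead of trusting a quick signature pass. The suffix lists, the verdict names and the three sample downloads are assumptions constructed for the example; the archive builder exists only because the standard library cannot write password-protected ZIPs, so it sets the encryption flag on a hand-assembled stored archive rather than performing real ZipCrypto.

```python
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Policy lists assumed for this example (not Sophos' lists): member names a
# download filter would treat as runnable payload or as a nested container.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs")
NESTED_ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")

ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0 of a ZIP entry header


@dataclass
class ArchiveReport:
    entries: int = 0
    encrypted: list = field(default_factory=list)
    executables: list = field(default_factory=list)
    nested_archives: list = field(default_factory=list)


def scan_archive(blob: bytes) -> ArchiveReport:
    """Inspect a ZIP download without extracting anything: the central
    directory already says which members are encrypted and what they are
    called, which is all the filter needs for a block/sandbox/allow decision."""
    report = ArchiveReport()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report.entries += 1
            name = info.filename.lower()
            if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                report.encrypted.append(info.filename)
            if name.endswith(EXECUTABLE_SUFFIXES):
                report.executables.append(info.filename)
            if name.endswith(NESTED_ARCHIVE_SUFFIXES):
                report.nested_archives.append(info.filename)
    return report


def triage(blob: bytes) -> str:
    """Verdict names ('block', 'sandbox', 'allow') are assumed for the example."""
    try:
        report = scan_archive(blob)
    except zipfile.BadZipFile:
        # Served as an archive but not parseable as one: do not pass it on.
        return "block"
    if report.encrypted:
        # Encrypted members cannot be content-scanned before the user unpacks
        # them, which is exactly the gap dropper packages rely on.
        return "block"
    if report.executables or report.nested_archives:
        return "sandbox"
    return "allow"


def build_stored_zip(members, encrypted=False) -> bytes:
    """Hand-assemble a minimal 'stored' (uncompressed) ZIP so the example runs
    offline. zipfile cannot write password-protected archives, so for the
    encrypted case we only set the encryption flag and pad each member with the
    12 bytes a real ZipCrypto header would occupy; the bytes are never decrypted."""
    flag = ZIP_FLAG_ENCRYPTED if encrypted else 0
    local, central = bytearray(), bytearray()
    for name, data in members:
        if encrypted:
            data = b"\x00" * 12 + data
        crc = zlib.crc32(data) & 0xFFFFFFFF
        raw_name = name.encode()
        offset = len(local)
        # Local file header (30 bytes) + name + data
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                             crc, len(data), len(data), len(raw_name), 0) + raw_name + data
        # Central directory header (46 bytes) + name
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                               crc, len(data), len(data), len(raw_name), 0, 0, 0, 0, 0, offset) + raw_name
    # End of central directory record (22 bytes)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed sample downloads (no real malware): a plain installer, a text-only
# archive, and a "cracked software" bundle whose members are password-protected.
INSTALLER_DOWNLOAD = build_stored_zip([("readme.txt", b"run setup.exe"), ("setup.exe", b"MZ\x90\x00")])
DOCS_DOWNLOAD = build_stored_zip([("notes.txt", b"nothing runnable here")])
DROPPER_DOWNLOAD = build_stored_zip(
    [("crack_v2.exe", b"MZ\x90\x00"), ("payloads.zip", b"PK\x03\x04")], encrypted=True
)

if __name__ == "__main__":
    for label, blob in [("installer", INSTALLER_DOWNLOAD), ("docs", DOCS_DOWNLOAD), ("dropper", DROPPER_DOWNLOAD)]:
        print(f"{label}: {triage(blob)}")
```

The check covers only ZIP containers; RAR and 7z, which such bundles also use, need their own parsers. The encryption flag alone says nothing about what a member contains, which is why the action on seeing it is to block rather than to attempt classification.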

Organizations should complement network security with up-to-date endpoint protection that has behavioral detection capabilities on all of the devices that employees use to remotely access work-related services.

Sophos Firewall and Intercept X for endpoints provide all this functionality and more, including ransomware protection.

Sophos also advises consumers to install a security solution, such as Sophos Home, on the devices that they and their families use for online communications and gaming to protect everyone from malware and cyberthreats. It is also good security practice to avoid downloading and installing unlicensed software from any source. Always check first to make sure it’s legitimate.

If you’d like to speak to Sean Gallagher or another Sophos expert about droppers or any other malware threat, please get in touch.

Additional resources

  • SophosLabs research related to the threats delivered by droppers includes: Glupteba malware hides in plain sight and Trash Panda as a service: Raccoon Stealer steals cookies, cryptocoins and more
  • Tactics, techniques, and procedures (TTPs) and more for different types of threats are available on SophosLabs Uncut, which provides Sophos' latest threat intelligence
  • Information on attacker behaviors, incident reports and advice for security operations professionals is available on Sophos News SecOps
  • Learn more about Sophos' Rapid Response service that contains, neutralizes and investigates attacks 24/7
  • The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team
  • Read the latest security news and views on Sophos' award-winning news website Naked Security and on Sophos News

© Press Release 2021