According to the latest research results from VirusTotal, cybercriminals and threat actors are increasingly relying on imitation versions of genuine and mainstream applications such as Adobe Reader, Skype, and VLC Player to carry out social engineering attacks.
In their malware study, Google’s VirusTotal researchers revealed that cybercriminals deploy numerous approaches to abuse users’ trust in many reputable applications.
The most common tactic is to imitate legitimate apps to spread malware. In this technique, the app icon is replicated to gain victims’ trust and convince them to use the imitated app. The purpose of this strategy is to bypass security solutions such as IP or domain firewalls on devices and spread malware through trusted domains.
Another commonly used attack tactic is to steal genuine signing certificates from legitimate software vendors and use them to sign the malware. According to reports, since 2021, more than one million signed samples have been declared suspicious.
About thirteen percent of the samples checked by the Google team did not have a valid signature when first uploaded to VirusTotal, and more than ninety-nine percent of them were DLL or Windows Portable Executable files.
This happens because the process of examining the validity of a signed file can be abused by malware, said Vicente Diaz, security engineer at VirusTotal. This becomes concerning when attackers start stealing legitimate certificates and creating an ideal supply chain attack scenario.
The third technique is to embed legitimate installers as a portable executable resource in malicious samples to run the installer when malware is executed.
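The third technique leaves a recognisable trace: a dropper that carries a legitimate installer inside its own image contains a second PE header somewhere after the first. The following Python is an added triage check written for this article, not code from VirusTotal or the research it describes; it builds two constructed byte buffers shaped like PE files (a tiny MZ stub whose `e_lfanew` field points at a `PE\0\0` signature) and scans for PE headers that do not sit at offset 0. The helper names (`build_minimal_pe`, `find_pe_headers`, `embedded_pe_offsets`) are assumptions for this example.

```python
from __future__ import annotations

import struct

PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C  # offset of the e_lfanew field in the DOS header


def build_minimal_pe(tag: bytes) -> bytes:
    """Construct a buffer shaped like a PE file: an MZ DOS stub whose
    e_lfanew field points at a PE signature, followed by a tag that stands
    in for the rest of the image. Constructed test data, not a real binary."""
    e_lfanew = 0x80
    buf = bytearray(b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2))
    buf += struct.pack("<I", e_lfanew)          # e_lfanew at 0x3c..0x3f
    buf += b"\x00" * (e_lfanew - len(buf))      # pad up to the PE signature
    buf += PE_SIGNATURE
    buf += tag
    return bytes(buf)


def find_pe_headers(data: bytes) -> list[int]:
    """Return every offset at which a plausible PE header starts: an 'MZ'
    magic whose e_lfanew points inside the buffer at a PE signature."""
    hits: list[int] = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + E_LFANEW_OFFSET + 4 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)[0]
            sig = pos + e_lfanew
            # e_lfanew must reach past the DOS header and the signature
            # must lie inside the buffer.
            if e_lfanew >= 0x40 and sig + 4 <= len(data) \
                    and data[sig:sig + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def embedded_pe_offsets(data: bytes) -> list[int]:
    """Offsets of PE headers other than the outer one at offset 0. A
    non-empty result is the triage signal for a wrapped installer."""
    return [off for off in find_pe_headers(data) if off != 0]


# Constructed samples: a plain executable, and a "dropper" that carries a
# second executable 16 bytes after its own image ends.
CLEAN_SAMPLE = build_minimal_pe(b"CLEAN")
DROPPER_IMAGE = build_minimal_pe(b"DROPPER")
WRAPPED_SAMPLE = DROPPER_IMAGE + b"\x00" * 16 + build_minimal_pe(b"INSTALLER")


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("wrapped", WRAPPED_SAMPLE)):
        offsets = embedded_pe_offsets(sample)
        verdict = "embedded PE at " + ", ".join(hex(o) for o in offsets) if offsets else "none"
        print(f"{name}: {verdict}")
```

On real files this is a first-pass signal rather than a verdict: legitimate self-extracting archives and setup bundles also carry inner executables, so a hit should be followed by checking whether the inner image sits in the resource directory and whether its signature chain differs from the outer file's.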
Over 2 million suspicious files downloaded from top domains
According to the VirusTotal blog post, ten percent of the top 1,000 Alexa domains distributed suspicious samples, including domains commonly used for file distribution, and more than 2 million questionable files were downloaded from these domains.
Despite the technique’s simplicity, Diaz says, it can actually avoid raising any red flags for the victim. That’s why many channels are becoming increasingly popular as powerful malware distribution vectors. This includes the distribution of cracked software.
Most Abused Websites and Apps
The three main applications imitated are:
- Adobe Acrobat
- VLC Media Player
- Skype VoIP platform
When researchers looked at URLs using web icon similarity, WhatsApp, Instagram, Facebook, and iCloud were the four most abused sites.
“Adobe Acrobat, Skype, and 7zip are very popular and have the highest infection rate, making them probably the top three apps and icons to be aware of from a social engineering perspective.”
Additionally, VirusTotal has discovered 1,816 samples since January 2020 cloaking legitimate software by hiding malware in installers of popular software such as Zoom, Google Chrome, Proton VPN, Brave, and Mozilla Firefox.
Other apps spoofed by icon were TeamViewer, 7-Zip, CCleaner, Steam, Microsoft Edge, Zoom and WhatsApp. The abused domains included discordapp.com, squarespace.com, amazonaws.com, mediafire.com and qq.com.
Why attackers use such software and apps is still unknown, but one reason could be their popularity, Diaz said.