- Disguised As Pirated Software, Droppers Deliver Toxic Bundles of Malware, Information Stealers, Click-Fraud, and More.
Sophos has published new research, “Fake Pirated Software Serves Up Malware Droppers as a Service,” detailing how droppers for hire are delivering bundles of malicious and unwanted content to targets looking for “cracked” versions of popular business and consumer applications.
“Paid download and dropper services have been around for a long time, but they continue to evolve and thrive and make money for the operators behind them,” said Sean Gallagher, senior threat researcher at Sophos.
Research suggests that this success stems partly from persistently high underground demand for account access credentials; these paid-for services let less-skilled cybercriminals carry out bulk credential theft and cryptocurrency fraud at minimal cost.
“The dropper-as-a-service operators have also adapted to maximize their profits by bundling a range of malicious or unwanted content in each dropper, hitting victims with a raft of toxic applications in a single download,” said Gallagher.
“The last 18 months have seen millions more people working from home and often using personal devices to do that work. This has extended the risk of malicious dropper downloads to businesses and brought potentially far more lucrative corporate targets within the range of entry-level adversaries. For instance, our research uncovered droppers delivering backdoors such as Glupteba alongside information stealers such as Raccoon Stealer and Crypto Bot,” he added.
Dropper-as-a-Service: what happens
SophosLabs recently published research into the Raccoon Stealer information stealer, which was delivered to targets as part of a malicious bundle by a dropper-as-a-service. In a follow-up to this research, researchers have analyzed how these dropper services are able to deliver their multiple payloads.
Below is a diagram of what happens when someone clicks to download what they think is pirated software, but which is, in fact, a disguised malware dropper: