Organizations are being hammered by malware droppers offering threat actors with a multitude of options for multi-stage attacks. This leaves the firms at higher risks of malware threats, data theft, and compromised systems, among others.

Latest malware loader campaigns

Proofpoint researchers dissected a new variant of JSSLoader malware that offered threat actors to evade detections and load additional payloads.
  • In another research, Proofpoint uncovered a new Smoke Loader campaign that delivered data-stealing malware such as Raccoon Stealer and RedLine as final payloads. The initial infection process of the campaign involved luring victims to a fake website offering privacy tools for business and personal use.
  • Sload, also known as Starslord loader, was also spotted in a campaign targeting multiple vendors in Europe, the U.K, and Italy. The malware creators used scripts such as VBS and PowerShell as a part of their initial foothold, tricking users into executing the loader.
  • A new malware-as-a-service called Matanbuchus Loader, capable of dropping second-stage malware from C2 infrastructures, was also being used in the wild by various attackers.

Downloaders evolve to wreak more havoc

  • Not only JSSLoader has evolved to facilitate its operators with multiple options for multi-stage attacks, but another malware downloader named Buer Loader has also been revamped to help get a foothold into compromised systems without being detected.
  • Proofpoint found that the new variant called RustyBuer had affected over 200 organizations across more than 50 verticals across the globe.

Unfolding an interesting aspect

  • In a study conducted by Sophos, researchers discovered that initial stage malware such as loaders, droppers, and document-based installers are heavily relying on malicious TLS traffic to secure their access to victims’ machines.
  • Sophos explains that using TLS is a way to evade basic payload inspection. Moreover, it does not take much sophistication to leverage the protocol in a malware dropper, because TLS-enabled infrastructure to deliver malware or code snippets is freely available.

Final words

Droppers are a well-known type of malware that has been around since the early days of trojans. Besides downloading and installing malware, droppers have been observed exhibiting different behaviors that set it apart from other malware. These include searching for available security controls, connecting to suspicious websites, and attempting to hide connections with sites. Moreover, with the increased ransomware and ongoing malicious emails threats, it is expected that the growing presence of loaders is likely to witness a rise.

Cyware Publisher

Publisher

Cyware