FortiGuard Labs has observed a growing number of active droppers during the second quarter of 2022. These droppers include Microsoft Excel, Windows shortcut, and ISO image files, which are spread via various methods.
What do droppers do?
In this quarter, researchers spotted and analyzed three different samples. The first is an Excel file with Excel 4.0 macros, the second is an LNK file, and the third is an ISO file (optical disk image).
- The Excel file along with Excel 4.0 macros samples have mostly been used in Emotet campaigns since last year.
- The LNK file is created to point to a specific target. Double-clicking on the shortcut file executes the target.
- An ISO file is an archive file where the attackers store a malware DLL file and a malicious LNK file.
Their delivery mechanism
Researchers noticed that these dropper samples are using phishing emails combined with social engineering to trick victims into loading the malware onto their devices.
- The emails sometimes contain a password-protected ZIP as an attachment, carrying the droppers.
- In some cases, emails were accompanied by an HTML file attachment. When opened, this attachment extracted the dropper.
- Sometimes, the emails had a direct link in their body, which led to downloading the dropper on the victim's device.
Attack vectors
The droppers spread through phishing emails in three ways; a password-protected ZIP attachment, an HTML file attachment, and an email body having a link to download the dropper.
Malware groups associate with the droppers
- The common malware families used in these samples are Emotet, Qbot, and IcedID.
- In addition, the researchers have spotted the Bumblebee malware loader inside some of the ISO files.
Conclusion
The recent finding shows how actively cybercriminals are using different types of droppers according to their needs. Thus, users are suggested to deploy an email gateway protection and provide training to employees on spotting phishing emails. Having anti-malware solutions with behavior-based detection is also recommended.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/d5f0_shutterstock_1126493063.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/ab76_shutterstock_687281011.jpg)
