According to new research from VirusTotal, cybercriminals and other threat actors are increasingly relying on look-alikes of genuine, widely used apps such as Adobe Acrobat, Skype, and VLC media player to carry out social engineering attacks.
In their study of malware, researchers at Google’s VirusTotal revealed that cybercriminals deploy numerous approaches to abuse the trust users have in many reputable apps.
The most widespread tactic is impersonating legitimate apps to deliver malware. The real app's icon is copied so that the victim trusts the file and runs it. This is often paired with hosting the payload on a legitimate, widely trusted domain, which lets the download slip past IP- or domain-based filtering and firewall rules that would block an unknown server, so the malware spreads through domains defenders already trust.
Another common tactic is stealing authentic code-signing certificates from legitimate software vendors and using them to sign the malware. Since 2021, more than one million signed samples have reportedly been flagged as suspicious.
Around 13 percent of the samples Google's team examined did not carry a valid signature when they were first uploaded to VirusTotal, and more than 99 percent of them were DLLs or other Windows Portable Executable files.
This happens because the process of checking the validity of a signed file can be abused by malware, stated VirusTotal security engineer Vicente Diaz. This becomes concerning when attackers start stealing legitimate certificates, creating an ideal supply chain attack scenario.
The third technique is embedding a legitimate installer into the malicious sample as a Portable Executable resource, so that the real installer runs when the malware is executed.
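How a scanner can surface an installer carried inside a dropper, as an added example that is not part of VirusTotal's research or of the article: it walks a byte buffer looking for a second PE header (an "MZ" magic whose e_lfanew pointer lands on "PE\0\0"), which is what an embedded executable leaves behind whether it sits in a resource or in an appended overlay. The sample dropper, the decoy "MZ" string and the stub installer are constructed here, and the e_lfanew bound of 0x1000 is an assumed sanity limit, not a value from the PE specification.

```python
"""Heuristic scan for a Windows PE image embedded inside another file.

Droppers that carry a genuine installer as a resource (or appended overlay)
leave a second 'MZ ... PE\\0\\0' header somewhere after offset 0.  This scan
validates each 'MZ' candidate through its e_lfanew pointer before reporting it.
"""
import struct
from typing import List, Tuple

PE_SIG = b"PE\0\0"
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}   # IMAGE_FILE_MACHINE_* values


def find_embedded_pe(data: bytes, max_lfanew: int = 0x1000) -> List[Tuple[int, str]]:
    """Return (offset, machine) for every plausible PE header found after offset 0.

    A hit needs: 'MZ' magic, an e_lfanew (DOS header offset 0x3C) that lands inside
    the buffer and within `max_lfanew` (an assumed sanity bound), and 'PE\\0\\0' there.
    """
    hits = []
    pos = data.find(b"MZ", 1)              # skip the host's own header at offset 0
    while pos != -1:
        if pos + 0x40 <= len(data):        # full 64-byte DOS header available
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (0x40 <= e_lfanew <= max_lfanew
                    and pe_off + 6 <= len(data)
                    and data[pe_off:pe_off + 4] == PE_SIG):
                machine = struct.unpack_from("<H", data, pe_off + 4)[0]
                hits.append((pos, MACHINES.get(machine, hex(machine))))
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_stub_pe(machine: int, payload: bytes = b"") -> bytes:
    """Constructed minimal PE-looking blob: DOS header, e_lfanew, PE signature, COFF header.

    Not a loadable image; just enough header structure for the scan above.
    """
    dos = bytearray(b"MZ" + b"\0" * 0x3E)              # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> right after DOS header
    coff = struct.pack("<H", machine) + b"\0" * 18      # 20-byte COFF header, Machine first
    return bytes(dos) + PE_SIG + coff + payload


# Constructed sample: a "dropper" carrying a decoy 'MZ' string and a 64-bit "installer".
HOST = build_stub_pe(0x14C, b"\x90" * 64)
DECOY = b"MZ is not a PE here\0" * 3                    # 'MZ' text that must not be reported
INSTALLER = build_stub_pe(0x8664, b"genuine installer bytes")
SAMPLE = HOST + DECOY + INSTALLER

if __name__ == "__main__":
    for off, machine in find_embedded_pe(SAMPLE):
        print(f"embedded PE at offset {off:#x} ({machine})")
```

Walking the resource directory with a proper PE parser pins the payload to a named resource; the linear scan above is a triage step that also catches appended overlays. It cannot tell a legitimate installer from any other embedded executable, so a hit still has to be carved out and checked (hash, signature, and behaviour) on its own.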
Over 2 Million Suspicious Files Downloaded from Top Domains
According to VirusTotal’s blog post, 10 percent of the top 1,000 domains in the Alexa ranking had served suspicious samples, among them domains commonly used to host and share files, and more than 2 million suspicious files were downloaded from them.
Despite the technique’s simplicity, Diaz explains, it can effectively avoid raising red flags for the victim. That is why many channels are becoming popular as potent malware distribution vectors, including the distribution of cracked software.
Most Abused Websites and Apps
The three most mimicked apps were:
- Adobe Acrobat
- VLC media player
- Skype VoIP platform
When the researchers examined the URLs using web icon similarity, WhatsApp, Instagram, Facebook, and iCloud were the four most abused sites.
“Adobe Acrobat, Skype, and 7zip are very popular and have the highest infection ratio, which probably makes them the top three applications and icons to be aware of from a social engineering perspective.”
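Icon similarity of the kind the researchers describe, as an added example that is not VirusTotal's code: a perceptual "difference hash" (dHash) over a downscaled grayscale icon, compared by Hamming distance, so that a recoloured or slightly edited copy of a known icon stays within a few bits of the original while an unrelated icon does not. The icons below are constructed 16x16 grayscale matrices (a disk on a dark background, and a striped pattern), and the 10-bit threshold is an assumption chosen for the demo.

```python
"""Perceptual 'difference hash' (dHash) for spotting look-alike icons.

Icons are represented as grayscale matrices (list of rows, values 0-255).
Real tooling would decode the .ico/.png first; the icons here are constructed.
"""
from typing import Dict, List

Gray = List[List[int]]


def resize_nearest(img: Gray, width: int, height: int) -> Gray:
    """Shrink `img` to width x height with nearest-neighbour sampling."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(img: Gray, size: int = 8) -> int:
    """64-bit dHash: one bit per horizontal neighbour pair, set when left > right.

    A uniform brightness shift leaves the hash unchanged; small edits flip few bits.
    """
    small = resize_nearest(img, size + 1, size)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def find_lookalikes(reference: Gray, candidates: Dict[str, Gray],
                    max_distance: int = 10) -> List[str]:
    """Names of candidate icons whose dHash is within max_distance of the reference."""
    ref = dhash(reference)
    return [name for name, icon in candidates.items()
            if hamming(ref, dhash(icon)) <= max_distance]


# --- constructed sample icons (not real product artwork) ---
def disk_icon(size: int = 16, r2: int = 25, fg: int = 220, bg: int = 30, extra=()) -> Gray:
    """Bright disk of squared radius r2 on a dark background, plus optional stray pixels."""
    c = size // 2
    img = [[fg if (x - c) ** 2 + (y - c) ** 2 <= r2 else bg for x in range(size)]
           for y in range(size)]
    for (x, y) in extra:
        img[y][x] = fg
    return img


GENUINE = disk_icon()
# Recoloured, slightly larger disk with one stray pixel: a "mimic" of the genuine icon.
MIMIC = disk_icon(r2=30, fg=200, bg=40, extra=[(0, 0)])
# Diagonal stripes: unrelated artwork that should not match.
UNRELATED = [[220 if ((x + y) // 2) % 2 == 0 else 30 for x in range(16)] for y in range(16)]

CANDIDATES = {"mimic.ico": MIMIC, "unrelated.ico": UNRELATED}

if __name__ == "__main__":
    for name, icon in CANDIDATES.items():
        print(name, "distance", hamming(dhash(GENUINE), dhash(icon)))
    print("look-alikes:", find_lookalikes(GENUINE, CANDIDATES))
```

In practice the icon is extracted from the PE resource section or fetched as a site's favicon, decoded and converted to grayscale before hashing. A low distance to a well-known brand's icon is only a lead: combined with a signer or hosting domain that does not belong to that brand, it becomes the alert worth raising, since the hash alone says nothing about whether the file is malicious.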
Furthermore, VirusTotal found 1,816 samples since January 2020 that masqueraded as legitimate software by hiding the malware inside installers for popular programs such as Zoom, Google Chrome, Proton VPN, Brave, and Mozilla Firefox.
Other apps impersonated by icon included TeamViewer, 7-Zip, CCleaner, Steam, Microsoft Edge, Zoom, and WhatsApp. Abused domains included discordapp.com, squarespace.com, amazonaws.com, mediafire.com, and qq.com.
The reason attackers are using this particular software and these apps is not yet known, but one reason could be their popularity, Diaz stated.