An analysis from VirusTotal has revealed applications like Skype, Adobe Reader, 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, WhatsApp, Telegram and VLC Player have become the most impersonated software to increase the likelihood of a successful social engineering attack.
“One of the simplest social engineering tricks we’ve seen involves making a malware sample seem a legitimate program,” VirusTotal said in a Tuesday report. “The icon of these programs is a critical feature used to convince victims that these programs are legitimate.”
Compromising legitimate endpoints by tricking users into downloading and running seemingly innocuous executables is becoming more and more profuse.
How Is It Done:
By taking advantage of genuine domains in a bid to get around IP-based firewall defenses from some of the top abused domains like discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com, and qq[.]com., whose servers host the popular apps.
As an example, no fewer than 2.5 million suspicious files downloaded from 101 domains belonging to Alexa’s top 1,000 websites have been detected.
The misuse of Discord (discordapp[.]com) with the platform’s content delivery network (CDN) becoming a fertile ground for hosting malware alongside Telegram, while also offering a “perfect communications hub for attackers.”
Stolen Security Certificates
Malware can show valid certificates stolen from other software makers. The malware scanning service said it found more than one million malicious samples since January 2021, out of which 87% had a legitimate signature when they were first uploaded to its database.
Counterfeit Installers
VirusTotal said it also uncovered 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.
Legitimate Installers
Attackers manage to break into a legitimate software’s update server or gain unauthorized access to the source code, making it possible to sneak the malware in the form of malicious programming and cause havoc on supply chain logistics.
Legitimate application installers are also packed in compressed files along with the malware files. The legitimate Proton VPN installer contained malware that installs ransomware.
A third more sophisticated method incorporates the legitimate installer into the malicious sample so that the installer is also executed when the malware is giving the illusion that the software is working as intended.
“When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like the stolen certificates above) in the short and mid-term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways,” the researchers said.