Dissected: A dropper-as-a-service miscreants pay to push their malware onto potentially 1,000s of victims

Sophos gazes into the abyss


A dropper-as-a-service, which cyber-crime newbies can use to easily get their malware onto thousands of victims' PCs, has been dissected and documented this week.

A dropper is a program that, when run, executes a payload of malicious code. The dropper is similar to a trojan, and it can sometimes have other functionality, but its main purpose is to get malware – which could be fetched from the internet, or unpacked from data within the dropper – running on a victim's computer.

With a dropper-as-a-service (DaaS), a customer pays to have their malware distributed to these computers via droppers. The DaaS typically uses a network of websites to deliver droppers onto victims' PCs that when run install and execute the customer's malware. The droppers could be disguised as legit or cracked applications that netizens are tricked into running. These sorts of operations have been around for a long while, though it doesn't hurt to keep up to date with what's out there right now.

While investigating the spread of information-harvesting malware dubbed Raccoon Stealer, Sophos' Sean Gallagher and Yusuf Polat uncovered what they on Wednesday said was "a network of websites acting as a 'dropper as a service'."

Dubbing this part of the "malware-industrial complex," the Sophos duo, who were helped by Anand Ajjan and Andrew Brandt, said such services make it "relatively inexpensive for would-be cybercriminals with limited skills to get started" in the criminal underworld. Some of these services charge just $2 for 1,000 malware installs via droppers.

The network uncovered by Sophos used as bait supposedly cracked software that was advertised on a big bunch of blogs; in most cases, antivirus installers that claimed they bypassed licensing requirements. Executables ultimately obtained from these pages would contain a dropper. Thus instead of gaining protection, users running this code would end up with junk like the Stop ransomware, Raccoon Stealer, the Glupteba backdoor, and "a variety of malicious cryptocurrency miners," as Sophos put it.

If you visited one of these pages on macOS or Linux, you'd be redirected through a maze of traffic-generating affiliate links; if you visited from a Windows PC, eventually you would probably be served a .zip archive to open. So-called tracker sites would be used to determine whether or not you should be offered a .zip or not. "The tracker sites, and many of the bait blogs, were behind Cloudflare’s CDN, and almost all were registered through Namecheap," the Sophos pair wrote.

The downloaded .zip contained a password-protected .zip archive and a note with the necessary password; the use of password-based encryption is an attempt to thwart antivirus scanners. Once opened, the .zip contains a program that when run appears to crash – making the user think their cracked application didn't work – but in reality it's actually connecting to the internet to fetch further payloads. These range from malicious browser extensions that steal Facebook session cookies to info-stealing malware dubbed CryptBot.

Happily, the droppers are "easily detectable," meaning in a corporate environment at least this particular campaign should be noticed. Sophos' full research can be read here.

Following the rise of -as-a-service business practices across the software world in the early 2010s, malware developers have been inspired by the practice of making software and its functionality available via subscription. In the mid-2010s ransomware-as-a-service (RaaS) arose, becoming the dominant business model for ransomware creators by the time of the 2019 extortionware pandemic, while at around the same time DDoS-as-a-service became an irritating feature of life. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021