VirusTotal: Threat Actors Mimic Legitimate Apps, Use Stolen Certs to Spread Malware

Attackers are turning to stolen code-signing certificates and posing as trusted applications to socially engineer victims, according to a Google study of malware submitted to VirusTotal.


A study of malware submitted to VirusTotal shows cybercriminals and other threat actors are deploying a variety of abuse-of-trust approaches to spread malware and to dodge traditional defenses, often exploiting the implicit trust between a reputable software supplier and the user.

Google Cloud's VirusTotal research team identified several common methods, including distributing malware through legitimate channels and mimicking legitimate applications. Malware served from a legitimate domain can often slip past traditional perimeter defenses such as domain- or IP-based blocklists; the report says that 10% of the top 1,000 Alexa domains have distributed suspicious samples.

In total, Google found more than 2 million suspicious files downloaded from legitimate Alexa domains, including domains regularly used for file distribution. Another vector is the theft of code-signing certificates from legitimate software makers, which are then used to sign malware. Since 2021, more than 1 million signed samples have been flagged as suspicious, according to the report.

Even when samples carried invalid or revoked certificates, victims often failed to check the certificates' validity. Nearly 13% of the samples did not have a valid signature when first uploaded to VirusTotal, and more than 99% of them were Windows Portable Executable (PE) or DLL files, according to the report.

"We were surprised at how many signed malware samples we found, many of them appearing as valid at the time of the analysis," says Vicente Diaz, a VirusTotal security engineer. "Unfortunately, the process of checking if a signed file is valid is not trivial and can be abused by malware to avoid different security measures or, once again, abuse the victim's trust."

This is especially worrisome when attackers steal legitimate certificates, which creates a near-perfect setup for supply chain attacks. Attackers are also increasingly deploying malware disguised as legitimate software, a basic social engineering technique that is gaining traction: the application's icon, which the victim recognizes and trusts, is used to convince them the app is legitimate.

"Most of the time, we saw this technique being abused by attackers in relatively simple attacks, with legitimate software being a decoy for the victim," Diaz says. "In other words, this means installing both the malware and the software that the victim thought they were legitimately installing."

He explains that despite its simplicity, this technique can still be effective and avoid raising the alarm for the victim. "We also believe this might be a growing trend as some channels seem to be gaining popularity as malware distribution vectors, including distribution of cracked software and similar — which makes a perfect scenario for these kinds of attacks," Diaz says.

The popular VoIP platform Skype, Adobe Acrobat, and media player VLC comprised the top three most mirrored app icons, according to the report. "Adobe Acrobat, Skype and 7zip are very popular and have the highest infection ratio, which probably makes them the top three applications and icons to be aware of from a social engineering perspective," the report notes.
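The two observations above, that a "signed" file is not the same as a validly signed file from the expected publisher, and that malware borrows the icons and metadata of Acrobat, Skype, VLC or 7-Zip, can be turned into one local triage check. The PowerShell below is an added example written for this page; it is not code from the VirusTotal report or from Google. It assumes Windows PowerShell 5.1 or later on a Windows host, and the publisher allowlist (`$ExpectedSignerByCompany`) is a hypothetical placeholder whose values you should replace with the signer names observed on known-good installs in your own environment.

```powershell
# Added example, not from the VirusTotal report. Triage downloaded PE files:
# signature status, an explicit revocation check of the signer chain, and a
# comparison between the publisher the file *claims* in its version resource
# and the publisher that actually signed it.

# Hypothetical allowlist: substring of VersionInfo.CompanyName -> substring
# expected in the signer certificate's simple name. Replace with values you
# have verified yourself; these are illustrative only.
$ExpectedSignerByCompany = @{
    'Adobe'    = 'Adobe'
    'Skype'    = 'Skype'
    'VideoLAN' = 'VideoLAN'
    'Igor'     = 'Igor Pavlov'   # 7-Zip author; adjust if your copy is unsigned
}

function Test-DownloadedExecutable {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [hashtable] $ExpectedSigner = $ExpectedSignerByCompany
    )

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $info     = (Get-Item -LiteralPath $Path).VersionInfo
    $findings = New-Object System.Collections.Generic.List[string]
    $signerCN = $null

    # 1. Anything other than Valid is a finding (unsigned, tampered, untrusted).
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status $($sig.Status): $($sig.StatusMessage)")
    }

    if ($sig.SignerCertificate) {
        $signerCN = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)

        # 2. Build the chain ourselves with online revocation for the whole
        #    chain and the code-signing EKU required. A stolen certificate is
        #    usually revoked eventually, and this surfaces whether the
        #    revocation check actually ran (OfflineRevocation /
        #    RevocationStatusUnknown) instead of silently passing.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode  = 'Online'
        $chain.ChainPolicy.RevocationFlag  = 'EntireChain'
        $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
        if (-not $chain.Build($sig.SignerCertificate)) {
            foreach ($s in $chain.ChainStatus) {
                # An expired signer is expected on an old, timestamped
                # signature; only report it when there is no timestamp.
                if ($s.Status -eq 'NotTimeValid' -and $sig.TimeStamperCertificate) { continue }
                $findings.Add("chain: $($s.Status) - $($s.StatusInformation.Trim())")
            }
        }

        # 3. Does the signer match the publisher the file claims to be?
        #    Mimicked icons usually come with mimicked CompanyName strings.
        $company = [string]$info.CompanyName
        $key = $ExpectedSigner.Keys | Where-Object { $company -like "*$_*" } | Select-Object -First 1
        if ($key -and $signerCN -notlike "*$($ExpectedSigner[$key])*") {
            $findings.Add("version info claims '$company' but signer is '$signerCN'")
        }
    }
    elseif ($info.CompanyName) {
        $findings.Add("claims publisher '$($info.CompanyName)' but is unsigned")
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $signerCN
        Claimed     = $info.CompanyName
        Description = $info.FileDescription
        Suspicious  = ($findings.Count -gt 0)
        Findings    = ($findings -join '; ')
    }
}

# Usage: triage everything recently downloaded and show only the suspects.
Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe, *.dll -Recurse |
    ForEach-Object { Test-DownloadedExecutable -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List
```

The point of building the `X509Chain` by hand rather than trusting `Status -eq 'Valid'` alone is that it makes the revocation outcome explicit: a signer whose certificate was stolen and later revoked shows up as `Revoked`, and a host that could not reach the CRL or OCSP endpoint shows up as `RevocationStatusUnknown` rather than as a clean pass. The publisher comparison in step 3 only flags files whose claimed `CompanyName` matches an allowlist key, so a file that sheds its version resource entirely is caught by the unsigned branch, not by this one.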

Diaz says it's unclear why attackers are choosing that software — other than its popularity. "That could also be circumstantial based on specific campaigns leveraging these applications," he says. "Our belief is that attackers regularly rotate mirrored software based on popularity, campaigns, or other circumstances — and we will be monitoring its future evolution."

The VirusTotal team conducted a similar analysis on URLs using website icon similarity, finding WhatsApp, Facebook, Instagram, and iCloud to be the top four most abused websites, imitated by numerous URLs suspected of being malicious. Considering the growing trend of visually mimicking legitimate apps, the research team says it plans continued analysis of the most frequently targeted apps.

Bypassing Security Awareness

Diaz explains that the abuse of these legitimate resources seems to be an effort by attackers to undermine what users have been taught: check that a linked domain is legitimate, make sure what you are installing has the expected icon, and confirm that the executable is signed.

"This seems like a natural trend to bypass some basic precautions from the user and some simple security measures, such as blocking some domains," he says. "I don’t necessarily think that attackers will be changing their tactics a lot — they are simply adjusting their defenses and distribution channels accordingly."

He adds that it is notable that attackers are increasingly abusing legitimate distribution channels and top domains, using either encrypted content or multicomponent artifacts that are hard to identify as malicious on their own.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
