To compromise a system, malicious actors need to avoid being detected at the entry point. Malware infections are increasing rapidly, and so are the attack vectors. Most malware attacks start with a downloader that opens the door for the attack by downloading and installing the malicious modules and payloads. Downloaders are often observed in a non-persistent form and delete themselves after installing the malicious payload on the victim's machine. This paper describes the latest trends in downloaders used for malware delivery, which leverage multiple attack vectors to spread advanced malware. The research focuses specifically on malware samples targeting enterprise users.
Through this research, we observed that malware attackers are targeting users with clever social engineering tricks, while in some cases exploits have also been used to download and install malicious payloads onto victims' machines. A common theme in many of these campaigns is that a downloader payload is served first, and it performs several checks before delivering the target payload on the compromised machine. To illustrate the trend, we performed a large-scale analysis of a data set of tens of thousands of malicious downloader samples collected from early 2019 to early 2020 in the Zscaler cloud. The analysis is structured around a taxonomy based on file formats, scripting languages, and behavioural techniques. Our research focused specifically on the downloader payloads used by multiple threat actors in different attack campaigns over the past year.
We will look at the recent tactics, techniques, and procedures (TTPs) associated with these malicious downloaders in the wild. We will also showcase details of recent attack campaigns that leverage popular file-hosting services (e.g. Google Drive, Dropbox and the AWS cloud) to download malicious modules and payloads.
This research will cover:
- Case studies of obfuscation techniques used in malicious downloaders written in different file formats.
- In-depth research on shellcode used as a downloader and decryptor for several pieces of advanced malware.
- Lessons on the techniques used by downloaders to evade detection.
- Exploitation techniques used by threat actors specifically with downloaders.
- Challenges in detection and attribution of malicious vs legitimate downloaders.
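The abstract describes a recurring behavioural pattern: a non-persistent downloader fetches its payload from a public file-hosting service, launches it, and then deletes its own image. The following is an added example, not code from the paper or from Zscaler, showing how a defender could correlate endpoint telemetry to surface that pattern and separate it from a legitimate updater. The event schema, the hostname list, and all log entries are constructed for this illustration; in practice the hostname list and the scoring threshold would be tuned against an organisation's own baseline, which is exactly the malicious-vs-legitimate attribution challenge the last bullet raises.

```python
"""Correlate endpoint telemetry to flag the downloader pattern described above.

Added example (not from the paper): per process, look for (1) a download from a
public file-hosting service, (2) a child process launched with a file the parent
just wrote, and (3) deletion of the downloader's own image. All telemetry below
is constructed for the demonstration.
"""
from collections import defaultdict

# Hostnames of file-hosting services mentioned in the abstract (assumed patterns).
FILE_HOSTING_SUFFIXES = ("drive.google.com", "dropbox.com", "amazonaws.com")

# Constructed telemetry: chronological events as an EDR or SIEM might emit them.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 100, "ppid": 1,
     "image": r"C:\Users\u\Downloads\invoice.exe"},
    {"ts": 2, "type": "net_connect", "pid": 100, "host": "drive.google.com"},
    {"ts": 3, "type": "file_write", "pid": 100, "path": r"C:\ProgramData\svc.dll"},
    {"ts": 4, "type": "process_start", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\svc.dll,Start"},
    {"ts": 5, "type": "file_delete", "pid": 101, "path": r"C:\Users\u\Downloads\invoice.exe"},
    # Benign updater: downloads from a vendor host and never deletes itself.
    {"ts": 6, "type": "process_start", "pid": 200, "ppid": 1,
     "image": r"C:\Program Files\App\updater.exe"},
    {"ts": 7, "type": "net_connect", "pid": 200, "host": "updates.example-vendor.com"},
    {"ts": 8, "type": "file_write", "pid": 200, "path": r"C:\Program Files\App\app.exe"},
]


def is_file_hosting(host):
    """True if the host is one of the assumed file-hosting domains or a subdomain."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in FILE_HOSTING_SUFFIXES)


def score_downloaders(events):
    """Return {pid: {"image", "indicators", "score"}} for pids with >= 2 indicators."""
    images = {}                      # pid -> image path
    indicators = defaultdict(list)   # pid -> list of indicator labels
    written = defaultdict(set)       # pid -> files it wrote
    children = defaultdict(set)      # ppid -> child pids

    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_start":
            images[pid] = ev["image"]
            parent = ev["ppid"]
            children[parent].add(pid)
            # Child launched with a file the parent just wrote: payload execution.
            cmd = ev.get("cmdline", ev["image"]).lower()
            if any(p.lower() in cmd for p in written[parent]):
                indicators[parent].append("executes_freshly_written_file")
        elif kind == "net_connect" and is_file_hosting(ev["host"]):
            indicators[pid].append("download_from_file_hosting:" + ev["host"])
        elif kind == "file_write":
            written[pid].add(ev["path"])
        elif kind == "file_delete":
            # Deletion of a downloader's own image, either by itself or by its child.
            deleters = {pid} | {p for p, kids in children.items() if pid in kids}
            for p in deleters:
                if images.get(p, "").lower() == ev["path"].lower():
                    indicators[p].append("self_deletion")

    return {
        pid: {"image": images.get(pid), "indicators": inds, "score": len(inds)}
        for pid, inds in indicators.items()
        if len(inds) >= 2
    }


if __name__ == "__main__":
    for pid, hit in score_downloaders(SAMPLE_EVENTS).items():
        print(pid, hit["image"], hit["score"], hit["indicators"])
```

Requiring two independent indicators before alerting is the design choice that keeps the benign updater quiet: it also writes and launches a file, but it neither pulls from a public file host nor removes its own binary. A single indicator, such as any download from Google Drive, would drown analysts in legitimate traffic.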