Malware spotlight: Droppers
There’s a cloud of confusion around droppers. Often seen as a sort of helper program in a cyberattack, droppers are actually a type of malware that plays an instrumental role. It should be considered its own type of malware because it is responsible for a number of malicious actions.
This article will explore the dropper type of malware and examine what droppers are, how droppers spread, how droppers work, persistent versus non-persistent droppers the dangers of low-cost devices and other valuable information that will give you a better picture of this misunderstood malware.
Become a certified reverse engineer!
What is a dropper?
Droppers are a type of Trojan and are so distinct that they are their own breed. Their signature purpose is to install other malware once they are present in a system. In fact, they are named droppers because they drop malware and malware components into a compromised system. This activity is what has earned droppers the nickname “the malware that precipitates malware.”
In order to better avoid detection, droppers do not normally save to disk on a compromised system. Instead, droppers usually delete themselves after their purpose has been fulfilled. They often perform different actions in the furtherance of the attack goal.
How droppers spread
Droppers can be spread many ways. Some are obvious and easy to avoid — such as an attachment to spam emails, for example. Other methods of spreading droppers, such as drive-by downloads, are quite stealthy and invite droppers into a system by merely visiting an infected website.
The most common ways droppers are spread include:
- Visiting malicious websites
- Clicking malicious links
- Spam email attachments
- Inserting infected removable media
- Using an infected internet proxy
- Downloading infected freeware
Droppers may also be spread by infected apps — even that widely-used, seemingly legitimate app you downloaded last night. Researchers recently discovered that CamScanner, a popular Android app with over 100 million downloads, has had a dropper hidden within it for some time.
How do droppers work?
No two droppers are the same. Some droppers operate as stand-alone programs and some are part of a greater malware package, often as part of a malware family that offers a one-stop-shop approach to cyberattacks.
Despite this diversity of form and function, most droppers have the following abilities in common.
Installer
This first ability that droppers have in common is the installer. Droppers will download malware (or its components), decompress the malware or modules and then install them. This activity does not cause damage to the system per se, but it sets up the malware that causes this damage. If malware was tried in a court of law, droppers would be accomplices at best and co-conspirators at worst.
Avoiding detection
The second ability that nearly all droppers have is the ability to avoid detection. Nothing would frustrate an attack campaign more than gaining a proverbial beachhead in an infected system only to be detected once the dropper begins downloading and installing malware.
One way that droppers can avoid detection is to create a lot of noise around a malicious module trying to hide from detection. This noise can be created by downloading and decompressing harmless, unrelated files.
Common dropper behavior
Aside from the abilities listed above, droppers have been observed to exhibit the following behavior that sets it apart from other types of malware.
- Searching for available security controls — including firewalls, anti-malware/antivirus, IPS and so forth
- Connects to unknown, suspicious websites
- Attempts to anonymize or hide connections with sites
- Connects to sites in strange places, including parts of the world known for higher-than-normal threat actor activity
- Downloads other files and programs, especially those that are malicious
- Executes unknown or anomalous files and programs
- Deletion of itself after performing the actions above
Non-persistent versus persistent droppers
When writing an article, you would normally list the affirmative before the negative. In this situation, however, the header above is quite appropriate. There’s a world of difference between these two types of droppers, enough to make one kind nothing more than an annoyance and the other an absolute nightmare.
Non-persistent droppers are the most common type of dropper and the least harmful. After their malware payload has been dropped, they simply delete themselves and never appear again. This is the type that has earned droppers their servo-mechanism reputation.
Persistent droppers are far more dangerous and are what qualifies droppers to be considered their own malware. With this type, the dropper attaches itself to some hidden, random file and creates registry keys instead of deleting itself. These registry keys are used to run the compromised system after it is restarted so the malware or malicious modules can be downloaded again. This makes removal much more difficult because both the hidden file and created keys must be found and removed in order to remove the dropper.
The danger of low-cost devices
Nothing in life is free (or sometimes even cheap). You know that off-brand Android phone you bought to use as a test device (or handheld tablet)? Chances are that it’s infected with a dropper or ten.
It turns out that the same CamScanner app dropper was found to be on over 100 low-cost Android devices. This means that unless you can find and remove this dropper, your low-cost Android device may be downloading and installing malicious modules on your phone all day long.
Conclusion
Droppers are a well-known type of malware that has been around since the early days of Trojans. They download, decompress, and install malware onto a compromised system only to dig into the compromised system by attaching itself to a hidden file or deleting itself.
Malware researchers sometimes categorize droppers as merely a part of Trojans. But when their importance in attack campaigns and their independent nature of persistent droppers are taken into consideration, droppers should be considered their own type of malware altogether.
Sources
- Trojan-Dropper Malware, Weborion
- Droppers – Malware that Precipitates Malware, Lastline
- Dropper, TechTarget
- Trojan Dropper Malware Found in Android App With 100M Downloads, Bleeping Computer
- Trojan dropper, Malwarebytes
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Malware spotlight: Droppers
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis