An analysis of malware samples submitted to VirusTotal shows that cybercriminals and other threat actors use various forms of trust abuse to spread malware and evade traditional defenses, often leveraging the implicit trust between a reputable software vendor and the user.
Google Cloud’s VirusTotal research team identified several popular methods, including using legitimate distribution channels to spread malware and impersonating legitimate applications. Spreading malware through legitimate domains often allows it to slip past traditional perimeter defenses, including domain- or IP-based firewalls. According to the report, 10% of the top 1,000 Alexa domains distributed suspicious samples.
In total, Google found more than 2 million suspicious files downloaded from legitimate Alexa domains, including domains that are regularly used for file distribution. Another attack vector is the theft of legitimate signing certificates from legitimate software makers, which are then used to sign the malware. Since 2021, more than 1 million signed samples have been deemed suspicious, according to a new report from the Google team.
Even where samples used invalid or revoked certificates, victims often had no easy way to confirm whether the certificates were valid. According to the report, nearly 13% of the samples did not have a valid signature when uploaded to VirusTotal for the first time, and more than 99% of those were Windows Portable Executable or DLL files.
“We were amazed at the number of signed malware samples we found, many of which appeared to be valid at the time of the analysis,” said Vicente Diaz, a VirusTotal security engineer. “Unfortunately, the process of checking if a signed file is valid is not trivial and can be exploited by malware to avoid various security measures or, again, abuse the victim’s trust.”
This is especially worrisome in the event that attackers steal legitimate certificates, potentially creating a perfect scenario for supply chain attacks. Attackers are also increasingly using malware disguised as legitimate software, a basic social engineering technique that is gaining popularity. With this method, the application icon, which the victim recognizes and accepts, is used to convince them that the app is legitimate.
“Most of the time, we saw this technique being exploited by attackers in relatively simple attacks, where legitimate software was a lure for the victim,” says Diaz. “In other words, this means installing both the malware and software that the victim thought they were installing legitimately.”
He explains that despite its simplicity, this technique can still be effective and avoid raising the alarm for the victim. “We also think this could be a growing trend as some channels seem to be gaining popularity as malware distribution vectors, including distribution of cracked software and the like, which is a perfect scenario for this type of attack,” says Diaz.
Popular VoIP platform Skype, Adobe Acrobat and media player VLC are the top three most mirrored app icons according to the report. “Adobe Acrobat, Skype and 7zip are very popular and have the highest infection rates, probably making them the top three applications and icons to be aware of from a social engineering perspective,” the report notes.
Diaz says it’s unclear why attackers choose that software, other than its popularity. “That could also be indirect based on specific campaigns that use these applications,” he says. “Our belief is that attackers regularly rotate mirrored software based on popularity, campaigns or other circumstances – and we will monitor its future evolution.”
The VirusTotal team conducted a similar analysis on URLs using website icon similarity, finding WhatsApp, Facebook, Instagram and iCloud to be the four websites most impersonated by URLs suspected of being malicious. Given the growing trend of visually mimicking legitimate apps, the research team says it plans to further analyze the most targeted apps.
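As an added illustration (not code from the report or from VirusTotal's own tooling), the following Python triage heuristic combines the two signals discussed above: an embedded icon that is perceptually close to a well-known application's icon, and the signature status of the file. The icon hashes, signer names, sample records and the distance threshold are all constructed assumptions for the example; in practice the signature status would come from a real Authenticode verifier.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Constructed reference table: a 64-bit perceptual hash (hex) of each legitimate
# app's icon and the signer expected on its binaries. All values are placeholders.
KNOWN_ICONS: Dict[str, Tuple[str, str]] = {
    "Adobe Acrobat": ("f0f0e1c3c3e1f0f0", "Example Adobe Signer"),
    "Skype":         ("00ff3c7e7e3cff00", "Example Skype Signer"),
    "VLC":           ("1e3c78f0f0783c1e", "Example VideoLAN Signer"),
}

@dataclass
class Sample:
    sample_id: str         # placeholder identifier, not a real file hash
    icon_hash: str         # perceptual hash of the embedded icon, 16 hex digits
    signer: Optional[str]  # subject name on the signing cert, None if unsigned
    sig_status: str        # "valid", "invalid", "revoked" or "unsigned", as
                           # reported by a real Authenticode verifier (assumed)

def hamming(h1: str, h2: str) -> int:
    """Bit distance between two equal-length hex perceptual hashes."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")

def closest_brand(icon_hash: str, max_distance: int = 6) -> Optional[Tuple[str, int]]:
    """Nearest known icon within the (assumed) similarity threshold, else None."""
    dists = {b: hamming(icon_hash, h) for b, (h, _) in KNOWN_ICONS.items()}
    brand = min(dists, key=dists.get)
    return (brand, dists[brand]) if dists[brand] <= max_distance else None

def triage(s: Sample) -> List[str]:
    """Findings for one sample; an empty list means nothing suspicious noted."""
    findings = []
    match = closest_brand(s.icon_hash)
    if match:
        brand, dist = match
        expected = KNOWN_ICONS[brand][1]
        if s.sig_status != "valid":
            findings.append(f"icon mimics {brand} (distance {dist}) but signature is {s.sig_status}")
        elif s.signer != expected:
            findings.append(f"icon mimics {brand} (distance {dist}) but signer is {s.signer!r}, expected {expected!r}")
    if s.sig_status in ("invalid", "revoked"):
        findings.append(f"{s.sig_status} signature: signer {s.signer!r} must not be treated as trusted")
    return findings

# Constructed sample records (not real submissions); run triage() on each.
SAMPLES = [
    Sample("s1", "f0f0e1c3c3e1f0f1", None, "unsigned"),                   # near-Acrobat icon, unsigned
    Sample("s2", "00ff3c7e7e3cff00", "Unrelated Ltd", "valid"),           # Skype icon, unexpected signer
    Sample("s3", "00ff3c7e7e3cff00", "Example Skype Signer", "revoked"),  # right signer, revoked cert
    Sample("s4", "1e3c78f0f0783c1e", "Example VideoLAN Signer", "valid"), # icon and signer consistent
]
```

A file that mimics a known icon is only flagged when its signature is missing, invalid or from an unexpected signer, so a correctly signed copy of the real application produces no finding.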
Bypassing Security Awareness
Diaz explains that the misuse of these legitimate resources appears to be an attempt by attackers to get around what users have been taught – such as checking whether a linked domain is legitimate, making sure that what you install has the expected icon, and confirming that the executable has been signed.
“This seems like a natural trend to get around some basic user precautions and some simple security measures, such as blocking some domains,” he says. “I don’t necessarily think attackers will change their tactics much — they just adjust their defenses and distribution channels accordingly.”
He adds that it’s interesting to see the proliferation of attackers exploiting legitimate distribution channels and top domains using encrypted content or multi-component artifacts that are difficult to identify as malicious on their own.