One of the most effective social engineering techniques is to hide malware inside installation packages for legitimate software. This becomes a supply chain attack when attackers gain access to the vendor's official distribution server, source code or signing certificates. To investigate this attack method, VirusTotal examined files submitted to the online service that were distributed from known legitimate domains. Of the nearly 80,000 files found, 78 were flagged as potentially malicious by more than five percent of antivirus engines.
Some key findings of the report, summarized:
- 10 percent of the top 1,000 Alexa domains spread suspicious samples.
- 0.1 percent of legitimate hosts for popular applications spread malware.
- 87 percent of the more than one million signed malware samples uploaded to VirusTotal since January 2021 have a valid signature.
- As part of a growing social engineering trend, 4,000 samples were either executed or compressed together with legitimate app installers.
- The number of malware programs that visually mimic legitimate apps has steadily increased, with Skype, Adobe Acrobat and VLC being the top three.
- 98 percent of the samples that contained legitimate installers in their PE resources were malicious.
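The last finding, that a sample carrying a complete legitimate installer inside its own PE resources is almost always malicious, lends itself to a simple defensive heuristic: scan a file for a second, fully formed PE header beyond offset zero. The following script is an added example written for this page; it is not code from the VirusTotal report or from VirusTotal's tooling. It uses only the Python standard library, builds constructed PE-like stubs (not real executables) to serve as sample input, and treats any nested DOS header whose e_lfanew field points at a valid "PE\0\0" signature as an embedded executable. The function names (`minimal_pe_stub`, `find_embedded_pe`, `classify`) and the 4 KiB bound on e_lfanew are assumptions of this example, not values from the report.

```python
import struct

MZ = b"MZ"          # DOS header magic at the start of every PE file
PE_SIG = b"PE\0\0"  # NT header signature that e_lfanew points to
DOS_HEADER_LEN = 0x40
E_LFANEW_OFFSET = 0x3C
MAX_E_LFANEW = 0x1000  # sanity bound (assumption): real headers sit well within 4 KiB


def minimal_pe_stub(tag: bytes) -> bytes:
    """Constructed test input: a DOS header whose e_lfanew points at a PE signature.

    This is NOT an executable; it only has enough structure for the scanner to
    recognise it, which is what we need to exercise the heuristic offline.
    """
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_LEN)
    return bytes(dos) + PE_SIG + tag


def is_pe(data: bytes) -> bool:
    """True if the blob itself starts with a DOS header leading to a PE signature."""
    return find_embedded_pe(data, min_offset=0)[:1] == [0]


def find_embedded_pe(data: bytes, min_offset: int = 1) -> list[int]:
    """Return every offset >= min_offset where a plausible nested PE header begins.

    Scanning from offset 1 by default skips the host file's own header, so any hit
    indicates a second executable carried inside the file (e.g. in a resource).
    """
    hits = []
    start = min_offset
    while True:
        idx = data.find(MZ, start)
        if idx < 0:
            break
        start = idx + 1
        if idx + DOS_HEADER_LEN > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, idx + E_LFANEW_OFFSET)[0]
        # e_lfanew must land past the DOS header, within the sanity bound, and inside the blob
        if DOS_HEADER_LEN <= e_lfanew < MAX_E_LFANEW and idx + e_lfanew + len(PE_SIG) <= len(data):
            if data[idx + e_lfanew: idx + e_lfanew + len(PE_SIG)] == PE_SIG:
                hits.append(idx)
    return hits


def classify(data: bytes) -> dict:
    """Defender-side verdict: a PE that embeds another PE is flagged for review."""
    nested = find_embedded_pe(data) if is_pe(data) else []
    return {
        "is_pe": is_pe(data),
        "embedded_pe_offsets": nested,
        "suspicious": bool(nested),
    }


if __name__ == "__main__":
    # Constructed sample: a host stub that carries a second stub 100 bytes after its own header.
    host = minimal_pe_stub(b"host-installer")
    payload = minimal_pe_stub(b"inner-payload")
    bundled = host + b"\0" * 100 + payload
    print("clean host:", classify(host))
    print("bundled   :", classify(bundled))
```

On a real sample the scanner would be run over the file bytes (or, more precisely, over each entry in the resource directory); hits are a triage signal to correlate with the file's signature status and where it was downloaded from, not a verdict on their own, since self-extracting archives and some legitimate setup wrappers also carry nested executables.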
Another method mentioned in the VirusTotal report, “Deception at scale: how malware abuses trust,” is spreading malware via software visually disguised as legitimate. VirusTotal can be an effective tool to look for visual similarities between files and websites, which is useful for detecting malware that steals icons from legitimate applications. The web service notes that the number of malware programs that visually imitate legitimate applications has been steadily increasing.
Still a problem, according to the report, is the misuse of legitimate certificates. By way of background, samples signed with legitimate certificates were long treated as trustworthy by the operating system and by some security solutions. Attackers have abused that trust by stealing legitimate signing certificates and using them to sign their malware so that it appears to come from a legitimate software vendor. Researchers at Google Chronicle investigated this method almost three years ago.
VirusTotal’s regular reports are intended to help gauge the scale of the techniques under discussion, some of which are becoming increasingly popular. It is important to understand which techniques attackers use to deploy malware and make it more effective, and equally important to be able to defend against that malware. The analysis of the deception methods described in the report, together with the implementation ideas presented in the associated blog post, should help defenders actively monitor and understand the evolution of future malware campaigns.