Cybercriminals are increasingly using Dropper-as-a-Service platforms to distribute malware. And according to security researchers, this trend is here to stay. Here’s what you should know about it and how to protect yourself.
What is it?
To understand Dropper-as-a-Service, one must first understand that a dropper is a malicious program designed to deliver malware to a target system. Generally, the dropper itself does not perform malicious functions; it serves as the Trojan horse that installs the malicious programs (its payload) that the target’s device would otherwise block. Droppers impede malware detection at the download stage and neutralize the system’s defenses before installing the payload. The dropper’s payload usually contains several malware tools as well as harmless files that serve to mask the installation of the malware.
Droppers can be persistent or non-persistent. Persistent droppers are the most dangerous. They attach themselves to a hidden or randomly named file and create registry keys that run on the compromised system after it is restarted, so the malware is downloaded again and again. To remove the dropper, both the hidden file and the registry keys need to be found. Non-persistent droppers are more common but less harmful: after their malware payload has been dropped, they delete themselves.
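The registry persistence described above is something a defender can audit directly. The following script is an added example (not code from the article or its author): it parses a `reg export` of the autorun (Run/RunOnce) keys and flags entries with dropper-like traits. The export text is constructed sample data, and the heuristics (user-writable launch paths, script hosts with hidden-window or encoded-command flags, download utilities) are illustrative assumptions, not a complete detection rule.

```python
"""Audit Windows Run/RunOnce entries from a `reg export` file for
dropper-style persistence. Added example; the export below is constructed
sample data, not taken from a real host."""
import re

# Constructed sample of what `reg export` of HKCU\...\Run might produce.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"wsvchost"="\"C:\\Users\\alice\\AppData\\Roaming\\qzx8\\svc.exe\""
"Updater"="powershell.exe -w hidden -enc QQBCAEMA"
'''

# A .reg value line: "Name"="value", with \\ and \" escapes inside the quotes.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
AUTORUN_KEY_RE = re.compile(r'\\Run(Once)?$', re.I)

# Illustrative heuristics (assumptions for this example, tune for your estate).
USER_WRITABLE = re.compile(
    r'(\\AppData\\|\\Temp\\|%TEMP%|%APPDATA%|\\Users\\Public\\|\\ProgramData\\)', re.I)
SCRIPT_HOST = re.compile(r'\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\b', re.I)
STEALTHY_FLAGS = re.compile(
    r'(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-noprofile\b|bypass)', re.I)
DOWNLOAD_TOOLS = re.compile(
    r'\b(certutil|bitsadmin|curl|wget|Invoke-WebRequest|iwr|DownloadString|DownloadFile)\b', re.I)


def unescape(value):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(.)', r'\1', value)


def audit_run_entries(reg_text):
    """Return a list of findings for autorun entries that match any heuristic."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]          # entering a new registry key
            continue
        if current_key is None or not AUTORUN_KEY_RE.search(current_key):
            continue                          # only audit Run / RunOnce keys
        match = ENTRY_RE.match(line)
        if not match:
            continue
        name, command = unescape(match.group(1)), unescape(match.group(2))
        reasons = []
        if USER_WRITABLE.search(command):
            reasons.append('launches from user-writable location')
        if SCRIPT_HOST.search(command) and STEALTHY_FLAGS.search(command):
            reasons.append('script host with hidden-window/encoded/no-profile flags')
        if DOWNLOAD_TOOLS.search(command):
            reasons.append('re-downloads content at logon')
        if reasons:
            findings.append({'key': current_key, 'name': name,
                             'command': command, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    # On a real host: reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
    # then open('run.reg', encoding='utf-16') since reg export typically writes UTF-16.
    for f in audit_run_entries(SAMPLE_REG_EXPORT):
        print(f"{f['name']!r}: {', '.join(f['reasons'])}\n    {f['command']}")
```

Note that legitimate software (OneDrive in the sample) also launches from AppData, so the location heuristic alone is a triage hint rather than a verdict; the combination of a hidden-window script host, an encoded command, or a download utility in an autorun value is the stronger signal. Repeat the export for HKLM and the RunOnce keys to cover machine-wide persistence.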
Now to Dropper-as-a-Service (DaaS). There is high underground demand for account access credentials, and Dropper-as-a-Service gives less-skilled cybercriminals a convenient way to carry out bulk credential theft at a cost as low as $2 for 1,000 malware installs. Customers pay to have their malware distributed to targets via droppers. DaaS typically uses a network of “cracked” websites to deliver droppers onto the target’s system that, when run, install and execute the customer’s malware. Cybercriminals maximize profits by hitting victims with a multitude of fraudulent applications in a single download.
How it works
This distribution method was uncovered during Sophos’ investigation into Raccoon Stealer. Researchers found that these networks use search engine optimization (SEO) to place a “bait” webpage on the first page of search results. Many of these bait pages are hosted on blog platforms and advertise “cracked” software, such as antivirus installers with their licensing checks bypassed. Clicking through a bait page leads to a download site that hosts malware, or steers you to a browser plugin or application.
You may also be prompted to allow browser notifications; if you allow them, the website can issue fake malware alerts. Clicking an alert sends you through a series of sites until you arrive at a destination determined by your operating system, browser type and geographic location. Only victims with the “right” combination are sent to the malicious download site.
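From the network side, the bait-page-to-download flow above shows up as a chain of cross-domain redirects that ends in an executable, with the final hop varying by client. The script below is an added example (not from the article or Sophos) that reconstructs such chains from a web proxy log and flags the ones that cross several domains and terminate in an executable download. The log lines and hostnames are constructed for the example, and the CSV column layout is an assumption about the log format.

```python
"""Reconstruct and flag multi-domain redirect chains that end in an
executable download. Added example; the proxy log is constructed, not
captured from real traffic, and the CSV layout is an assumed format."""
import csv
import io
from urllib.parse import urlsplit

# Constructed proxy log. Columns: timestamp, client, url, status, location, content_type, user_agent
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z,10.0.0.5,https://bait-blog.example/free-antivirus-crack,200,-,text/html,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:00:09Z,10.0.0.5,https://bait-blog.example/download?id=7,302,https://go.redir-one.example/r/7,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:00:10Z,10.0.0.5,https://go.redir-one.example/r/7,302,https://trk.redir-two.example/x,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:00:11Z,10.0.0.5,https://trk.redir-two.example/x,302,https://dl.final-host.example/setup.exe,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:00:12Z,10.0.0.5,https://dl.final-host.example/setup.exe,200,-,application/x-msdownload,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:05:00Z,10.0.0.5,http://intranet.example/,301,https://intranet.example/,-,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:05:01Z,10.0.0.5,https://intranet.example/,200,-,text/html,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2024-05-01T10:01:00Z,10.0.0.9,https://bait-blog.example/download?id=7,302,https://go.redir-one.example/r/7,-,"Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
2024-05-01T10:01:01Z,10.0.0.9,https://go.redir-one.example/r/7,302,https://bait-blog.example/thanks,-,"Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
2024-05-01T10:01:02Z,10.0.0.9,https://bait-blog.example/thanks,200,-,text/html,"Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
"""

EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/x-msi", "application/vnd.microsoft.portable-executable"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".hta")


def parse_log(text):
    """Parse the CSV log into dicts, ordered by client then timestamp."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].startswith("#"):
            continue
        ts, client, url, status, location, ctype, ua = rec
        rows.append({"ts": ts, "client": client, "url": url, "status": int(status),
                     "location": None if location == "-" else location,
                     "ctype": None if ctype == "-" else ctype, "ua": ua})
    rows.sort(key=lambda r: (r["client"], r["ts"]))
    return rows


def is_redirect(entry):
    return 300 <= entry["status"] < 400 and entry["location"] is not None


def looks_like_executable(entry):
    path = urlsplit(entry["url"]).path.lower()
    return entry["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_SUFFIXES)


def find_redirect_chains(rows, min_hosts=3):
    """Follow each client's 30x responses into the request that honoured them.
    A chain is flagged when it spans at least `min_hosts` distinct hosts and
    its last hop is an executable download."""
    by_client = {}
    for r in rows:
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for client, entries in by_client.items():
        i = 0
        while i < len(entries):
            start = entries[i]
            if not is_redirect(start):
                i += 1
                continue
            hops, expected, j = [start], start["location"], i + 1
            # Extend the chain while the next request is the Location we were sent to.
            while j < len(entries) and entries[j]["url"] == expected:
                nxt = entries[j]
                hops.append(nxt)
                j += 1
                if is_redirect(nxt):
                    expected = nxt["location"]
                else:
                    break                     # landed on a final (non-redirect) response
            hosts = {urlsplit(h["url"]).hostname for h in hops}
            final = hops[-1]
            ends_in_exe = looks_like_executable(final)
            chains.append({"client": client, "user_agent": start["ua"],
                           "hops": [h["url"] for h in hops],
                           "distinct_hosts": len(hosts), "final_url": final["url"],
                           "ends_in_executable": ends_in_exe,
                           "flagged": ends_in_exe and len(hosts) >= min_hosts})
            i = j
    return chains


if __name__ == "__main__":
    for c in find_redirect_chains(parse_log(SAMPLE_PROXY_LOG)):
        mark = "FLAG" if c["flagged"] else "ok  "
        print(f"{mark} {c['client']} hosts={c['distinct_hosts']} -> {c['final_url']}")
        if c["flagged"]:
            print("     via:", " -> ".join(c["hops"]))
            print("     UA :", c["user_agent"])
```

In the sample, the two clients start from the same bait URL but only the Windows browser is forwarded to the executable; the Linux client is bounced back to a harmless page, which is exactly the OS/browser gating the article describes. Keeping the user agent on the flagged chain lets an analyst see which client profile the distribution network was selecting for, and the host-count threshold keeps ordinary single-hop redirects (the http-to-https hop in the sample) out of the alert queue.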
Why does it matter?
Over the last year and a half, millions of people have started working from home due to the COVID-19 pandemic. This shift has increased the risk of cybercriminals accessing sensitive business information through personal devices used for professional work, and it gives less-skilled hackers a way to reach big corporate targets through significantly less safeguarded personal devices.
You may remember the Trickbot ransomware attack on US hospitals in October of 2020. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) issued a warning about an “imminent cybercrime threat to US hospitals and healthcare providers” when they received a tip that a ransomware group planned to deploy ransomware at over 400 US healthcare facilities.
Dropper-as-a-Service operations can more easily target sectors like healthcare, which handle sensitive data such as electronic health information (ePHI), when that data is accessed from personal devices.
How can you prevent this from happening to you?
You can never be too prepared to protect yourself from malware, especially a threat like Dropper-as-a-Service that baits you into downloading innocent-looking software, such as an antivirus installer. Breaches are bound to occur, and it is important to have safeguards in place to protect sensitive and private information. Consider communicating with patients through HIPAA compliant email instead of traditional email.
Paubox Email Suite encrypts any and all outbound email by default, ensuring the privacy of your intended recipient. Our solution is straightforward to use and integrates with Google Workspace, Microsoft 365, or Microsoft Exchange. Emails are delivered directly to your recipients’ inboxes; they don’t need to use portals, plugins, or apps to securely read your message. Stop using snail mail and start using email. You could save yourself a million dollars in fines.