VirusTotalβs Deception at scale report analyzes how malware abuses trust by hiding in legitimate installers, signing certificates, and masquerading as popular applications to deliver malicious payloads. It highlights social engineering trends and practical techniques researchers can use to monitor and counter evolving campaigns. Hashtags: #ProtonVPN #Jigsaw #Telegram #MicrosoftRootCA #Acer #ASUS
Keypoints
- Top Alexa domains are used to distribute suspicious samples, with 10% of the top sites involved and legitimate hosts for popular apps also distributing malware (0.1%).
- Most malicious samples carry valid signatures, with 87% of signed samples showing a valid certificate since 2021.
- Malware increasingly masquerades as legitimate software, notably icons for Skype, Adobe Acrobat, and VLC.
- There is a growing trend of social engineering where thousands of samples execute or bundle with legitimate installers.
- Execution and compressed parents reveal suspicious relationships between legitimate installers and malware, including known distribution URLs.
- Typosquatting and misuse of valid certificates are highlighted as key techniques used to improve legitimacy and reach.
- VirusTotal demonstrates practical methods (Appendix I) to automate detection of suspicious execution parents via its API.
MITRE Techniques
- [T1195] Supply Chain β Used to distribute malware via legitimate distribution channels after attackers gained access to the official server or certificates β βThis becomes a supply chain attack when attackers get access to the official distribution server, source code, or certificates.β
- [T1116] Code Signing β Malware signs with a valid certificate to appear legitimate; β87% of the more than one million signed malicious samples uploaded to VirusTotal since January 2021 have a valid signature.β
- [T1036] Masquerading β Malware visually mimics legitimate software icons (Skype, Adobe Acrobat, VLC); βThere has been a steady increase in the number of malware visually mimicking legitimate applications, with Skype, Adobe Acrobat, and VLC comprising the top three.β
- [T1204] User Execution β Malware relies on user action via installers; βIn a growing social engineering trend, 4,000 samples either executed or were packed with legitimate apps installers.β
- [T1583] Acquire Infrastructure β Typosquatting detected using fuzzy_domain queries to find misspelled domains; βThe fuzzy_domain keyword is another very useful search modifier. Based on Levenshtein Distance, it is perfect to find typosquatting attacks by listing all the misspelled domain names.β
- [T1027] Obfuscated/Compressed Files and Information β Malware uses compressed bundles; βWe found around 24% of Compressed Parents are detected as malicious by several antiviruses.β
Indicators of Compromise
- [Domain] β global download and distribution domains β example: hxxps://global-download.acer[.]com/GDFiles/BIOS/Firmware/Firmware_Acer_103_A_A[.]zip, hxxps://dlcdnets.asus[.]com/pub/ASUS/LCD%20Monitors/MB16AMT/MB16AMT_touchFW_vT3_for_MAC_10.15[.]zip
- [Domain] β other legitimate domains used for distribution β example: updates.tdesktop.com
- [URL] β specific distribution URLs (obfuscated) β example: hxxps://global-download.acer[.]com/GDFiles/BIOS/Firmware/Firmware_Acer_103_A_A[.]zip; hxxps://dlcdnets.asus[.]com/pub/ASUS/LCD%20Monitors/MB16AMT/MB16AMT_touchFW_vT3_for_MAC_10.15[.]zip
- [IP] β host addresses observed in distribution traffic β 192.210.173[.]40/files/loader2[.]exe, 192.227.158[.]110/im/kok[.]exe
- [SHA1] β file hashes of sampled binaries β d58903a8cfd10ccbfb515cef67d8d2f18341f580, 8e308387f3fda176c913d72e027263e4fe63e7bf
Read more: https://blog.virustotal.com/2022/08/deception-at-scale.html