Cybersecurity, now malware hides in legitimate domains

The study by VirusTotal, a Google Cloud team specializing in cybersecurity, highlights how the use by cybercriminals of distribution channels considered reliable allows them to escape traditional perimeter defenses

03 Aug 2022, Domenico Aliperto

Cybercriminals are taking new approaches to spreading malware and circumventing traditional defense systems. Underpinning these strategies is the ability to exploit end users' trust in the most trusted and widely used software providers. So says a report by VirusTotal, a Google Cloud team specializing in cybersecurity, which stresses that using legitimate distribution channels to spread malware lets attackers slip past traditional perimeter defenses, including domain- or IP-based firewalls.

A phenomenon that continues to grow

The study states, for example, that 10% of the top thousand Alexa domains distributed suspicious samples. In total, Google found over 2 million suspicious files downloaded from these domains, including domains regularly used for file distribution. Another attack vector is the theft of legitimate code-signing certificates from equally legitimate software manufacturers, which are then used to sign the malware.
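Before any trust decision is made about a file fetched from an otherwise reputable domain, a defender needs to know whether the file even carries an embedded Authenticode signature and where that blob sits, so it can be handed to a real validator. The Python script below is an added example written for this article, not VirusTotal's code: it parses the PE headers with the standard library only, locates the security data directory (index 4, which holds the file offset and size of the signature), and builds constructed minimal PE images (not real programs) to exercise the parser. The signature bytes in the constructed images are a placeholder, not a valid WIN_CERTIFICATE.

```python
import struct

IMAGE_FILE_DLL = 0x2000               # COFF Characteristics flag: image is a DLL
IMAGE_DIRECTORY_ENTRY_SECURITY = 4    # data directory slot holding the Authenticode blob
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def inspect_pe(data: bytes) -> dict:
    """Return triage facts about a PE image given the bytes of the whole file.

    The security directory entry is special: its first field is a raw file
    offset (not an RVA) pointing at the WIN_CERTIFICATE structure.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsect, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_base = opt + 96          # data directories start here for PE32
    elif magic == PE32PLUS_MAGIC:
        dd_base = opt + 112         # and here for PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec = dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if sec + 8 > opt + opt_size:    # optional header too short to hold the entry
        sig_off, sig_size = 0, 0
    else:
        sig_off, sig_size = struct.unpack_from("<II", data, sec)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "has_authenticode": sig_off != 0 and sig_size != 0,
        "signature_offset": sig_off,
        "signature_size": sig_size,
    }


def build_test_pe(signed: bool, dll: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE image (headers only, not runnable) for testing."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    dd_base = 112 if pe32plus else 96
    ndirs = 16
    opt_size = dd_base + ndirs * 8
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)   # 0x0002 = executable image
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_base - 4, ndirs)              # NumberOfRvaAndSizes
    header_len = e_lfanew + 4 + 20 + opt_size
    body = b""
    if signed:
        body = b"\0" * 16   # placeholder for a WIN_CERTIFICATE blob (constructed, not a real signature)
        struct.pack_into("<II", opt, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, header_len, len(body))
    return dos + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    for label, img in [("signed exe", build_test_pe(True, False)),
                       ("unsigned dll", build_test_pe(False, True)),
                       ("signed pe32+ dll", build_test_pe(True, True, True))]:
        print(label, inspect_pe(img))
```

The parser deliberately stops at locating the blob. Presence of a signature says nothing about whether the certificate was stolen, revoked or expired at signing time, which is exactly the check the report says victims often skip; the offset is what you hand to `signtool verify` or PowerShell's `Get-AuthenticodeSignature` for chain and revocation validation, and a file that carries a signature yet fails that validation deserves more scrutiny, not less.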

The report highlights that malware signed with stolen signing keys is therefore more frequent than expected. Malicious software that runs legitimate installers, or bundles them in the same compressed archive as the malware sample, is probably not as common as other documented techniques, but it represents a constant and slightly increasing trend. Visual imitation of legitimate applications, on the other hand, is a growing trend and targets a number of popular applications (Skype, Adobe Acrobat, VLC). This is compounded by the fact that popular domains used by legitimate organizations, including popular application hosting sites, are regularly used to distribute malware.

Samples signed with legitimate certificates have long been considered safe to use by the operating system and by some security solutions. Unfortunately, attackers abused this trust by stealing legitimate signing certificates and using them to sign their malware, making it appear to come from legitimate software manufacturers. "We explored VirusTotal's database and found that as of 2021 more than a million signed samples have been considered suspicious (with more than 15% of antiviruses detecting them as malicious). However, not all samples had a valid signature when they were created, as the attackers reused revoked or invalid certificates; often the validity of the certification chain is not verified by the victim. Specifically, nearly 13% of these samples did not have a valid signature when they were first uploaded to VirusTotal. More than 99% of these signed files are Windows Portable Executable or DLL files," explain the experts at VirusTotal.

Malware lurking in legitimate software

One of the simplest social engineering tricks encountered by VirusTotal is to make a malware sample look like a legitimate program. The icon of these programs is a key feature used to convince victims that they are safe.
To prove this, a number of frequently downloaded Windows programs were analyzed, using fuzzy logic to find suspicious samples (detected as malicious by more than five antivirus engines) with visually similar icons. This gives an idea of how widespread the technique is.

Another effective social engineering technique is to disguise malware as legitimate software by inserting it inside installation packages. These supply chain attacks work when attackers gain access to the official distribution server, source code, or certificates. To find potential cases where attackers could use legitimate hosting servers to distribute malware, the researchers scanned samples downloaded from a subset of 35 legitimate domains hosting popular software packages. From 2020 to date, VirusTotal has found about 80 suspicious files (detected as malicious by more than 5% of antivirus engines) out of 80 thousand files distributed (about 0.1%). In addition to the detection rate, the relationships of all the files served were explored to understand whether they were performing suspicious activities or whether they had been deleted by malware files.

"VirusTotal is in a unique position to provide a source of complete visibility into the malware landscape," the report's authors comment. "Over the past 16 years, we have processed more than two million files a day in 232 countries. VirusTotal also leverages the continuous contribution of its user community to provide a relevant attack context. We use this crowdsourced intelligence to analyze relevant data, share an understanding of how attacks develop, and help inform about how they might evolve in the future. This report continues in the direction of what we hope will become an ongoing community effort to discover and share useful information about malware trends."
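Icon mimicry can be hunted the way the icon analysis above describes: reduce each sample's icon to a small perceptual fingerprint and compare it with the fingerprints of the applications being impersonated, so a near-copy is flagged even when the file's bytes and cryptographic hash are entirely different. The script below is an added example, not VirusTotal's tooling; it implements the difference hash (dHash) over 16x16 grayscale icons represented as plain lists of pixel values, using three constructed icons: a "legitimate" disc logo, a slightly shifted and recolored lookalike, and an unrelated striped icon. Extracting the icon from a PE resource section and converting it to grayscale are assumed to happen upstream; the similarity threshold of 10 differing bits is an assumption chosen for the example, not a value from the report.

```python
# dHash-based icon similarity, an added example built around constructed 16x16 icons.

ICON_SIZE = 16
HASH_SIZE = 8            # dHash produces HASH_SIZE * HASH_SIZE bits (64 here)
SIMILARITY_THRESHOLD = 10  # assumed: fingerprints within this Hamming distance count as lookalikes


def make_icon(pixel_fn):
    """Build a 16x16 grayscale icon (rows of 0..255 ints) from pixel_fn(x, y)."""
    return [[pixel_fn(x, y) for x in range(ICON_SIZE)] for y in range(ICON_SIZE)]


# Constructed sample icons (not real application artwork).
LEGIT_ICON = make_icon(lambda x, y: 255 if (x - 8) ** 2 + (y - 8) ** 2 < 36 else 40)     # bright disc
LOOKALIKE_ICON = make_icon(lambda x, y: 230 if (x - 9) ** 2 + (y - 8) ** 2 < 25 else 60)  # shifted, recolored disc
UNRELATED_ICON = make_icon(lambda x, y: 255 if x % 4 < 2 else 0)                         # vertical stripes


def resize_nearest(img, width, height):
    """Nearest-neighbour downscale of a 2D grayscale list to width x height."""
    src_h, src_w = len(img), len(img[0])
    return [[img[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(img, hash_size=HASH_SIZE):
    """Difference hash: shrink to (hash_size+1) x hash_size, then record for each
    row whether each pixel is brighter than its right-hand neighbour. Minor
    recoloring or sub-pixel shifts change few bits; a different shape changes many."""
    small = resize_nearest(img, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def is_lookalike(candidate_icon, reference_icon, threshold=SIMILARITY_THRESHOLD):
    """True when the candidate's icon is perceptually close to a known application icon."""
    return hamming(dhash(candidate_icon), dhash(reference_icon)) <= threshold


def triage(samples, reference_icons, threshold=SIMILARITY_THRESHOLD):
    """Report which samples visually imitate which reference application.

    samples and reference_icons are {name: icon}; returns {sample: [matched references]}.
    """
    ref_hashes = {name: dhash(icon) for name, icon in reference_icons.items()}
    report = {}
    for sample_name, icon in samples.items():
        h = dhash(icon)
        report[sample_name] = [ref for ref, rh in ref_hashes.items() if hamming(h, rh) <= threshold]
    return report


if __name__ == "__main__":
    refs = {"legit-app": LEGIT_ICON}
    samples = {"sample-A.exe": LOOKALIKE_ICON, "sample-B.exe": UNRELATED_ICON}
    for name, matches in triage(samples, refs).items():
        print(f"{name}: {'imitates ' + ', '.join(matches) if matches else 'no icon match'}")
```

A sample whose icon matches a reference but which is not signed by that vendor, or is served from a domain the vendor does not use, is the combination the report describes; the icon match alone is a lead for analysts, not a verdict.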