According to cybersecurity specialists, malware authors are increasingly depending on dropper-as-a-service (DaaS) platforms to propagate their malicious inventions. Sophos recently published a report detailing the rise of DaaS platforms that infect victims who visit piracy websites in search of cracked versions of major business and consumer software.
A dropper is a programme that, when run, executes malicious code as a payload. The dropper is similar to a trojan, and it may have additional functions, but its primary goal is to get malware onto a victim's computer; that malware is either downloaded over the internet at run time or unpacked from data embedded within the dropper itself.
A customer pays a dropper-as-a-service operator to deliver their malware to victims' systems through droppers. Typically, the DaaS employs a network of websites to transmit droppers to victims' computers, which then install and execute the customer's malware. Droppers may be camouflaged as legitimate or cracked software that netizens are fooled into installing.
“During our recent investigation into an ongoing Raccoon Stealer (an information-stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a ‘dropper as a service,’ serving up a variety of other malware packages,” Sophos researchers Sean Gallagher and Yusuf Polat shared in a joint blog post.
The Sophos duo, who were assisted by Anand Ajjan and Andrew Brandt, dubbed this part of the "malware-industrial complex," saying that such services made it "very inexpensive for would-be cybercriminals with limited expertise to get started" in the criminal underworld. For 1,000 virus installs using droppers, some of these firms charge as little as $2.
The researchers point out that DaaS frequently bundles a variety of unrelated malware in a single dropper, including click-fraud bots, information stealers, and even ransomware.
The Raccoon Stealer campaign was not the only one that used DaaS, according to the researchers. Sophos continued to see more malware and other malicious content transmitted over the same network of sites even after the campaign had stopped. “We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a ‘bait’ webpage on the first page of results for search engine queries seeking ‘crack’ versions of a variety of software products,” said the researchers.