Google’s VirusTotal has revealed that Adobe Reader, Skype, and VLC Player are among the top software impersonated by cybercriminals and threat actors to abuse trust relationships and successfully conduct social engineering attacks.
Apart from these, other legitimate apps most often impersonated by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp.
“One of the simplest social engineering tricks we’ve seen involves making a malware sample seem a legitimate program,” VirusTotal said in a Tuesday blog post. “The icon of these programs is a critical feature used to convince victims that these programs are legitimate.”
In their study of malware, VirusTotal researchers discovered that cybercriminals use numerous approaches to trick unwitting users into downloading and running seemingly harmless executables.
One common technique is for attackers to use legitimate domains for malware distribution. The purpose is to take advantage of genuine domains to evade security solutions such as IP- or domain-based firewalls on devices and to spread malware via trusted domains.
Some of the top exploited domains are discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com, and qq[.]com. For instance, 2.5 million suspicious files were found to have been downloaded from 101 domains belonging to Alexa’s top 1,000 websites.
Another commonly used attack method is stealing legitimate signing certificates from software vendors and using them to sign malware, making it appear as though it came from legitimate software makers. Reportedly, out of the one million malicious samples found since January 2021, 87% had a valid signature when they were first uploaded to VirusTotal's database.
Close to 13% of these samples did not have a valid signature when they were uploaded for the first time to VirusTotal. Also, more than 99% of these signed files were Windows Portable Executable or DLL files.
VirusTotal said it also discovered 1,816 samples since January 2020 that impersonated legitimate software and came with actual installers for popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.
“In some cases, such as supply chain attacks, attackers can steal or compromise legitimate infrastructure, source code or certificates used to sign legitimate applications,” said Vicente Diaz, Security Engineer at VirusTotal, a unit of Google Cloud.
This becomes worrying when attackers start stealing legitimate certificates and creating seemingly legitimate applications or infrastructure in order to increase their chances of success when targeting a victim.
Lastly, the third method of attack is integrating legitimate installers as a Portable Executable resource into the malicious samples, so that the installer is executed when the malware is run.
“When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways,” the researchers said.
“Although less sophisticated, the aggregate effect of these techniques could lead to a bigger combined impact than more complex but less voluminous attacks.”