VirusTotal Reveals Most Impersonated Software in Malware Attacks

Technology / August 3, 2022 / Greatquotes / 0

Threat actors are mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack.

Other legitimate apps most often impersonated by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis by VirusTotal has revealed.

“One of the simplest social engineering tricks we’ve seen involves making a malware sample seem a legitimate program,” VirusTotal said in a Tuesday report. “The icon of these programs is a critical feature used to convince victims that these programs are legitimate.”

It’s no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables.


This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses. Some of the top abused domains are discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com, and qq[.]com.

In total, no fewer than 2.5 million suspicious files downloaded from 101 domains belonging to Alexa’s top 1,000 websites have been detected.

The misuse of Discord has been well-documented, what with the platform’s content delivery network (CDN) becoming a fertile ground for hosting malware alongside Telegram, while also offering a “perfect communications hub for attackers.”

Another oft-used technique is the practice of signing malware with valid certificates stolen from other software makers. The malware scanning service said it found more than one million malicious samples since January 2021, out of which 87% had a legitimate signature when they were first uploaded to its database.

VirusTotal said it also uncovered 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware in installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.

Such a distribution method can also result in a supply chain attack when attackers manage to break into a legitimate software’s update server or gain unauthorized access to the source code, making it possible to sneak in the malware in the form of trojanized binaries.

Alternatively, legitimate installers are being packed in compressed files along with malware-laced files, in one case including the legitimate Proton VPN installer and malware that installs the Jigsaw ransomware.

That’s not all. A third method, albeit more sophisticated, entails incorporating the legitimate installer as a portable executable resource into the malicious sample so that the installer is also executed when the malware is run so as to give an illusion that the software is working as intended.
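A defender-side triage check for the third method above, as an added example that is not from VirusTotal's report or the original article: it scans a file for additional PE images (an MZ header whose `e_lfanew` field points at a `PE\0\0` signature) located past offset 0. The helper names, the `e_lfanew` bound, and the sample bytes are constructed for illustration.

```python
import struct

def _is_pe_at(data: bytes, off: int) -> bool:
    """True if a plausible PE image starts at `off`: MZ -> e_lfanew -> 'PE\\0\\0'."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False  # not MZ, or too short to hold a 64-byte DOS header
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    pe = off + e_lfanew
    # Heuristic bound (assumption): the PE header sits shortly after the DOS stub.
    return 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00"

def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets of PE images found after offset 0 of the outer file."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if _is_pe_at(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def _fake_pe(payload: bytes = b"") -> bytes:
    """Constructed stand-in for a PE: 64-byte DOS header, PE signature at 0x40."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> 0x40
    return bytes(dos) + b"PE\x00\x00" + payload

# Constructed samples: one file carrying a second PE, one with only a stray "MZ" string.
SAMPLE_BUNDLED = _fake_pe(b"\x00" * 0x20 + _fake_pe(b"installer body"))
SAMPLE_PLAIN = _fake_pe(b"plain MZ text, no header" + b"\x00" * 0x40)

if __name__ == "__main__":
    for name, blob in (("bundled", SAMPLE_BUNDLED), ("plain", SAMPLE_PLAIN)):
        offsets = find_embedded_pe(blob)
        print(f"{name}: embedded PE offsets = {[hex(o) for o in offsets]}")
```

Legitimate installers and self-extracting archives also carry embedded executables, so a hit is a triage signal to weigh together with the signer and download source, not a verdict.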

“When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways,” the researchers said.
