Malware analysis

Malware spotlight: Droppers

Greg Belding
January 30, 2020 by
Greg Belding

There’s a cloud of confusion around droppers. Often seen as a sort of helper program in a cyberattack, droppers are actually a type of malware that plays an instrumental role. It should be considered its own type of malware because it is responsible for a number of malicious actions.

This article will explore the dropper type of malware and examine what droppers are, how droppers spread, how droppers work, persistent versus non-persistent droppers the dangers of low-cost devices and other valuable information that will give you a better picture of this misunderstood malware.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

 

What is a dropper?

Droppers are a type of Trojan and are so distinct that they are their own breed. Their signature purpose is to install other malware once they are present in a system. In fact, they are named droppers because they drop malware and malware components into a compromised system. This activity is what has earned droppers the nickname “the malware that precipitates malware.” 

In order to better avoid detection, droppers do not normally save to disk on a compromised system. Instead, droppers usually delete themselves after their purpose has been fulfilled. They often perform different actions in the furtherance of the attack goal. 

How droppers spread

Droppers can be spread many ways. Some are obvious and easy to avoid — such as an attachment to spam emails, for example. Other methods of spreading droppers, such as drive-by downloads, are quite stealthy and invite droppers into a system by merely visiting an infected website. 

The most common ways droppers are spread include:

  • Visiting malicious websites
  • Clicking malicious links
  • Spam email attachments
  • Inserting infected removable media
  • Using an infected internet proxy
  • Downloading infected freeware

Droppers may also be spread by infected apps — even that widely-used, seemingly legitimate app you downloaded last night. Researchers recently discovered that CamScanner, a popular Android app with over 100 million downloads, has had a dropper hidden within it for some time.

How do droppers work?

No two droppers are the same. Some droppers operate as stand-alone programs and some are part of a greater malware package, often as part of a malware family that offers a one-stop-shop approach to cyberattacks. 

Despite this diversity of form and function, most droppers have the following abilities in common.

Installer

This first ability that droppers have in common is the installer. Droppers will download malware (or its components), decompress the malware or modules and then install them. This activity does not cause damage to the system per se, but it sets up the malware that causes this damage. If malware was tried in a court of law, droppers would be accomplices at best and co-conspirators at worst. 

Avoiding detection

The second ability that nearly all droppers have is the ability to avoid detection. Nothing would frustrate an attack campaign more than gaining a proverbial beachhead in an infected system only to be detected once the dropper begins downloading and installing malware. 

One way that droppers can avoid detection is to create a lot of noise around a malicious module trying to hide from detection. This noise can be created by downloading and decompressing harmless, unrelated files.

Common dropper behavior

Aside from the abilities listed above, droppers have been observed to exhibit the following behavior that sets it apart from other types of malware.

  • Searching for available security controls — including firewalls, anti-malware/antivirus, IPS and so forth
  • Connects to unknown, suspicious websites
  • Attempts to anonymize or hide connections with sites
  • Connects to sites in strange places, including parts of the world known for higher-than-normal threat actor activity
  • Downloads other files and programs, especially those that are malicious
  • Executes unknown or anomalous files and programs
  • Deletion of itself after performing the actions above

Non-persistent versus persistent droppers

When writing an article, you would normally list the affirmative before the negative. In this situation, however, the header above is quite appropriate. There’s a world of difference between these two types of droppers, enough to make one kind nothing more than an annoyance and the other an absolute nightmare.

Non-persistent droppers are the most common type of dropper and the least harmful. After their malware payload has been dropped, they simply delete themselves and never appear again. This is the type that has earned droppers their servo-mechanism reputation.

Persistent droppers are far more dangerous and are what qualifies droppers to be considered their own malware. With this type, the dropper attaches itself to some hidden, random file and creates registry keys instead of deleting itself. These registry keys are used to run the compromised system after it is restarted so the malware or malicious modules can be downloaded again. This makes removal much more difficult because both the hidden file and created keys must be found and removed in order to remove the dropper.

The danger of low-cost devices

Nothing in life is free (or sometimes even cheap). You know that off-brand Android phone you bought to use as a test device (or handheld tablet)? Chances are that it’s infected with a dropper or ten.

It turns out that the same CamScanner app dropper was found to be on over 100 low-cost Android devices. This means that unless you can find and remove this dropper, your low-cost Android device may be downloading and installing malicious modules on your phone all day long.

Conclusion

Droppers are a well-known type of malware that has been around since the early days of Trojans. They download, decompress, and install malware onto a compromised system only to dig into the compromised system by attaching itself to a hidden file or deleting itself. 

Malware researchers sometimes categorize droppers as merely a part of Trojans. But when their importance in attack campaigns and their independent nature of persistent droppers are taken into consideration, droppers should be considered their own type of malware altogether.

Sources

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.