Malware authors are increasingly relying on dropper-as-a-service (DaaS) platforms to distribute their malicious creations, according to cybersecurity researchers.
In its latest research, Sophos has shared details about the growth of such DaaS platforms that infect victims who frequent piracy websites looking for cracked versions of popular business and consumer applications.
“During our recent investigation into an ongoing Raccoon Stealer (an information stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a “dropper as a service,” serving up a variety of other malware packages,” Sophos researchers Sean Gallagher and Yusuf Polat shared in a joint blog post.
The researchers note that these DaaS platforms often bundle multiple unrelated malware packages together in a single dropper, and have been observed to include click-fraud bots, information stealers, and even ransomware.
Profitable underground
The researchers note that the Raccoon Stealer campaign wasn’t the only one that relied on DaaS. Even after that particular campaign ended, Sophos continued to see more malware and other malicious content distributed through the same network of sites.
“We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products,” note the researchers.
As they investigated the networks behind the sites themselves, Sophos made a couple of interesting observations.
For starters, since the dynamic delivery network acts as an intermediary between the bait sites and the download sites, the same infected cracked product download page can deliver multiple malicious campaigns at the same time.
On top of that, it can also switch from one deliverable download to another if the malware-distributing customer has exhausted their delivery credits.
“A few hundred US dollars worth of cryptocurrency can buy a malware actor hundreds or thousands of downloads—though the price goes up if there’s a specific geographic targeting desired,” explain the researchers, adding that DaaS will continue to thrive since it’s profitable for everyone involved.