Skip to main content

Hackers increasingly relying on dropper-as-a-service platforms to distribute malware

Trojan
(Image credit: wk1003mike / Shutterstock)

Malware authors are increasingly relying on dropper-as-a-service (DaaS) platforms to distribute their malicious creations, according to cybersecurity researchers.

In its latest research, Sophos has shared details about the growth of such DaaS platforms that infect victims who frequent piracy websites looking for cracked versions of popular business and consumer applications.

“During our recent investigation into an ongoing Raccoon Stealer (an information stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a “dropper as a service,” serving up a variety of other malware packages,” Sophos researchers Sean Gallagher, Yusuf Polat shared in a joint blog post.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The researchers note that these DaaS often bundle multiple unrelated malware together in a single dropper, and have been observed to include click-fraud bots, information stealers, and even ransomware.

Profitable underground

The researchers note that the Raccoon Stealer campaign wasn’t the only one that relied on DaaS. Even after that particular campaign ended Sophos continued to see more malware and other malicious content distributed through the same network of sites.

“We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products,” note the researchers.

As they investigated the networks behind the sites themselves, Sophos made a couple of interesting observations. 

For starters, since the dynamic delivery network acts as an intermediary between the bait sites and the download sites, the same infected cracked product download page can deliver multiple malicious campaigns at the same time. 

On top of that it can also switch from one deliverable download to another in case the malware distributing customer has exhausted their delivery credits.

“A few hundred US dollars worth of cryptocurrency can buy a malware actor hundreds or thousands of downloads—though the price goes up if there’s a specific geographic targeting desired,” explain the researchers, adding that DaaS will continue to thrive since it’s profitable for everyone involved.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.