According to a report by VirusTotal, hackers are increasingly hiding malware in popular apps such as Alexa, Adobe Acrobat, VLC, Discord and Skype. More than ever, distrust is warranted.
VirusTotal, the online malware analysis service owned by Google, has just published a report entitled Deception at Scale: How Malware Abuses Trust on the techniques hackers use to distribute viruses and other malicious software by abusing users’ trust in certain well-known applications. Although hackers use several approaches, the principle is always the same: exploit human vulnerability to push victims into disclosing private information while bypassing the various defense systems in place. Most striking of all, these “evil geniuses” do not hesitate to rely on very popular applications, which anyone is likely to download and use without suspicion…
Malware that uses reputable software
VirusTotal is a threat detection tool that, through its own dedicated search engine for malware samples, domains and attacker behavior patterns, inspects submitted items with over 70 antivirus scanners and URL/domain blocking services. All you have to do is select a file on your computer or enter a URL in your browser and submit it to the service. It also recently unveiled a report on the state of malware threats: knowing as precisely as possible how attacks work is essential in order to counter them. And the conclusion is rather disturbing.
The most effective technique is to hide a piece of malicious code in updates or other installation packages of legitimate software, taking advantage of users’ trust in the software’s reputation: no one would expect to get infected by downloading Facebook, for example. Moreover, the software’s billions of users are all potential prey. VirusTotal found, for instance, that 10% of the top 1,000 Alexa domains, Amazon’s voice assistant, spread some 2.5 million suspicious files.
Skype, Adobe Acrobat and Discord infected
Several techniques are used. The most common, and on the rise, is to visually imitate legitimate applications. The software icon is, incidentally, “an essential feature” for convincing users that the programs they download are legitimate and harmless. Skype tops the list of software most abused by hackers in their campaigns. Next come Adobe Acrobat, the PDF reader, and VLC, the very popular French media player, followed by CCleaner, WhatsApp, Steam, Zoom, web browsers such as Chrome and Firefox, and, even more ironically, Malwarebytes, the well-known security tool intended precisely to detect malicious software…
Another frequently used technique is the theft of legitimate code signing certificates from software manufacturers, which are then used to sign the malware. A code signing certificate is a digital certificate, issued by a Certification Authority, that contains information identifying an organization. It gives access to the most privileged areas of the operating system and can disable security products. The malware analysis service said it had found more than a million malicious samples since January 2021, 87% of which carried a legitimate signature when first uploaded to its database. The security measure was therefore bypassed.
A third, more sophisticated method is to embed the legitimate installer as a portable executable (PE) resource inside the malware. The installer then runs when the malware runs, giving the illusion that the software is working as expected. Finally, watch out for the instant messaging software Discord, which has several vulnerabilities in its Content Delivery Network (CDN), a set of computers networked through the Internet to speed up the distribution of content (images, videos, HTML pages, etc.), and is therefore likely to harbor malware.
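A simple triage check for the third technique described above, as an added example that is not part of the VirusTotal report or of any tool it mentions: a file that carries a second complete PE header past offset 0 (for example, a legitimate installer stored as a resource or appended overlay) is worth a closer look. The sample blob, the `build_fake_pe` helper and the heuristic itself are constructed for this illustration.

```python
import struct
import sys

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

def find_pe_headers(data: bytes):
    """Return (offset, machine) for every plausible PE header in the blob.

    Heuristic (constructed for this example): an 'MZ' whose e_lfanew field
    (DOS header offset 0x3C) points at a PE signature inside the buffer.
    Offset 0 is the carrier itself; any later hit is a PE image carried
    inside it, e.g. an installer stored as a resource or an appended overlay."""
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):                      # full DOS header present
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            if e_lfanew >= 0x40 and pe_off + 8 <= len(data) \
                    and data[pe_off:pe_off + 4] == PE_SIG:
                (machine,) = struct.unpack_from("<H", data, pe_off + 4)
                hits.append((pos, machine))
        pos = data.find(MZ, pos + 1)
    return hits

def carries_embedded_pe(data: bytes) -> bool:
    """True when a PE image sits somewhere after offset 0 of the carrier."""
    return any(off > 0 for off, _ in find_pe_headers(data))

def build_fake_pe(machine: int, payload: bytes = b"") -> bytes:
    """Constructed, non-runnable PE-shaped test blob: DOS header + COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> right after DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + PE_SIG + coff + payload

# Constructed sample: an x86 carrier (Machine 0x14C) with an x64 image
# (Machine 0x8664) buried 0x200 bytes past the carrier's own headers.
INNER = build_fake_pe(0x8664)
SAMPLE = build_fake_pe(0x14C, b"\x00" * 0x200 + INNER + b"\x00" * 0x20)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, machine in find_pe_headers(blob):
        tag = "carrier" if off == 0 else "EMBEDDED"
        print(f"{tag:8} offset=0x{off:x} machine=0x{machine:x}")
```

A hit after offset 0 is only a lead, not a verdict: legitimate installers and self-extracting archives also carry inner executables, so the finding should be combined with the signature and reputation checks discussed earlier.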