Watch Out! Fake WhatsApp and Zoom Apps Contain Dangerous Malware

Hackers and cybercriminals are getting more creative in how they attack their targets. One method that has recently become widespread is hiding malware inside bogus applications that are disguised as popular, trusted programs.

Security researchers at VirusTotal recently published a list of the applications that cybercriminals most often impersonate when hunting for victims. The impersonation is chosen to exploit users' trust in familiar software and so raise the odds that a social engineering attack succeeds.


Some of the most widely imitated popular apps include Skype, Adobe Reader, VLC Player, 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp.



"One of the simplest social engineering tricks we've seen involves making malware samples look like real programs," VirusTotal said in its report, as quoted by The Hacker News, Sunday (7/8/2022).


"The icons for these programs are a key feature used to convince victims that these programs are genuine."



To further convince the target that they are downloading a harmless application, these cybercriminals also host their files on legitimate domains, which lets the downloads slip past IP-based firewalls and reputation filters. Some of the most abused domains include discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com, and qq[.]com.


In total, VirusTotal detected 2.5 million suspicious files downloaded from 101 domains that appear in Alexa's list of the top 1,000 websites.


Several popular platforms are also abused to spread malware. Two of them are Discord and Telegram, which are places for hosting malware as well as a means of communication for cybercriminals.


Since January 2020, VirusTotal also found 1,816 malware samples that disguised themselves as genuine applications by packaging malware in popular software installers such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.



In addition, some application installers are distributed inside compressed archives that also contain files laced with malware. One example is a genuine Proton VPN installer that was found bundled with malware that installed the Jigsaw ransomware.


Another method used by cybercriminals is to embed the genuine installer inside a malicious sample as a 'portable executable resource'. When the malware runs, it launches the embedded installer, creating the illusion that the application is installing and working normally while the malicious code executes alongside it.
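The embedded-installer trick described above leaves a recognisable trace: a second, complete PE image sitting inside the outer executable. The following Python script is an added example for defenders and is not code from VirusTotal or from the article; it scans a file for 'MZ' markers whose DOS header points at a valid 'PE\0\0' signature and reports every embedded image it finds. The sample binaries it scans are constructed in-line so the script runs offline; the PE-shaped blobs are minimal header stubs, not runnable programs.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"


def is_valid_pe_at(data, off):
    """Return True if a plausible PE image starts at offset `off`.

    A real image has 'MZ' at the start of its DOS header and a 32-bit
    e_lfanew field at DOS offset 0x3C that points to the 'PE\\0\\0' signature.
    """
    if off + 0x40 > len(data) or data[off:off + 2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    # e_lfanew is small in real files; reject absurd values and truncated headers
    if e_lfanew < 0x40 or pe_off + 24 > len(data):
        return False
    return data[pe_off:pe_off + 4] == PE_MAGIC


def find_embedded_pes(data):
    """Return the offsets of every valid PE header found after offset 0.

    Offset 0 is the outer file itself; any later hit is an embedded image,
    which is the pattern a dropper uses when it carries a genuine installer.
    """
    hits = []
    pos = data.find(MZ_MAGIC, 1)
    while pos != -1:
        if is_valid_pe_at(data, pos):
            hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def has_embedded_pe(data):
    """Triage signal: True when at least one embedded PE image is present."""
    return len(find_embedded_pes(data)) > 0


def make_minimal_pe(payload=b""):
    """Construct a tiny PE-shaped blob for the demo (constructed sample, not runnable).

    Layout: 0x80-byte DOS header with e_lfanew=0x80, then 'PE\\0\\0', a 20-byte
    IMAGE_FILE_HEADER (i386, one section, 0xE0-byte optional header), a zeroed
    optional header, and finally an arbitrary payload.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_MAGIC + file_header + b"\0" * 0xE0 + payload


if __name__ == "__main__":
    # Constructed samples: a "clean" installer and a dropper carrying it as a resource.
    installer = make_minimal_pe(b"constructed genuine installer bytes")
    dropper = make_minimal_pe(b"\0" * 64 + installer + b"\0" * 16)
    for name, blob in (("installer", installer), ("dropper", dropper)):
        print(name, "embedded PE offsets:", find_embedded_pes(blob))
```

Treat a hit as a triage signal rather than a verdict: legitimate self-extracting archives and some installers also embed PE images, so the result should feed a rule (for example, alert when an unsigned binary carrying the icon of a well-known product contains a second PE) rather than block on its own. The scan also only finds images stored in the clear; a dropper that compresses or encrypts its embedded installer needs a sandbox or memory scan to reveal it.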
