- Threat actors are abusing legitimate domains to launch malicious attacks by installing malware, according to research from VirusTotal.
- Embedding malware into installation packages with legitimate software is one of the most effective means of using social engineering to conduct such attacks, according to researchers. There has been a growing trend in the amount of malware that mimics legitimate applications, such as Skype, Adobe Acrobat and VLC, which represent the top three most-abused.
- Out of more than one million signed malicious samples uploaded to VirusTotal since January 2021, 87% of those samples have valid signatures, according to the report.
The report highlights how attackers hide malware behind legitimate applications in order to trick users into installing what instead contains malicious files.
Researchers said they found at least 2.5 million suspicious files — detected by at least five different antivirus programs — from the top 1,000 Alexa domains.
Attackers are using trusted applications as bait to lure potential victims, according to Vicente Diaz, security engineer at VirusTotal, a unit of Google Cloud.
“In some cases, such as supply chain attacks, attackers can steal or compromise legitimate infrastructure, source code or certificates used to sign legitimate applications,” Diaz said via email.
The report analyzes a softer version of this type of activity, “where attackers simply impersonate — using different techniques — legitimate applications or infrastructure in order to increase their success when targeting a victim,” he said.
For example, 10% of the top Alexa domains have previously distributed malicious samples.
In addition, 0.1% of legitimate hosts for widely used applications have distributed malware.