VirusTotal Reveals List of Most Mimicked Legitimate Apps in Malware Attacks

The cybersecurity analysts at VirusTotal recently discovered that an increasing number of threats are being used to mask legitimate applications with fake versions.

In order to perpetrate social engineering attacks successfully, threat actors mimic the legit applications to achieve their goal.

Based on findings from VirusTotal, cybercriminals are able to exploit users’ trust by deploying a variety of methods to deceive them into downloading malicious applications.

A popular method for delivering malware is to mimic legitimate applications to present them as legitimate ones. Using this technique, the victim is convinced to use the mimicked app after being persuaded of its authenticity by its icon.

This new malicious strategy is primarily designed to circumvent the barriers of security solutions. There has been an increase in the number of suspicious samples since 2021, according to reports.

Distributing Malware via Legitimate Domains

In addition to using social engineering techniques to hide malware, one of the most effective social engineering tactics is to pack the malware with legitimate software in order to disguise it as an installation package. 

When attackers gain access to the source code, server, or certificates for the official distribution, this will become a supply chain attack. VirusTotal has verified that all of the files submitted to them are from well-known legitimate domains. 

Over 5% of the antivirus applications that were tested detected 78 files as potentially malicious out of approximately 80,000 unique files.

A total of 10% of the top 1,000 domains according to Alexa had suspicious samples distributed across their websites. These domains were used to download more than 2 million shady files.

Apps Mimicked and Abused

Here below we have mentioned all the applications that are mimicked and abused by the threat actors:-

• Skype (Mimicked 28%)
• Adobe Reader (Mimicked 18.2%)
• VLC Player (Mimicked 17.6%)
• 7zip (Mimicked 11.5%)
• TeamViewer (Mimicked 7.5%)
• CCleaner (Mimicked 5.6%)
• Microsoft Edge (Mimicked 2.5%)
• Steam (Mimicked 2.3%)
• Zoom (Mimicked 1.8%)
• WhatsApp (Mimicked 0.8%)

Domains Used to Distribute Malware

Here below we have mentioned all the legit and top-ranking domains that are abused by the threat actors to distribute the malware:-

• hxxps://cdn[.]discordapp[.]com
• hxxp://aaaenterprises[.]co
• hxxps://bit[.]ly
• hxxps://updatebrowser[.]org
• hxxps://anonymousfiles[.]io
• hxxp://192.210.173[.]40
• hxxps://uc1a9ed2ac0662c4ccfe1b1ab0b5.dl.dropboxusercontent[.]com
• hxxp://192.227.158[.]110
• hxxp://69.64.43[.]224
• hxxp://103.249.34[.]183

There were 1,816 samples found through VirusTotal since January 2020 that were mimicking legit software, and the malware remained hidden in popular software installation packages such as the following:-

• Zoom
• Google Chrome
• Proton VPN
• Brave
• Mozilla Firefox

To identify the methods malware uses to increase its effectiveness, it is essential to understand the techniques used to do so. By analyzing the data, future campaigns can be monitored and understood more actively.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.