These Are the Most Impersonated Apps Used in Malware Attacks
Malicious attackers are increasingly mimicking legitimate apps as a way to abuse trusted relationships and increase the likelihood of a successful social engineering attack.
According to analysis from VirusTotal, some of the most impersonated apps include Skype, Adobe Reader, VLC Player, 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp.
“One of the simplest social engineering tricks we’ve seen involved making a malware sample seem like a legitimate program,” VirusTotal said in a report. “The icon of these programs is a critical feature used to convince victims that these programs are legitimate.”
It should not surprise anyone that attackers use a variety of approaches to compromise endpoints by tricking users into downloading and running what seem to be innocuous executables.
This is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses. Some of the most abused domains include Discord, Squarespace, Amazon AWS and Mediafire to name a few.
The misuse of Discord has been well-documented. The platform’s content delivery network (CDN) was a popular location for hosting malware, alongside Telegram, while also offering a “perfect communications hub for attackers.”
Another technique that is used quite often is signing malware with valid certificates stolen from other software makers. VirusTotal said it found more than one million malicious samples since January 2021, of which 87% had a legitimate signature when they were first uploaded to the database.
VirusTotal said it also uncovered 1,816 samples since January 2020 that disguised themselves as legitimate software by packaging the malware in installers for software like Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox and Proton VPN.
This kind of distribution method can also result in a supply chain attack when adversaries manage to break into a legitimate software’s update server or gain unauthorized access to source code, making it possible to sneak malware in the form of trojanized binaries.
Alternatively, legitimate installers are packed into compressed archives together with malware-laced files.
A third method, which is more sophisticated, incorporates the legitimate installer as a portable executable resource into the malicious sample so that the installer is also executed when the malware is run – giving the victim the illusion that the software is working as intended.
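A simple triage check for that third technique, added here as an illustration and not taken from VirusTotal’s report: scan a sample for a second PE image embedded in its body (the resource or overlay area where a bundled installer would sit). The sample bytes are constructed stand-ins, and a production scanner would additionally walk the PE resource directory rather than rely on a raw byte scan.

```python
"""Find PE images embedded inside another PE (installer-as-resource triage)."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def pe_headers(buf: bytes):
    """Yield the offset of every plausible PE image inside buf.

    A PE starts with 'MZ'; the DWORD at +0x3C (e_lfanew) points to the
    'PE\\0\\0' signature. Requiring both, with a sane e_lfanew range,
    filters out random 'MZ' byte pairs in data sections.
    """
    off = buf.find(MZ)
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            sig_off = off + e_lfanew
            # Heuristic bounds: DOS header is 0x40 bytes, stubs are small.
            if 0x40 <= e_lfanew < 0x1000 and buf[sig_off:sig_off + 4] == PE_SIG:
                yield off
        off = buf.find(MZ, off + 1)


def embedded_pe_offsets(buf: bytes) -> list[int]:
    """Offsets of PE images other than the outer file's own header at 0."""
    return [o for o in pe_headers(buf) if o != 0]


def fake_pe(payload: bytes = b"") -> bytes:
    """Build a minimal, non-executable PE-shaped blob (constructed test data)."""
    hdr = bytearray(MZ + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    return bytes(hdr) + PE_SIG + payload


# Constructed sample: a "dropper" whose resource/overlay area carries a
# second PE, standing in for a bundled legitimate installer.
INNER = fake_pe(b"INSTALLER-BYTES")
OUTER = fake_pe(b"\0" * 0x200 + b"RSRC" + INNER)

if __name__ == "__main__":
    for off in embedded_pe_offsets(OUTER):
        print(f"embedded PE image at offset 0x{off:x}")  # prints 0x248
```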
“When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways,” the researchers said.
Story via The Hacker News