Cybercriminals have certain applications that they prefer over others when trying to trick us. According to the latest study by VirusTotal, owned by Google, Skype, Adobe Reader and VLC Player are currently their favorite programs: they imitate them and thus gain the trust of users in order to carry out an attack.
In addition, according to the experts, the trick is also simple: “one of the simplest social engineering tricks we have seen is in making a malware sample look like a legitimate program,” VirusTotal said in its report. “The icon of these programs is actually a critical feature used to convince victims that these programs are legitimate.”
VirusTotal said it also discovered 1,816 samples since January 2020 that masqueraded as legitimate software by packaging the malware into installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox and Proton VPN.
Legitimate app hosts distribute malware
Another notable finding is that an estimated 0.1% of legitimate hosts of popular applications have distributed malware. Attackers achieve this primarily by leveraging genuine domains in an attempt to bypass IP-based firewall defenses. Some of the most abused domains are discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com and qq[.]com.
In addition, 2.5 million suspicious files have been detected downloaded from 101 domains belonging to the top 1,000 Alexa websites. This translates to “10% of the top 1,000 Alexa domains having distributed suspicious samples.”
In addition, as The Hacker News points out, the improper use of Discord has been well documented, since the platform’s content delivery network (CDN) has become a fertile ground for hosting malware, along with Telegram.
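The two patterns described above (installers named after popular programs, and payloads served from legitimate but abused domains) are easy to look for in outbound proxy logs. The following is an added example, not code from the VirusTotal report or from this article: it parses a few constructed proxy log lines, keeps only executable or archive downloads from the abused domains named in the report, and notes when the file name borrows the name of one of the commonly impersonated products. The log format, the product list and the extension and content-type lists are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import posixpath

# Domains the report names as most abused for hosting malware.
WATCHED_DOMAINS = frozenset({
    "discordapp.com", "squarespace.com", "amazonaws.com", "mediafire.com", "qq.com",
})
# Products the report says are commonly imitated (lower-case substrings to look for in file names).
IMPERSONATED_PRODUCTS = (
    "skype", "adobe", "acrobat", "vlc", "chrome", "malwarebytes", "zoom", "brave", "firefox", "protonvpn",
)
# Assumed lists: what counts as a "payload" download rather than ordinary web content.
EXEC_EXTENSIONS = frozenset({".exe", ".msi", ".dll", ".scr", ".js", ".vbs", ".ps1", ".zip", ".iso", ".img"})
EXEC_CONTENT_TYPES = frozenset({
    "application/x-msdownload", "application/x-msdos-program", "application/octet-stream",
})

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status> <content-type>".
SAMPLE_LOG = """\
2022-08-03T10:12:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/123/456/Skype-Setup.exe 200 application/x-msdownload
2022-08-03T10:12:07Z 10.0.0.5 GET https://www.squarespace.com/index.html 200 text/html
2022-08-03T10:13:30Z 10.0.0.9 GET https://s3.amazonaws.com/my-bucket/invoice.pdf 200 application/pdf
2022-08-03T10:14:02Z 10.0.0.9 GET https://download.mediafire.com/file/abc/vlc-3.0.17-win64.zip 200 application/octet-stream
2022-08-03T10:15:44Z 10.0.0.12 GET https://www.videolan.org/vlc/download-windows.html 200 text/html
2022-08-03T10:16:10Z 10.0.0.12 GET https://notdiscordapp.com/x.exe 200 application/octet-stream
"""


@dataclass
class Finding:
    client: str
    host: str
    filename: str
    reasons: list = field(default_factory=list)


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (not a look-alike such as notdiscordapp.com)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def watched_domain_for(host: str):
    """Return the abused domain that host belongs to, or None."""
    for domain in WATCHED_DOMAINS:
        if host_matches(host, domain):
            return domain
    return None


def parse_line(line: str):
    """Split one proxy log line into its fields; return None for lines that do not fit the assumed format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    timestamp, client, method, url, status, ctype = parts
    return {"timestamp": timestamp, "client": client, "method": method,
            "url": url, "status": status, "ctype": ctype}


def classify(entry: dict):
    """Return a Finding for a payload download from an abused domain, else None."""
    parsed = urlparse(entry["url"])
    host = parsed.hostname or ""
    domain = watched_domain_for(host)
    if domain is None:
        return None
    filename = posixpath.basename(parsed.path)
    ext = posixpath.splitext(filename)[1].lower()
    # Ordinary pages from these domains are normal traffic; only executables and archives are of interest.
    if ext not in EXEC_EXTENSIONS and entry["ctype"].lower() not in EXEC_CONTENT_TYPES:
        return None
    reasons = [f"executable/archive fetched from abused host {domain}"]
    # A payload named after a well-known program is the social engineering trick the report describes.
    for product in IMPERSONATED_PRODUCTS:
        if product in filename.lower():
            reasons.append(f"filename mimics {product}")
            break
    return Finding(client=entry["client"], host=host, filename=filename, reasons=reasons)


def analyse(lines):
    """Run the classifier over an iterable of log lines and collect the findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f.client} -> {f.host}/{f.filename}: " + "; ".join(f.reasons))
```

On the sample log this reports the Skype-named executable from the Discord CDN and the VLC-named archive from MediaFire, and nothing else: the HTML pages and the PDF are left alone, and the look-alike host `notdiscordapp.com` does not match because the suffix check requires a real subdomain boundary. A match is a lead for triage (hash lookup, sandboxing), not proof of malware, since these domains also carry plenty of legitimate downloads.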
Another widely used technique is signing malware with valid certificates stolen from other software vendors. The malware scanning service said it found more than a million malicious samples since January 2021, of which 87% carried a legitimate signature when they were first uploaded to its database.