Google's VirusTotal service receives numerous file submissions every day from users who want to know whether a file is malware. In a new report, "Deception at scale: How malware abuses trust," a Google team has compiled findings on the techniques malware uses to bypass defenses and make social engineering attacks more effective. The report is meant to help security researchers, security professionals and the general public better understand the nature of malicious attacks.
I came across the following tweet from Catalin Cimpanu a few days ago, which addresses the issue and links to the blog post Deception at a scale, dated August 2, 2022.
The message of the chart above is that malware increasingly tries to abuse the trusted domains of software projects and companies for its own ends.
- Ten percent of the top 1,000 Alexa domains have distributed suspicious samples.
- 0.1 percent of legitimate hosts for popular apps have spread malware.
- 87% of the more than one million signed malicious samples uploaded to VirusTotal since January 2021 have a valid signature.
- As part of a growing social engineering trend, 4,000 samples were either executed or packaged with legitimate app installers.
- The number of malicious programs that visually mimic legitimate apps has steadily increased, with Skype, Adobe Acrobat, and VLC being the top three.
- 98% of the samples that contained legitimate installers in their PE resources were malicious.
One of the most effective social engineering techniques is to hide malware inside the installation packages of legitimate software. This is done via a supply chain attack, in which the attackers gain access to the official distribution server, the source code or the signing certificates. These are exactly the cases that were probably detected on VirusTotal based on submitted samples. Some of these samples were flagged as malicious by the VirusTotal scanners – but detection always lags behind the development of new malware. The details can be read in the VirusTotal article – the report itself can be downloaded there after registration.
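The report observes that samples carrying a legitimate installer inside their PE resources were almost always malicious. As an added illustration, not code from the report or from this blog, the following stdlib-only Python heuristic flags a file that contains a second PE image nested inside the first; the test blobs it builds are constructed stand-ins, not real binaries.

```python
import struct

MZ = b"MZ"            # DOS header magic that every PE image starts with
PE_SIG = b"PE\x00\x00"  # NT header signature that e_lfanew points to


def find_pe_headers(data: bytes) -> list:
    """Return the offsets of every plausible PE image inside `data`.

    A PE image starts with an 'MZ' DOS header whose 32-bit field at offset
    0x3C (e_lfanew) points to the 'PE\\0\\0' signature. Requiring both, rather
    than only searching for 'MZ', keeps random byte pairs from counting.
    """
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):               # full 64-byte DOS header present
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            if e_lfanew >= 0x40 and data[sig_off:sig_off + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def has_embedded_pe(data: bytes) -> bool:
    """True when a second PE image follows the outer one, e.g. a legitimate
    installer dropped into the resource section of a trojanised wrapper.
    This is a triage heuristic, not a verdict: self-extractors and some
    legitimate installers also embed PE files."""
    return len(find_pe_headers(data)) > 1


def make_fake_pe(payload: bytes = b"") -> bytes:
    """Build a minimal, non-executable PE-like blob (constructed test data)."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: NT headers follow the DOS header
    # 'PE\0\0', Machine = 0x014c (i386), then zeroed remainder of the file header
    return bytes(dos) + PE_SIG + b"\x4c\x01" + b"\x00" * 18 + payload


if __name__ == "__main__":
    clean = make_fake_pe(b"\x00" * 64)
    trojanised = make_fake_pe(b".rsrc" + make_fake_pe(b"setup payload"))
    print(has_embedded_pe(clean), has_embedded_pe(trojanised))  # False True
```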