Malware Loaders & Droppers
Malware loaders or droppers are Trojans that gain initial access, establish persistence to support additional intrusion activities, and deploy next-stage malware (including ransomware). They can deploy, and be deployed by, other malware, including each other. They’re usually scripts or small applications. Common loaders are Qakbot, IcedID, Emotet, Trickbot, and Bumblebee.
Note: Some use the terms loader (or downloader) and dropper interchangeably (Cyware, Heimdal Security, ThreatPost), while others use different definitions. For example, some define droppers as including payloads, while loaders download payloads from an external source (Flashpoint). Others define these terms the opposite way (Cisco). There doesn’t seem to be an industry-wide consensus. In this post, I use the terms interchangeably.
Loaders are commonly delivered by malicious email, as attachments or links. They can also be delivered via compromised websites, removable media, Internet proxies, and trojanized software.
In the past, loaders commonly entered systems via malicious Microsoft Office macros, but since Microsoft has improved Office security, loaders now enter via other methods. They may arrive inside malicious ISO (disk image) files that contain other files (such as ZIP and LNK files), inside malicious ZIP files that contain other files (such as ISO, LNK, and DLL files), via malicious LNK (shortcut) files that point to them, or inside malicious HTML files containing JavaScript and a DLL.
Loaders can use commercial tools (e.g., Cobalt Strike, Brute Ratel) or LOLBins (living-off-the-land binaries already present on the system, e.g., PowerShell, regsvr32.exe, rundll32.exe, curl.exe, calc.exe).
Loaders can form botnets, deliver secondary payloads, exfiltrate data, perform browser hooking, establish AiTM (adversary-in-the-middle) proxies, establish remote control via VNC, search for security measures (firewalls, antimalware, UAC, etc.), and connect to C2 servers.
To avoid detection, loaders often don’t save to disk, and delete themselves once they’ve loaded other malware. They also commonly create “noise” on a system by downloading and decompressing unrelated files. They may place images or videos on an infected system, to distract from their true purposes.
Loaders can be persistent or non-persistent. Non-persistent loaders, the more common type, delete themselves once they’ve loaded other malware. Persistent loaders attach themselves to a hidden file and create registry keys that allow the loader to run again after a system reboot.
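The LOLBin execution described above and the registry-based persistence of persistent loaders both leave telemetry a defender can triage. The following is an added example, not code from the original post: a small Python triage routine run over constructed, Sysmon-style process and registry events (hypothetical paths and key names), flagging LOLBins from the post that load a DLL or script from a user-writable location or non-system drive (where a mounted ISO typically lands), and writes to autostart Run keys.

```python
import re

# Constructed sample telemetry (Sysmon-style fields, made-up paths); not real data.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\ldr.dll,DllRegisterServer"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s E:\invoice\update.dll"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign system use
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\Users\alice\AppData\Roaming\svc.dll,Start"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Vendor\Settings\Verbose", "value": "1"},
]

# LOLBins named in the post; calc.exe is omitted because it takes no payload argument.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "powershell.exe", "curl.exe"}

# Heuristic: a DLL/script path under a user-writable directory or on a non-system
# drive letter. Assumption: C: is the system drive; tune for your environment.
SUSPICIOUS_PATH = re.compile(
    r"(?:[D-Z]:\\|\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\)[^\s,]*\.(?:dll|js|vbs|ps1)",
    re.IGNORECASE)
# Classic autostart locations used for reboot persistence.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (event, reason) pairs that merit analyst attention."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and basename(ev["image"]) in LOLBINS:
            m = SUSPICIOUS_PATH.search(ev["cmdline"])
            if m:
                findings.append((ev, f"LOLBin {basename(ev['image'])} loading {m.group(0)}"))
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            findings.append((ev, f"autostart entry {ev['key']} -> {ev['value']}"))
    return findings

if __name__ == "__main__":
    for _, reason in triage(EVENTS):
        print(reason)
```

The benign rundll32 invocation of shell32.dll is deliberately not flagged, which is the point of keying on the payload path rather than on the LOLBin name alone.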
TTPs associated with loaders include phishing, malspam, social engineering, vulnerability exploitation, data theft (of financial data and credentials), and worm-like propagation.