What is Dropper Malware?
Droppers are a type of Trojan that installs other malware once it is present in a system. They are named droppers because they ‘drop’ malware and malware components into an already-compromised system. A dropper’s payload often contains more Trojans. Some droppers contain a single malicious program, but many contain multiple malware tools that may serve many different purposes and may even originate from different hacker groups. Droppers are known to carry Trojans that would normally be blocked by a target device’s security features, but the dropper evades malware detection during the downloading stage and neutralizes the system defenses prior to payload installation. Droppers come in many forms, but most have these common capabilities:
- Installers. Droppers download malware or malware components, decompress the malware or modules, and then install them. This activity does not cause damage on its own, but it sets up the malware that subsequently does.
- Detection avoidance. Droppers use different methods to avoid detection, such as deleting themselves once their purpose has been fulfilled, or creating noise around the malicious module to conceal it, for example by downloading and decompressing many harmless, unrelated files.
Common dropper behaviors include [1]:
- Connecting to unknown, suspicious websites
- Attempting to anonymize or hide connections with websites
- Connecting to websites in unusual locations, such as countries known for having higher rates of threat actor activity
- Downloading other files and programs, especially malicious files and programs
- Executing unknown or anomalous files and programs
- Searching for available security controls including firewalls, IPS, antivirus/antimalware software
- Deleting itself after completing its tasks
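The behaviors listed above are what a sandbox or EDR analyst looks for when triaging a suspect process. The following is an added example, not code from the original article or its cited source: a small rule-based scorer that walks a constructed stream of sandbox-style events for one process and maps each event onto one of the listed behaviors. The event format, the allowlist of known-good hosts, the staging-directory markers and the weights are all assumptions made for the example; the one correlation it adds beyond simple matching is flagging a process that executes a file it downloaded itself.

```python
"""Rule-based triage of one process's sandbox events for dropper-like behaviour (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Hosts the organisation has vetted; anything else counts as "unknown" (constructed allowlist).
KNOWN_GOOD_HOSTS = {"update.example-corp.internal", "cdn.example-vendor.com"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".vbs")
# Directories droppers commonly stage payloads in (lower-cased substrings of a Windows path).
STAGING_DIR_MARKERS = ("\\temp\\", "\\appdata\\local\\", "\\programdata\\")
# WMI SecurityCenter2 classes that reveal installed AV / firewall products.
SECURITY_CLASSES = {"antivirusproduct", "firewallproduct", "antispywareproduct"}
TOR_SOCKS_PORTS = {9050, 9150}  # default Tor SOCKS ports; used to spot anonymised connections


@dataclass(frozen=True)
class Finding:
    behaviour: str  # which listed dropper behaviour the event matches
    evidence: str   # the event detail that triggered the rule
    weight: int     # contribution to the overall risk score


def _in_staging_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in STAGING_DIR_MARKERS)


def triage_process(image: str, events: Iterable[dict]) -> list[Finding]:
    """Walk the event stream once; remember files written so later executions can be correlated."""
    findings: list[Finding] = []
    written_files: set[str] = set()
    for ev in events:
        kind = ev["event"]
        if kind == "connect":
            host, port = ev["host"], ev["port"]
            if host.endswith(".onion") or port in TOR_SOCKS_PORTS:
                findings.append(Finding("anonymised connection", f"{host}:{port}", 3))
            elif host not in KNOWN_GOOD_HOSTS:
                findings.append(Finding("connection to unknown host", f"{host}:{port}", 1))
        elif kind == "file_write":
            path = ev["path"]
            if path.lower().endswith(EXECUTABLE_SUFFIXES) and _in_staging_dir(path):
                written_files.add(path.lower())
                findings.append(Finding("executable written to staging dir", path, 2))
        elif kind == "process_create":
            child = ev["image"]
            if child.lower() in written_files:
                findings.append(Finding("executed a file it downloaded", child, 4))
        elif kind == "wmi_query":
            if ev["class"].lower() in SECURITY_CLASSES:
                findings.append(Finding("enumerated security controls", ev["class"], 2))
        elif kind == "file_delete":
            if ev["path"].lower() == image.lower():
                findings.append(Finding("self-deletion", ev["path"], 3))
    return findings


def risk_score(findings: Iterable[Finding]) -> int:
    return sum(f.weight for f in findings)


# Constructed event stream for one process; it is not a trace of any real malware sample.
SAMPLE_IMAGE = r"C:\Users\alice\Downloads\invoice_viewer.exe"
SAMPLE_EVENTS = [
    {"event": "wmi_query", "class": "AntiVirusProduct"},
    {"event": "connect", "host": "cdn.example-vendor.com", "port": 443},
    {"event": "connect", "host": "files.unknown-host.example", "port": 443},
    {"event": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\readme.txt"},
    {"event": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"},
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"},
    {"event": "file_delete", "path": SAMPLE_IMAGE},
]

if __name__ == "__main__":
    hits = triage_process(SAMPLE_IMAGE, SAMPLE_EVENTS)
    for hit in hits:
        print(f"[{hit.weight}] {hit.behaviour}: {hit.evidence}")
    print("risk score:", risk_score(hits))
```

The weights deliberately favour the correlated behaviours (executing a file the process itself downloaded, deleting its own image) over the individual ones, since a single unknown connection or a write to a temp directory is common in benign software as well.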
Droppers are either persistent, copying themselves to hidden files from which they can reinstall themselves if removed, or nonpersistent, uninstalling themselves from the infected device once the payload is installed. Persistent droppers are more dangerous than nonpersistent ones: they attach themselves to hidden files and create registry keys that cause them to run again after the compromised system restarts, allowing the malware or malicious modules to be re-downloaded. To remove a persistent dropper, those registry keys and hidden files must be found and removed.
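Finding the registry keys a persistent dropper leaves behind usually starts with the autostart (Run) keys. The following is an added example, not code from the original article: it parses a Windows `.reg` export of the Run keys and flags entries whose executable lives in a user-writable location or in a dot-prefixed directory, which is the kind of hidden-style staging a persistent dropper relies on. The `.reg` content, the entry names and the location heuristics are constructed for the example; the only real-world assumption is the `.reg` text format itself (quoted names and values, `\\` and `\"` escapes).

```python
"""Audit Run-key autostart entries from a .reg export for dropper-style persistence (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed .reg export; the entries and paths are invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="\"C:\\Program Files\\ExampleSync\\sync.exe\" /background"
"WinUpdateSvc"="C:\\Users\\alice\\AppData\\Roaming\\WinSvc\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"AdobeHelper"="\"C:\\ProgramData\\.adobe\\helper.exe\" -s"
'''

# Locations a standard user can write to; a trusted autostart rarely needs to live here (heuristic).
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\",
    "\\users\\public\\", "\\windows\\temp\\",
)


@dataclass(frozen=True)
class AutostartEntry:
    key: str      # registry key the value lives under
    name: str     # value name (what the dropper registered itself as)
    command: str  # decoded command line


@dataclass(frozen=True)
class PersistenceFinding:
    entry: AutostartEntry
    path: str            # executable extracted from the command line
    reasons: list[str]   # why this entry was flagged


# A .reg string value: "name"="data", where data uses \\ and \" escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> list[AutostartEntry]:
    """Collect string values from every [key] section; non-string types (dword:, hex:) are skipped."""
    entries: list[AutostartEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and current_key:
            entries.append(AutostartEntry(current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_path(command: str) -> str:
    """Quoted path if present, otherwise the first token (constructed paths have no unquoted spaces)."""
    m = re.match(r'^"([^"]+)"', command)
    return m.group(1) if m else command.split(" ")[0]


def audit_autostart(entries: list[AutostartEntry]) -> list[PersistenceFinding]:
    findings: list[PersistenceFinding] = []
    for entry in entries:
        path = executable_path(entry.command)
        lowered = path.lower()
        reasons: list[str] = []
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable location")
        # Directory components only: drop the drive letter and the file name.
        if any(part.startswith(".") for part in lowered.split("\\")[1:-1]):
            reasons.append("path contains a dot-prefixed (hidden-style) directory")
        if reasons:
            findings.append(PersistenceFinding(entry, path, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_autostart(parse_reg_export(SAMPLE_REG)):
        print(f"{f.entry.key}\\{f.entry.name} -> {f.path}")
        for reason in f.reasons:
            print("   ", reason)
```

On a real host the input would come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKLM equivalent); the flagged path is then checked for the hidden attribute and the value removed together with the file, as the text above describes. Run keys are only one persistence location, so the same audit should be repeated for RunOnce, scheduled tasks and services.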
The following tips can help prevent droppers:
- Do not click on suspicious links
- Do not open suspicious email attachments
- Be wary of removable media such as USB drives
- Do not download freeware or pirated software
- Do not connect to the internet through an unsecured proxy server
- Confirm the authenticity of apps that you download
- Be wary of low-cost devices
[1] Belding, 2020, “Malware spotlight: Droppers”