What is a dropper?

Being utilities, droppers take care of rebooting and installing the malware itself. Cybercriminals, such as spammers, use droppers to bypass anti-malware signatures.

Security tools use signatures to try to block or quarantine malicious code. It is much easier for attackers to modify or replace a dropper if its signature is discovered than to rewrite the basis of the actual malicious code.

Droppers, like Trojans, come in permanent and non-persistent varieties. Non-persistent droppers do their job: install malware on the victim's system and then automatically remove themselves.

Persistent droppers copy themselves into a hidden file and remain there until they complete their intended task. Droppers can enter victims' systems in a variety of ways:

- Through a prepared email attachment.

- As an incidental download through a prepared website.

- Via the link in the prepared letter or on the website.

- Or through prepared removable media, such as a USB drive.

Sometimes droppers are hidden in free utilities such as ad blockers to make them harder for antivirus software to detect. When running a free tool, the dropper first downloads and installs malware and then unpacks and installs the legitimate tool.

Droppers cannot be associated with file extensions, making them difficult to detect. They behave similarly to Trojan horses and are often used in spear phishing attacks. Although droppers are traditional programs themselves, their capabilities are usually offered as part of a malware package.

Dropper protection

The US Cybersecurity and Infrastructure Security Agency (CISA) recommends that users and administrators take the following steps to improve protection against droppers:

- Email attachments that cannot be verified by security software should be blocked.

- Security strategy based on a zero trust model.

- Implement the principle of minimal distribution of rights.

- Implement network segmentation to segment and separate networks and functions.

Mainton Company - custom software development and testing, DevOps and SRE, SEO and online advertising since 2004.