What is a downloader? A type of Trojan that only downloads malware
A downloader is a type of Trojan whose only function is to download one or more other threats, which then carry out the malicious actions the attacker is after. Although a downloader carries no malicious payload of its own, which helps it evade detection, it is considered both a propagation method and a threat in its own right because of the role it plays in the infection chain, much like dropper Trojans.
Historically, malware has had to evolve continuously, and this evolution is visible in the behavior of some malicious code: for example, samples that detect that they are running not on a victim's machine but in a virtual machine, a sign that they are being analyzed by an automated sandbox or by an analyst, and change their behavior accordingly. Alongside such new behaviors and modifications, new threat types such as downloaders emerged with the same objective: avoiding detection.
How does a downloader work?
Trojan downloaders usually target end-user computers and are commonly distributed as programs posing as legitimate software on unofficial or third-party sites, for instance the well-known cracks or "free" downloads of paid programs.
To carry out their action, downloaders require user interaction: the downloaded file has to be executed by the victim. Once it runs, the malware typically either performs the legitimate download of the software it was impersonating or shows nothing visible to the user at all, while in the background it begins downloading additional files. That download can come from any Internet site hosting the threat that will ultimately infect the victim's computer, or it can be served by a command and control server operated by the attacker.
After the final threat has been downloaded, the downloader modifies the compromised system's registry (typically an autorun entry such as a Run key) so that the malware is launched every time the system boots. This registry change is key to the operation of the threat, since it reduces the chances of detection by some free antimalware products: the downloader does not raise suspicion by immediately executing a recently downloaded file because, as noted above, it carries no malicious payload of its own. Its role is limited to fetching a file and modifying the registry so that the final threat does its job when the computer starts up, a sequence that looks much like what legitimate applications do when they update themselves automatically.
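The sequence just described (a payload written to a user-writable location, then an autorun registry value pointing at it) is also what a defender can look for in endpoint telemetry. The correlator below is an added example, not code from the original article: it runs over constructed, Sysmon-style events in an assumed time|event id|process|target layout (real Sysmon output is XML or JSON and its field names differ) and flags a Run or RunOnce value whose target file was created in a user-writable directory shortly before the value was written. It goes slightly beyond the text by also covering RunOnce and HKLM entries, and by keeping a per-user installer that updates itself (the OneDrive line) out of the findings, because no fresh file creation precedes its autorun entry.

```python
"""Correlate FileCreate and Run-key telemetry to spot downloader-style persistence.

Added example (not the article's code). Event layout, field names and the
sample events are assumptions made for this illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). One event per line:
#   <ISO time>|<event id>|<acting process>|<target>
# Event 11 mimics Sysmon FileCreate  (target = created file path).
# Event 13 mimics Sysmon RegistryEvent value set (target = "<key\value> = <data>").
SAMPLE_EVENTS = r"""
2021-05-10T10:00:01|11|C:\Users\bob\Downloads\setup_crack.exe|C:\Users\bob\AppData\Local\Temp\upd8.exe
2021-05-10T10:00:03|13|C:\Users\bob\Downloads\setup_crack.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\bob\AppData\Local\Temp\upd8.exe"
2021-05-10T10:05:00|11|C:\Program Files\Vendor\update.exe|C:\Program Files\Vendor\app.exe
2021-05-10T10:05:02|13|C:\Program Files\Vendor\update.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp = "C:\Program Files\Vendor\app.exe"
2021-05-10T11:00:00|13|C:\Windows\explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe
""".strip()

# Matches a value written under Run or RunOnce (any hive) and captures its data.
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+ = (.+)$",
    re.IGNORECASE,
)

# Locations a standard user can write to. An autorun entry pointing here is
# where downloaded payloads usually end up; it is not proof on its own, which
# is why the file-creation correlation below is required.
USER_WRITABLE_MARKERS = ("/users/", "/programdata/", "/temp/")


def parse_events(text):
    """Parse the pipe-separated sample layout into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        ts, eid, proc, target = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "eid": int(eid),
                       "process": proc, "target": target})
    return events


def norm(path):
    """Case-insensitive, slash-normalized, unquoted form used as a lookup key."""
    return path.lower().replace("\\", "/").strip('"')


def is_user_writable(path):
    return any(marker in norm(path) for marker in USER_WRITABLE_MARKERS)


def first_token(data):
    """Executable referenced by a Run value: a quoted path, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', data.strip())
    return (m.group(1) or m.group(2)) if m else data


def find_downloader_persistence(events, window=timedelta(minutes=5)):
    """Flag Run/RunOnce values pointing at a user-writable file that was
    created within `window` before the value was written."""
    created = {}  # normalized path -> [(creation time, creating process), ...]
    for ev in events:
        if ev["eid"] == 11:
            created.setdefault(norm(ev["target"]), []).append((ev["time"], ev["process"]))

    findings = []
    for ev in events:
        if ev["eid"] != 13:
            continue
        m = RUN_KEY.search(ev["target"])
        if not m:
            continue
        exe = first_token(m.group(1))
        if not is_user_writable(exe):
            continue
        for t_create, creator in created.get(norm(exe), []):
            delta = ev["time"] - t_create
            if timedelta(0) <= delta <= window:
                findings.append({
                    "registry_writer": ev["process"],
                    "file_creator": creator,
                    "autorun_target": exe,
                    "seconds_between": delta.total_seconds(),
                    # The same process dropping the file and registering it is
                    # the downloader pattern; a different writer deserves a look too.
                    "same_process": creator == ev["process"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_downloader_persistence(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed events only the `setup_crack.exe` chain is reported: it writes `upd8.exe` to the user's Temp directory and two seconds later registers it under HKCU\...\Run. The vendor updater is excluded because its target lives under Program Files, and the OneDrive entry is excluded because no recent file creation precedes it. The time window and the directory markers are the two knobs to tune against real telemetry.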
Finally, it should be clarified that a downloader is not a "dropper". The two terms are often confused because both have the same end goal: installing a threat on the victim's device. Both are types of Trojan, but a dropper does not download the threat from the Internet; it carries the payload embedded within itself.
Examples of recent downloaders
Downloaders generally do not belong to any particular campaign or family; they are usually generic code whose only function is to fetch the main threat. However, some malware families that play this role have been prominent in recent years.
One example is Emotet, a threat that started out as a banking Trojan, with its first appearances in 2014. Not long after, it became a rapidly spreading botnet that infected computers through malicious email attachments and later downloaded other threats such as TrickBot.
TrickBot in turn has modules with downloader characteristics, alongside other functionality that also categorizes it as a banking Trojan. One of the threats TrickBot has been seen downloading in its downloader role is the Ryuk ransomware.
Both TrickBot and Emotet suffered major blows to their infrastructure. In October 2020, TrickBot lost more than 90% of its infrastructure as a result of a coordinated action by an alliance of technology and cybersecurity companies. Then, in early 2021, the Emotet botnet was disrupted by a large international law enforcement operation coordinated by Europol and Eurojust.
Another campaign we recently analyzed that uses a downloader Trojan is the fake Safemoon cryptocurrency wallet: using a fake site and a Discord message as its propagation vector, it delivers a downloader that installs a remote access tool (RAT) with spying capabilities, such as a keylogger, on the infected computer.