Threat actors are increasingly mimicking legitimate applications such as Skype, Adobe Reader, and VLC Player in order to abuse the trust users place in those programs and raise the odds that a social engineering lure succeeds.
Other legitimate apps that are most often impersonated by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, according to an analysis published by VirusTotal.
"One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal said in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate."
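Icon lookalikes defeat byte-level hashing because the malware's icon is a re-drawn or re-encoded copy, not a bit-for-bit one. The usual answer is a perceptual hash that tolerates such edits. The following is an added example, not VirusTotal's code: a difference hash (dHash) over small grayscale grids, with a Hamming-distance lookup against a table of known application icons. It assumes the icons have already been extracted from the PE's RT_ICON resources and downscaled to a 9x8 grayscale grid (in practice with an image library); the grids, the "Skype" entry and the 10-bit threshold are constructed for illustration.

```python
# Added example (not VirusTotal's code): perceptual "difference hash" (dHash)
# over small grayscale grids, the kind of fingerprint used to cluster icons
# that look alike even when their bytes differ.
#
# Assumption: icons have already been pulled out of the PE's RT_ICON/RT_GROUP_ICON
# resources and downscaled to a 9x8 grayscale grid (in practice with Pillow).
# The grids below are constructed toy data, not real application icons.

SIZE = 8  # dHash compares 8 horizontal neighbours per row over 8 rows -> 64 bits


def dhash(gray, size=SIZE):
    """Return a 64-bit dHash of a grayscale grid of `size` rows x (size+1) columns.

    Each bit records whether a pixel is brighter than its right-hand neighbour,
    which survives recolouring, slight blur and re-encoding far better than a
    cryptographic hash of the icon bytes.
    """
    if len(gray) != size or any(len(row) != size + 1 for row in gray):
        raise ValueError(f"expected {size} rows of {size + 1} pixels")
    h = 0
    for row in gray:
        for c in range(size):
            h = (h << 1) | (1 if row[c] > row[c + 1] else 0)
    return h


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def closest_known_icon(icon, known, threshold=10):
    """Return (name, distance) of the nearest known icon within `threshold` bits, else None.

    The threshold is an assumption: for a 64-bit dHash, distances under ~10 are
    usually the same image, while unrelated images typically sit around 32.
    """
    target = dhash(icon)
    best = None
    for name, grid in known.items():
        d = hamming(target, dhash(grid))
        if best is None or d < best[1]:
            best = (name, d)
    return best if best is not None and best[1] <= threshold else None


def _ramp(reverse=False):
    """Constructed 9x8 grid: a left-to-right brightness ramp (or its mirror image)."""
    cols = range(SIZE + 1)
    return [[(SIZE - c) * 10 if reverse else c * 10 for c in cols] for _ in range(SIZE)]


# Constructed sample icons: a "legitimate" icon, a visually similar lookalike, an unrelated one.
LEGIT_ICON = _ramp()
LOOKALIKE = [row[:] for row in LEGIT_ICON]
LOOKALIKE[0][0] = 200   # a couple of pixels retouched, as a re-drawn copy would be
LOOKALIKE[3][4] = 100
UNRELATED = _ramp(reverse=True)

KNOWN_ICONS = {"Skype": LEGIT_ICON}   # hypothetical table of icons of real applications

if __name__ == "__main__":
    print("lookalike vs legit:", hamming(dhash(LOOKALIKE), dhash(LEGIT_ICON)))
    print("unrelated vs legit:", hamming(dhash(UNRELATED), dhash(LEGIT_ICON)))
    print("lookalike classified as:", closest_known_icon(LOOKALIKE, KNOWN_ICONS))
```

The lookalike lands two bits away from the reference icon and is attributed to it, while the unrelated icon sits at the maximum distance and is rejected. In a real pipeline the hash of every submitted sample's main icon would be compared against the hashes of the icons of the legitimate products named above, and a near-match on a file that is not signed by that product's publisher is the signal to act on.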
It is no surprise, then, that threat actors use a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables.
Much of this delivery rides on genuine, high-reputation domains, which lets the downloads slip past IP-based firewall defenses that trust those addresses. Among the most abused domains are discordapp[.]com, squarespace[.]com, amazonaws[.]com, mediafire[.]com, and qq[.]com.
In total, no fewer than 2.5 million suspicious files downloaded from 101 domains belonging to Alexa's top 1,000 websites have been detected.
The misuse of Discord has been well documented: the platform's content delivery network (CDN) has become a fertile ground for hosting malware alongside Telegram, while also offering a "perfect communications hub for attackers."
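Because the hosting domains are legitimate, a reputation or IP allowlist alone will pass these downloads; the detection has to key on what was fetched as well as where it came from. The following is an added example, not part of the original report: a small rule run over constructed proxy log lines that flags successful downloads of executable or archive content from the user-content domains the report names. The seven-field log format, the extension and MIME lists, and the two-label registered-domain rule are assumptions made for the example.

```python
# Added example (not from the report): flag executable/archive downloads served from
# well-known domains that also host arbitrary user content, over constructed proxy
# log lines. A domain allowlist alone passes these downloads; keying on what was
# fetched, not just where from, is the point.
from urllib.parse import urlsplit
import posixpath

# Domains named in the report as the most abused for malware delivery.
USER_CONTENT_DOMAINS = {"discordapp.com", "squarespace.com", "amazonaws.com", "mediafire.com", "qq.com"}
# Extensions and MIME types that indicate runnable code or an archive wrapping it
# (an assumption for the example; tune for your environment).
PAYLOAD_EXTENSIONS = {".exe", ".msi", ".scr", ".dll", ".bat", ".ps1", ".js", ".vbs", ".iso", ".zip", ".rar", ".7z"}
PAYLOAD_MIME_TYPES = {
    "application/x-msdownload", "application/x-dosexec", "application/vnd.microsoft.portable-executable",
    "application/octet-stream", "application/zip", "application/x-rar-compressed", "application/x-7z-compressed",
}


def registered_domain(host):
    """Reduce a hostname to its last two labels (cdn.discordapp.com -> discordapp.com).

    Simplification for the example: real code should use the Public Suffix List,
    which this two-label rule gets wrong for names such as example.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_log_line(line):
    """Parse the constructed format: ts client method url status content-type bytes."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, client, method, url, status, ctype, size = fields
    parts = urlsplit(url)
    return {
        "ts": ts, "client": client, "method": method, "url": url,
        "host": parts.hostname or "", "path": parts.path,
        "status": int(status), "ctype": ctype.split(";")[0].lower(), "bytes": int(size),
    }


def is_suspicious_download(rec):
    """True when a successful GET of executable-looking content came from a user-content domain."""
    if rec is None or rec["status"] != 200 or rec["method"] != "GET":
        return False
    ext = posixpath.splitext(rec["path"])[1].lower()
    looks_like_payload = ext in PAYLOAD_EXTENSIONS or rec["ctype"] in PAYLOAD_MIME_TYPES
    return looks_like_payload and registered_domain(rec["host"]) in USER_CONTENT_DOMAINS


def flag_downloads(lines):
    """Return the parsed records that should be alerted on, in log order."""
    return [rec for rec in map(parse_log_line, lines) if is_suspicious_download(rec)]


# Constructed sample log (not real traffic). The last line is an .exe from a domain
# outside the list: out of scope for this rule, which targets trusted file hosts.
SAMPLE_LOG = [
    "2022-08-02T10:01:03Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1234/5678/Skype_Setup.exe 200 application/x-msdownload 1843200",
    "2022-08-02T10:01:04Z 10.0.0.5 GET https://static1.squarespace.com/static/site/logo.png 200 image/png 5331",
    "2022-08-02T10:02:17Z 10.0.0.9 GET https://s3.amazonaws.com/acme-shared/invoice.pdf.exe 200 application/octet-stream 921600",
    "2022-08-02T10:03:40Z 10.0.0.7 GET https://www.mediafire.com/file/a1b2c3/VLC_Player.zip 200 application/zip 3220000",
    "2022-08-02T10:04:01Z 10.0.0.7 GET https://www.mediafire.com/file/a1b2c3/VLC_Player.zip 403 text/html 512",
    "2022-08-02T10:05:22Z 10.0.0.3 GET https://example.com/downloads/tool.exe 200 application/x-msdownload 700000",
]

if __name__ == "__main__":
    for rec in flag_downloads(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['client']} -> {rec['host']}{rec['path']} ({rec['ctype']})")
```

Three of the six constructed lines are flagged: the Discord CDN .exe, the S3-hosted double-extension file, and the MediaFire archive. The blocked (403) retry and the PNG are not. The rule deliberately says nothing about the domain's reputation; the same domains serve plenty of benign traffic, which is exactly why attackers choose them.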
Another oft-used technique is signing malware with valid code-signing certificates stolen from other software makers. The malware scanning service said it found more than one million malicious samples since January 2021, 87% of which carried a legitimate signature when they were first uploaded to its database. A valid signature proves only that the file has not been modified since it was signed with that key; it says nothing about the signer's intent, so the publisher named in the certificate and the certificate's revocation status have to be checked rather than the mere presence of a signature.
VirusTotal said it also uncovered 1,816 samples since January 2020 that masqueraded as legitimate software by bundling the malware inside installers for other popular software such as Google Chrome, Malwarebytes, Zoom, Brave, Mozilla Firefox, and Proton VPN.
This distribution method can also turn into a supply chain attack when attackers break into a legitimate vendor's update server or gain unauthorized access to its source code, letting them ship the malware as trojanized builds of the real product.
Alternatively, legitimate installers are packed into compressed archives together with malware-laced files; in one case an archive contained the genuine Proton VPN installer alongside a file that installs the Jigsaw ransomware.
That's not all. A third, more sophisticated method embeds the legitimate installer as a resource inside the malicious portable executable (PE), so that when the malware runs it also launches the real installer, giving the victim the illusion that the software is working as intended.
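A file that carries a second, complete PE inside itself is easy to spot once you look for it: the embedded installer still starts with an MZ header whose e_lfanew points at a valid "PE\0\0" signature. The following is an added example, not code from the report: a pure-Python carver that walks a byte stream for consistent PE headers and reports whether one appears past offset zero. A full implementation would also parse the .rsrc directory; scanning the raw bytes is a simpler heuristic that additionally catches installers appended as an overlay. The blobs it runs on are constructed PE-shaped stubs, not real binaries, and the 0x1000 bound on e_lfanew is an assumption.

```python
# Added example (not from the report): carve portable-executable headers out of a byte
# stream to spot a second PE, such as a legitimate installer, embedded inside another.
# A full implementation would walk the .rsrc directory; scanning the raw bytes is a
# simpler heuristic that also catches installers appended as an overlay.
# The blobs below are constructed PE-shaped stubs, not runnable binaries.
import struct

DOS_HEADER_LEN = 0x40          # size of IMAGE_DOS_HEADER; e_lfanew lives at offset 0x3C
COFF_HEADER_LEN = 20           # IMAGE_FILE_HEADER that follows the "PE\0\0" signature
MAX_E_LFANEW = 0x1000          # sanity bound (assumption): real stubs keep NT headers near the start


def build_pe_stub(payload: bytes) -> bytes:
    """Construct a minimal PE-shaped blob: DOS header -> 'PE\\0\\0' -> COFF header -> payload.

    Only the fields the detector reads are meaningful; this is test data, not a program.
    """
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_LEN)            # e_lfanew: NT headers follow immediately
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)     # Machine=AMD64, NumberOfSections=1
    return bytes(dos) + b"PE\0\0" + coff + payload


def find_pe_headers(blob: bytes):
    """Return every offset at which an MZ header with a consistent PE signature begins."""
    hits = []
    pos = 0
    while True:
        i = blob.find(b"MZ", pos)
        if i < 0:
            break
        pos = i + 1
        if i + DOS_HEADER_LEN > len(blob):
            continue
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        pe = i + e_lfanew
        if e_lfanew > MAX_E_LFANEW or pe + 4 + COFF_HEADER_LEN > len(blob):
            continue
        if blob[pe:pe + 4] != b"PE\0\0":
            continue                                              # "MZ" by coincidence, not a header
        machine, nsections = struct.unpack_from("<HH", blob, pe + 4)
        hits.append({"offset": i, "machine": machine, "sections": nsections})
    return hits


def has_embedded_pe(blob: bytes) -> bool:
    """A second valid PE header after offset 0 means the file is carrying another executable."""
    return any(h["offset"] > 0 for h in find_pe_headers(blob))


# Constructed samples: a "dropper" carrying a "legitimate installer", and the installer alone.
INSTALLER = build_pe_stub(b"LEGIT-INSTALLER-BODY")
DROPPER_STUB = build_pe_stub(b"DROPPER-BODY")
RESOURCE_PADDING = b"\x00" * 32                    # stands in for the rest of the .rsrc section
DROPPER = DROPPER_STUB + RESOURCE_PADDING + INSTALLER
INSTALLER_OFFSET = len(DROPPER_STUB) + len(RESOURCE_PADDING)

if __name__ == "__main__":
    for hit in find_pe_headers(DROPPER):
        print(f"PE header at offset {hit['offset']:#x}, machine={hit['machine']:#x}, sections={hit['sections']}")
    print("dropper carries embedded PE:", has_embedded_pe(DROPPER))
    print("installer alone carries embedded PE:", has_embedded_pe(INSTALLER))
```

The e_lfanew check is what keeps this from firing on every "MZ" byte pair in a file: a random occurrence will almost never point at a "PE\0\0" signature. On a hit, the next steps are to carve the bytes from that offset, hash them, and check whether the carved file is a known, signed installer, which is the tell that the outer file exists only to run it for show.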
"When thinking about these techniques as a whole, one could conclude that there are both opportunistic factors for the attackers to abuse (like stolen certificates) in the short and mid term, and routinely (most likely) automated procedures where attackers aim to visually replicate applications in different ways," the researchers said.
Know the masculine yet keep to the feminine, and be a ravine to the world; know the white yet keep to the black, and be a pattern to the world; know glory yet keep to disgrace, and be a valley to the world.
(Tao Te Ching, Chapter 28)
This article was translated from:
https://thehackernews.com/2022/08/virustotal-reveals-most-impersonated.html
If you repost it, please credit the original address.
My translation skills are limited :(
Where anything is ambiguous, the original text takes precedence :)