What is a ‘Dropper’, anyway?

In essence, a dropper is simply a piece of malware that’s designed to ‘drop’ a payload into a target system. But there’s a little more to it than that.

These days, a typical dropper not only delivers a payload to the targeted system: it also stores that payload for some period of time, obfuscating it (usually through encryption) to avoid detection. The dropper code will then, usually on command or some other trigger (a timer, for instance), deobfuscate and deploy that payload.

Droppers are generally intended to be self-contained, and do not usually require any additional network or other resources to obtain or deploy their payload. With droppers, the payload is usually already contained within the dropper code. This is an ideal configuration for situations where the payload is delivered to a system by a method other than the network, such as a USB drive or something similar.

Droppers are different from downloaders, in that downloaders typically install without any payload of their own, but instead work with a source (a ‘mothership’ or ‘CnC’) that provides the specific payload to the downloader on request, over a network.

Droppers also take active measures to avoid detection, usually performing reconnaissance of the target system to understand its environment before deploying countermeasures designed to avoid detection.

Once the dropper has performed its initial reconnaissance and deployed whatever detection countermeasures it can, it will usually move to decrypt, install and execute its payload. Once it has completed the install, the dropper will typically either go dormant or uninstall itself. Droppers are designed to be self-contained, so once the payload is delivered, there isn’t much reason for them to stay around.
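Because a dropper carries its payload embedded and encrypted, one defensive check is to scan a file for regions whose byte entropy is far above what ordinary code and strings produce. The following is an added example, not code from the original post; the sample bytes are constructed (random data standing in for an encrypted blob), and the window size and 7.0 bits/byte threshold are assumptions to be tuned against real samples.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_high_entropy_regions(data: bytes, window: int = 512, step: int = 256,
                              threshold: float = 7.0):
    """Slide a window over data and return merged (start, end, max_entropy)
    regions whose entropy reaches the threshold. Encrypted or compressed
    payloads embedded in a dropper tend to show up as such regions, while
    ordinary code and strings sit well below 7 bits per byte."""
    regions = []
    for off in range(0, max(1, len(data) - window + 1), step):
        chunk = data[off:off + window]
        entropy = shannon_entropy(chunk)
        if entropy < threshold:
            continue
        end = off + len(chunk)
        if regions and off <= regions[-1][1]:
            # overlapping or adjacent hit: extend the previous region
            start, _, best = regions[-1]
            regions[-1] = (start, end, max(best, entropy))
        else:
            regions.append((off, end, entropy))
    return regions


# Constructed sample, not a real binary: benign-looking text surrounding a
# pseudo-random blob that stands in for an encrypted embedded payload.
_TEXT = b"ordinary program code and strings, nothing to see here\n"
BENIGN = (_TEXT * 200)[:8192]
_rng = random.Random(1234)
_BLOB = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = BENIGN[:4096] + _BLOB + BENIGN[:2048]

if __name__ == "__main__":
    for start, end, entropy in find_high_entropy_regions(SAMPLE):
        print(f"high-entropy region {start:#x}-{end:#x} ({entropy:.2f} bits/byte)")
```

High entropy alone is not proof of a dropper (compressed resources and certificates also score high), so treat a hit as a reason to inspect the region, not as a verdict.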

Some common droppers include:

  • Httpdropper
  • MailDropper
  • VBDropper
  • EnvyScout Dropper
  • 8.t Dropper
  • El Machete APT Backdoor Dropper