Shedding Light on the Targeted Victim Profiles of Malicious Downloaders
François Labrèche, Enrico Mariconti, Gianluca Stringhini

TL;DR
This study investigates how machine profiles influence the targeting behavior of malicious downloaders, revealing that certain features like browser profiles and OS configurations significantly affect malware infection rates.
Contribution
It introduces a large-scale automated framework using VMs and changepoint analysis to link machine characteristics with malware targeting, a novel approach in malware research.
Findings
Different machine features impact malware infection rates.
Browser profiles and OS configurations influence malware targeting.
Certain keyboard layouts reduce infections of specific malware families.
Abstract
Malware affects millions of users worldwide, impacting the daily lives of many people as well as businesses. Malware infections are increasing in complexity and unfold over a number of stages. A malicious downloader often acts as the starting point as it fingerprints the victim's machine and downloads one or more additional malware payloads. Although previous research was conducted on these malicious downloaders and their Pay-Per-Install networks, limited work has investigated how the profile of the victim machine, e.g., its characteristics and software configuration, affects the targeting choice of cybercriminals. In this paper, we operate a large-scale investigation of the relation between the machine profile and the payload downloaded by droppers, through 151,189 executions of malware downloaders over a period of 12 months. We build a fully automated framework which uses Virtual…
