A downloader (often referred to as a loader or Stage 1) is a form of malware designed to download content from a remote resource to an already-compromised system. The downloader, which often arrives via phishing emails, is typically built as a simple tool that will not trigger threat protection or threat detection engines, and is used to, as the name implies, download and execute additional malicious payloads.
Downloaders may employ basic defense evasion by performing checks to determine whether they are being monitored or executed within a virtual environment (which may indicate analysis tools). If any of the checks comes back positive, indicating that the downloader process may be monitored, it typically terminates the process and carries out no further activity.
If, on the other hand, the downloader believes it remains undetected, it will typically download and execute its payloads. Some downloaders may also establish persistence on the system and be used to load additional payloads at a later date.
One of the most infamous downloaders is Emotet. While Emotet was originally designed to function as a banking trojan and credential stealer, in 2017 the malware was repurposed to act as a downloader for other payloads. Since then, it has been used to download a variety of other payloads including:
Downloaders vs Droppers
One common confusion when discussing malware is the distinction between a downloader and a dropper. A downloader, as the name implies, retrieves its content from a remote resource, which presents a lower risk of detection for adversaries, at the expense of network connections (which can aid attribution). This is because downloaders run their detection and defense evasion checks before fetching and executing the payload. If the downloader detects suspicious behavior it will not download its payload, preventing reverse engineers from gaining access to the real payload.
A dropper serves a similar function to a downloader in that its objective is to load a secondary payload while remaining undetected. The difference, however, lies in the fact that a dropper's executable typically contains the payload it intends to execute, usually in encrypted form. This means that a dropper doesn't require additional network activity to accomplish its objective, but it does make the dropper executable susceptible to interrogation by the debuggers used by security researchers and reverse engineers.
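The behavioural difference described above (network fetch, then write-and-execute, versus write-and-execute with no network activity) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the original page: a small classifier over constructed process events whose schema, paths and addresses are invented for illustration.

```python
"""Classify Stage-1 (loader) behaviour from constructed endpoint telemetry.

A downloader fetches its payload over the network, then writes it to disk and
executes it; a dropper carves the payload out of its own (usually encrypted)
body, so the same write-then-execute sequence appears with no prior network
activity. This heuristic walks each process's events in time order and reports
which pattern, if any, it matches.
"""
from typing import Dict, List, Tuple

EXEC_SUFFIXES = (".exe", ".dll", ".scr")

# Constructed telemetry: (timestamp, pid, event_type, detail). Not a real
# sensor schema; all values are invented for this example.
SAMPLE_EVENTS: List[Tuple[int, int, str, str]] = [
    (1, 4101, "net_connect",    "203.0.113.10:443"),
    (2, 4101, "file_write",     r"C:\Users\Public\update.exe"),
    (3, 4101, "process_create", r"C:\Users\Public\update.exe"),
    (1, 4202, "file_write",     r"C:\ProgramData\svc.dll"),
    (2, 4202, "process_create", r"rundll32.exe C:\ProgramData\svc.dll"),
    (1, 4303, "net_connect",    "198.51.100.7:80"),     # connects, never executes
    (1, 4404, "file_write",     r"C:\Temp\notes.txt"),  # non-executable write
]


def classify_process(events: List[Tuple[int, int, str, str]]) -> str:
    """Return 'downloader', 'dropper' or 'none' for one process's events."""
    saw_network = False
    written_payloads = set()
    for _, _, etype, detail in sorted(events):  # sort by timestamp
        if etype == "net_connect":
            saw_network = True
        elif etype == "file_write" and detail.lower().endswith(EXEC_SUFFIXES):
            written_payloads.add(detail.lower())
        elif etype == "process_create":
            # Fire only if the command line references a payload this process wrote.
            if any(p in detail.lower() for p in written_payloads):
                return "downloader" if saw_network else "dropper"
    return "none"


def classify_all(events: List[Tuple[int, int, str, str]]) -> Dict[int, str]:
    """Group events by pid and classify each process."""
    by_pid: Dict[int, List[Tuple[int, int, str, str]]] = {}
    for ev in events:
        by_pid.setdefault(ev[1], []).append(ev)
    return {pid: classify_process(evs) for pid, evs in by_pid.items()}


if __name__ == "__main__":
    for pid, verdict in classify_all(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

The process that only connects (4303) and the one that only writes a text file (4404) are both reported as "none", so the heuristic keys on the write-then-execute step rather than on network activity alone.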