A dropper (sometimes referred to as Stage 1, and sometimes, imprecisely, as a “loader”) is a type of malware purposefully engineered to carry its payload embedded within itself, usually obfuscated or encrypted, and at run time to deobfuscate or decrypt that payload and “drop” it onto a compromised system. Droppers tend to be more complex programs than downloaders because a dropper must be entirely self-contained, whereas a downloader relies on network connectivity to fetch its payload.
Droppers typically perform discovery and defense evasion to learn more about their running environment before decrypting and dropping the payload. Discovery can involve checking available RAM, the number of processors, and the presence of specific files or suspicious processes (such as threat detection or protection tools). Defense evasion can include checking the operating system's language or the keyboard layout (amongst many other techniques), so that the payload is never exposed inside an analysis sandbox or on a system the operators choose not to target.
Once the dropper is satisfied that it is not being analyzed, it typically deobfuscates or decrypts its payload and drops it onto the system. The dropper then executes the payload. Unlike a downloader, once a dropper has completed its job it typically goes dormant or removes itself: its payload is fixed at build time, so there is nothing further for it to do and it cannot readily be reused.
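To make the gate, decrypt and drop sequence described above concrete, the following is an added example written for this page, not code from any of the droppers listed below, and deliberately benign: a Python model of Stage 1 staging. The RAM and CPU thresholds, the process-name blocklist, the excluded locales, the single-byte XOR standing in for real encryption, and the shell "payload" are all assumptions chosen for illustration.

```python
"""Benign model of a dropper's staging logic.

Added example, not code from any real sample: the "payload" is a constructed
shell script, the cipher is single-byte XOR standing in for the stronger
encryption real droppers use, and the gates mirror the checks named in the
text (RAM, processor count, suspicious processes, OS language / keyboard
layout). Thresholds, process names and locales are illustrative assumptions.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass


@dataclass
class Environment:
    ram_gb: float
    cpu_count: int
    processes: list[str]
    locale_name: str  # e.g. "en_US"; stands in for OS language / keyboard layout


# Gate parameters (assumed values; real samples pick their own)
MIN_RAM_GB = 4
MIN_CPUS = 2
ANALYSIS_PROCESSES = {"procmon.exe", "wireshark.exe", "x64dbg.exe", "vboxservice.exe"}
EXCLUDED_LOCALES = {"ru_RU", "uk_UA"}   # locales the hypothetical operator avoids


def failed_gates(env: Environment) -> list[str]:
    """Return the names of the discovery / evasion checks the environment fails.
    A real dropper stops at the first failure; listing them all is more useful
    when tuning a sandbox image so it passes."""
    checks = [
        ("ram", env.ram_gb >= MIN_RAM_GB),
        ("cpus", env.cpu_count >= MIN_CPUS),
        ("procs", not (ANALYSIS_PROCESSES & {p.lower() for p in env.processes})),
        ("locale", env.locale_name not in EXCLUDED_LOCALES),
    ]
    return [name for name, ok in checks if not ok]


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed payload. In a real dropper only EMBEDDED_PAYLOAD would exist in
# the binary; the plaintext is kept here so the dropped file can be checked.
PAYLOAD_PLAINTEXT = b"#!/bin/sh\necho 'constructed stage-2 payload'\n"
KEY = 0x5A
EMBEDDED_PAYLOAD = xor(PAYLOAD_PLAINTEXT, KEY)


def run_dropper(env: Environment, out_dir: str | None = None) -> dict:
    """Stage 1 flow: gate -> decrypt -> drop. Execution and self-removal are
    described in a comment rather than performed."""
    failed = failed_gates(env)
    if failed:
        return {"dropped": False, "failed_checks": failed, "path": None}
    out_dir = out_dir or tempfile.mkdtemp(prefix="dropper-demo-")
    path = os.path.join(out_dir, "stage2.sh")
    with open(path, "wb") as fh:
        fh.write(xor(EMBEDDED_PAYLOAD, KEY))        # deobfuscate and drop
    # A real dropper would now execute `path`, then go dormant or delete its
    # own file: the embedded payload is fixed, so it has nothing left to do.
    return {"dropped": True, "failed_checks": [], "path": path}


def host_environment() -> Environment:
    """Best-effort snapshot of the current host (Linux /proc; elsewhere the
    defaults let the stand-alone run complete)."""
    ram_gb = float(MIN_RAM_GB)
    procs: list[str] = []
    try:
        with open("/proc/meminfo") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    ram_gb = int(line.split()[1]) / (1024 * 1024)  # kB -> GB
        for pid in filter(str.isdigit, os.listdir("/proc")):
            try:
                with open(f"/proc/{pid}/comm") as fh:
                    procs.append(fh.read().strip())
            except OSError:
                continue
    except OSError:
        pass
    lang = os.environ.get("LANG", "en_US.UTF-8").split(".")[0]
    return Environment(ram_gb, os.cpu_count() or 1, procs, lang)


if __name__ == "__main__":
    print(run_dropper(host_environment()))
```

Run stand-alone it snapshots the host and reports which gates fail. A sandbox with 2 GB of RAM, one vCPU and a monitoring tool running fails three gates and never produces stage2.sh, which is the blind spot sandbox operators close by making analysis images look like ordinary user workstations.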
- EnvyScout Dropper
- 8.t Dropper
- El Machete APT Backdoor Dropper
Droppers vs Downloaders
One common confusion when discussing malware is the distinction between a dropper and a downloader. A dropper is a self-contained application that, as its name implies, drops a payload onto a system without the use of external resources (such as a network connection). To protect that embedded payload it employs a variety of tactics, including encryption, to hinder static and dynamic analysis.
A downloader, as the name implies, fetches its payload from a remote resource. This lowers the adversary's risk of detection, since the initial file carries no payload to be found, at the expense of network connections (which can aid attribution). Like droppers, downloaders attempt discovery and defense evasion before they execute; if a downloader detects signs of analysis it does not download its payload, which prevents reverse engineers from getting access to the real payload even when they hold the downloader itself.
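The encryption a dropper uses to protect its embedded payload is usually the weak point an analyst attacks statically. The following is an added example for this page (the dropper image, its layout, the cipher and the key are all constructed here, none of it taken from a real sample) showing two standard techniques: a sliding-window entropy scan to find where the encrypted blob sits, and known-plaintext recovery of a single-byte XOR key using the DOS stub string that every PE file carries. The 4-byte little-endian length prefix immediately before the blob is an assumed layout.

```python
"""Static recovery of an embedded, single-byte-XOR-encrypted payload.

Added example, not from any real sample: the dropper image, its layout (a
4-byte little-endian length prefix immediately before the blob) and the key
are all constructed here. It shows two analyst techniques against the
"encryption to hinder static analysis" tactic: a sliding-window entropy scan
to locate the encrypted blob, and known-plaintext key recovery using the DOS
stub string every PE file carries.
"""
from __future__ import annotations

import hashlib
import math
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
WINDOW = 512


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: roughly 4-5 for text or code, above 7 for encrypted data."""
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_windows(data: bytes, threshold: float = 7.0) -> list[int]:
    """Offsets of fixed-size windows whose entropy suggests an encrypted blob."""
    return [off for off in range(0, len(data) - WINDOW + 1, WINDOW)
            if shannon_entropy(data[off:off + WINDOW]) >= threshold]


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes, known: bytes = DOS_STUB):
    """Brute-force all 256 single-byte keys; the key is right when the known
    plaintext appears. Returns (key, offset of the match) or (None, -1)."""
    for key in range(256):
        idx = data.find(xor(known, key))
        if idx != -1:
            return key, idx
    return None, -1


def extract_payload(data: bytes):
    key, stub_off = recover_xor_key(data)
    if key is None:
        return None
    # The DOS stub sits inside the first 0x80 bytes of a PE, so the encrypted
    # "MZ" magic must be shortly before the match.
    mz = data.rfind(xor(b"MZ", key), max(0, stub_off - 0x80), stub_off)
    if mz < 4:
        return None
    (length,) = struct.unpack_from("<I", data, mz - 4)   # assumed length prefix
    return {"key": key, "offset": mz, "payload": xor(data[mz:mz + length], key)}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample(key: int = 0x3C):
    """Constructed dropper image: low-entropy 'code' on either side of a
    length-prefixed, XOR-encrypted fake PE. Returns (image, original payload)."""
    pe = b"MZ" + b"\x00" * 0x4C + DOS_STUB + b"\x00" * 10 + pseudo_random(3000)
    filler = b"kernel32.dll GetModuleHandleA ExitProcess " * 40
    image = filler + struct.pack("<I", len(pe)) + xor(pe, key) + filler
    return image, pe


SAMPLE, ORIGINAL_PAYLOAD = build_sample()

if __name__ == "__main__":
    print("high-entropy windows at:", high_entropy_windows(SAMPLE))
    found = extract_payload(SAMPLE)
    print(f"key=0x{found['key']:02x} offset={found['offset']} "
          f"recovered={found['payload'] == ORIGINAL_PAYLOAD}")
```

The entropy scan is what tells you an otherwise unremarkable binary is carrying something; the known-plaintext step is why single-byte or short repeating XOR keys offer no real protection against static analysis, which is one reason the more capable droppers move to proper block ciphers with keys derived at run time.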