Adversaries are constantly finding new ways to infect systems and are willing to use any means necessary. For years, malware distributors have leveraged distribution frameworks such as exploit kits and traffic distribution systems (TDS) to spread their malware. Adversaries are continuously experimenting with different mixtures of scripting and programming languages in an attempt to maximize their success rate in infecting victims and to make analysis much more difficult.
Over the past year we have observed a significant increase in the volume and variety of malware loaders being distributed worldwide. Rather than relying on malvertising and extensive TDS infrastructure, adversaries are now distributing loaders and building new botnets that can be monetized by spreading malware payloads for criminals seeking to deploy RATs, stealers, and banking trojans. This new generation of malware loaders features increased obfuscation, modularization, and maximum flexibility for the operators of these botnets. This talk will describe this recent shift in malware distribution, how these loaders are being leveraged, and how obfuscation and multi-stage delivery are being used to maximize efficiency and evade detection. We will also cover techniques for hunting these loaders in corporate environments and ways to analyze them more easily.