A Trojan-Dropper is software that injects Trojans, viruses, worms and other malware into a computer. When run, it typically decompresses the malware components hidden within the dropper file and executes them, sometimes without saving them on disk to avoid detection. The dropper is Malwarebytes’ generic detection name for trojans that drop additional malware on an affected system.

Type and source of infection

Downloaders and droppers are helper programs for various types of malware such as Trojans and rootkits. Usually, they are implemented as scripts (VB, batch) or small applications. They don’t carry out any malicious activity themselves but instead open the way for an attack by downloading or decompressing and installing the core malicious modules. To avoid detection, a dropper may also create noise around the malicious module by downloading or decompressing some harmless files.

Downloaders often appear in the non-persistent form. They install the malicious module and remove themselves automatically. In such a case, after a single deployment, they are no longer a threat. If for some reason they haven’t removed themselves, they can be deleted manually. More dangerous variants are persistent. They copy themselves to some random, hidden file and create registry keys to run after the system is restarted, attempting to download the malicious modules again. In such cases, to get rid of the downloader it is necessary to find and remove the created keys and the hidden file.
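An added example (not from the original page or any vendor tool) for triaging the persistent variant described above: it parses `reg query` output for a Run key and flags autoruns that start from user-writable locations or through a script host. The sample output, value names and paths are constructed, and the location and script-host lists are assumptions to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout printed by
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    xkqzvbtw    REG_SZ    C:\Users\alice\AppData\Roaming\xkqzvbtw.exe
    Updater    REG_EXPAND_SZ    wscript.exe "%TEMP%\u.vbs"
"""

# Assumed heuristics: locations a standard user can write to, and script hosts.
USER_WRITABLE = (r"\appdata", "%appdata%", "%localappdata%", r"\temp",
                 "%temp%", r"\programdata", r"\users\public")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

VALUE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}REG_(?:EXPAND_)?SZ\s{4}(?P<data>.+)$")
PROGRAM = re.compile(r"(.+?\.(?:exe|com|bat|cmd|vbs|js))(?:\s|$)", re.I)


def first_program(data):
    """Return the program an autorun command starts (quoted or bare path)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = PROGRAM.match(data)
    return m.group(1) if m else (data.split() or [""])[0]


def triage(reg_output):
    """Return (value name, command, reasons) for autoruns worth a closer look."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE.match(line)
        if not m:
            continue  # key header or blank line
        data, reasons = m["data"], []
        if any(p in data.lower() for p in USER_WRITABLE):
            reasons.append("runs from user-writable path")
        if PureWindowsPath(first_program(data)).name.lower() in SCRIPT_HOSTS:
            reasons.append("script host at logon")
        if reasons:
            findings.append((m["name"], data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in triage(SAMPLE):
        print(f"{name}: {data} -> {', '.join(reasons)}")
```

On a live host, each flagged entry still needs its target file checked (hidden attribute, signature, creation time) before the registry value and the file are removed together.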

Downloaders and droppers emerged from the idea of malware files that were able to download additional modules (e.g. Agobot, released in 2002). An interesting example of a modern downloader is OnionDuke (discovered in 2014), carried by infected Tor nodes. It is a wrapper over legitimate software. When a user downloads software via an infected Tor proxy, OnionDuke packs the original file and adds a malicious stub to it. When the downloaded file is run, the stub first downloads malware and installs it on the computer, and then unpacks the legitimate file and removes itself in order to go unnoticed.

Most of the time, the user gets infected by using some unauthenticated online resources. Infections are often consequences of activities like:

  • Clicking malicious links or visiting shady websites
  • Downloading unknown free programs
  • Opening attachments sent with spam
  • Plugging in infected drives
  • Using an infected proxy (as in the case of OnionDuke)

They may also be installed without user interaction, carried by various exploit kits.

Researchers found a Trojan-Dropper malicious module hidden within the Android app CamScanner, downloaded over 100 million times by Google Play Store users. The malicious component was found by Kaspersky security researchers Igor Golovin and Anton Kivva while taking a closer look at the insides of the CamScanner app following a deluge of negative reviews posted by users over the last few months. Confirming that sudden increases in negative ratings and user reviews usually point to something not going right with an app, the researchers found “that the developer added an advertising library to it that contains a malicious dropper component.”

Similar modules pre-installed on low-cost devices

This is not the first time this type of malicious module has been discovered on Android smartphones, with pre-installed versions having been found on over 100 low-cost Android devices in 2018 and more than two dozen device models in 2016. In both cases, the malicious component was used by the threat actors to push ads to the infected devices, while the Android smartphones and tablets found to be compromised also installed unwanted apps behind the users’ backs.

The module, dubbed Necro.n and detected as Trojan-Dropper.AndroidOS.Necro.n by Kaspersky’s mobile anti-malware solution, is a Trojan-Dropper: a malware strain used to download and install a Trojan-Downloader on already compromised Android devices, which can in turn be employed to infect those smartphones or tablets with other malware. When the CamScanner app is launched on the Android device, the Necro.n dropper decrypts and executes malicious code stored within a mutter.zip file discovered in the app’s resources.

“As a result, the owners of the module can use an infected device to their benefit in any way they see fit, from showing the victim intrusive advertising to stealing money from their mobile account by charging paid subscriptions,” found the researchers.
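An added example (not from the original page or from Kaspersky's analysis) of a static check motivated by the Necro.n behaviour described above, where encrypted code sits in the app's resources under a .zip name: it lists APK entries that are named like archives, do not parse as archives, and have near-random byte entropy. The sample APK, its entry names and the 7.2 bits-per-byte cut-off are constructed assumptions.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

ARCHIVE_EXT = (".zip", ".jar", ".apk")


def entropy(data):
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def disguised_blobs(apk_bytes, threshold=7.2):
    """List entries named like archives that are not archives and look encrypted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.lower().endswith(ARCHIVE_EXT):
                continue
            data = apk.read(info)
            if zipfile.is_zipfile(io.BytesIO(data)):
                continue  # a genuine nested archive
            score = entropy(data)
            if score >= threshold:  # assumed cut-off for encrypted content
                hits.append((info.filename, round(score, 2)))
    return hits


def build_sample_apk():
    """Constructed APK-like ZIP: one real nested ZIP, one opaque blob named .zip."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr("readme.txt", "help text")
    # Deterministic stand-in for an encrypted payload (8 KiB of hash output).
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        z.writestr("res/raw/help.zip", nested.getvalue())
        z.writestr("assets/cache.zip", blob)
    return out.getvalue()


if __name__ == "__main__":
    print(disguised_blobs(build_sample_apk()))
```

A hit is a lead for manual review rather than a verdict, since the check only shows that a resource's name and content disagree.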

Executing the malicious payload

Google removed the app from the Play Store after Kaspersky’s researchers reported their findings but, as they also add, “it looks like app developers got rid of the malicious code with the latest update of CamScanner.”

“Keep in mind, though, that versions of the app vary for different devices, and some of them may still contain malicious code,” they conclude.

The purpose of Trojan Droppers, as the name suggests, is to install malicious code on a victim’s computer. They either install another malicious program or a new version of some previously installed malware.

Trojan Droppers often carry several completely unrelated pieces of malware that may differ in behavior or even be written by different coders: in effect, they’re a kind of malware bundle containing many different kinds of malicious code. They may also include a joke or hoax to distract the victim from the real purpose of the dropper (the background installation of malicious code), or adware or pornware programs.

Droppers are often used to carry known Trojans since it is significantly easier to write a dropper than a brand new Trojan that anti-malware programs will not be able to detect. Most droppers are written using VBS or JavaScript: they are, therefore, easy to write and can be used to perform multiple tasks.

What is Trojan-dropper: JS/PdfDropper and how to avoid it?

  • Trojan-dropper: JS/PdfDropper is a type of malware that infects systems. It is part of the Trojan family of malware and targets all Windows operating systems worldwide. It is distributed via corrupted email attachments, unverified freeware, and compromised websites.
  • The Trojan-dropper: JS/PdfDropper virus slows down the performance of your computer, degrades the internet connection, redirects Internet searches to flawed websites, steals confidential information and shows ads on the screen. In addition, it can launch perilous programs in the background that consume all memory space.

Being aware of the means this virus uses to infect systems is one way the user can avoid it. Users should always be certain of the origin of an email sent to them and be extra careful when installing software on their machine. Opting for custom installation allows the user to review and install only verified software. Ultimately, using a well-reviewed antimalware, such as Safebytes Antimalware, is advisable in order to detect any potential threat to the user’s system.

How to identify an infection attempt

It is easy to identify an infection attempt once the user is aware of the means by which it spreads. As with most malware, Trojan-dropper: JS/PdfDropper makes use of malicious email attachments, free software, shareware, nasty pop-up ads, and corrupted websites to deliver the virus onto the system. Knowing this should make it easy for a user to avoid the trouble such a virus can cause.

Did you receive an unexpected email containing an unexpected attachment? You should definitely be cautious about it. Hackers carefully construct emails that can lure the inexperienced user into opening or downloading a corrupted attachment. We advise users to always verify the origin of the received email.

Ultimately, we advise users to make a habit of downloading software only from verified sources and to practice some Internet hygiene when browsing. Try as much as possible to stay away from suspicious websites and from clicking any nasty pop-ups.

How does Trojan-dropper: JS/PdfDropper spread?

Trojan-dropper: JS/PdfDropper uses a variety of means to spread, most of them common to malware infections. It infiltrates your PC via bundles containing freeware developed by third parties, via spam emails, infected media drives, questionable websites, malicious links, peer-to-peer file sharing, pirated software and/or while watching online videos.