Dropper and Downloader: What is the difference?



Malware revelations are unstoppable. Every day, month, and year, threat actors abuse legitimate software and utilities to deliver malware to random victims or targeted ones in many different ways. In addition, malware researchers use different terms for specific operations that happen during the infection process.

The most common terms used by malware researchers are dropper and downloader. Actually, there is often some misconception regarding droppers and downloaders. Sometimes, newbie malware researchers and even security researchers mix them up. In this article, we will discuss the differences between droppers and downloaders. I hope this will be helpful for both professional and beginner researchers.

First of all, what is a dropper?
A dropper is not a type of malware itself; instead, it is an operation in the malware infection chain that drops another stage of malware. The dropper chain can be multi-stage or just one or two stages, depending on the environment the malware is designed for or the developer’s methodology.

I have seen malware samples that rely on up to 8 stages, and others with only 3. Droppers can be delivered to the victim’s machine in many ways, such as:

  1. evil.exe starts execution.
  2. evil.exe creates a new process (powershell.exe).
  3. powershell.exe, as a child process of evil.exe, downloads another executable file from the cloud or a hosted website.
  4. The downloaded executable file from the cloud or hosted website starts execution.

Diagram:


Well, there is another case where a threat actor embeds another executable file inside the .rsrc section. This technique is still widely used, and it can work from time to time. I say from time to time because the effectiveness of the technique depends on the environment the malware is designed for.

I have a real example where a threat actor embedded an additional payload in the .rsrc section. You can actually use a tool like Resource Hacker to dump the embedded executable stored in that section.

Demo:



Well, another way to check if something is embedded in the resource section is by using a tool such as Detect It Easy, and then looking under the Sections tab:


Please note: don’t get confused about the differences between a downloader and a dropper. Just keep in mind a dropper can act as a downloader, and a downloader can act as a dropper, depending on the situation. They have closely related functionalities in some cases, but not always.

Mostly, droppers are recognized by a payload embedded inside the .rsrc section, or sometimes stored directly inside the executable's own code. However, it is not only the .rsrc section: payloads can also be embedded in the .rdata and .data sections. I have seen real-life examples of this technique being used.
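As an added defender-side example (not code from the original post), here is a small Python scanner that does by hand what the Resource Hacker and Detect It Easy checks above do: it parses the PE section table and looks in each section's raw bytes (.rsrc, .rdata, .data) for a nested MZ/PE header, validating e_lfanew so a stray "MZ" does not count. The PE images it scans are constructed in memory by `build_pe`, so it runs offline with no real sample.

```python
import struct

def build_pe(sections):
    # Constructed minimal, non-executable PE: DOS hdr (e_lfanew=0x40), PE sig, file hdr, zeroed optional hdr, sections.
    opt = b"\x00" * 0xE0
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    raw_start = (len(dos) + 4 + len(file_hdr) + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF
    table, blobs, ptr, va = b"", b"", raw_start, 0x1000
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF  # 0x200 file alignment
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), va, size, ptr, 0, 0, 0, 0, 0x40000040)
        blobs += payload.ljust(size, b"\x00")
        ptr, va = ptr + size, va + 0x1000
    return (dos + b"PE\x00\x00" + file_hdr + opt + table).ljust(raw_start, b"\x00") + blobs

def parse_sections(data):
    # Walk the IMAGE_SECTION_HEADER entries; returns [(name, raw_offset, raw_size)] or [] if not a PE.
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        return []
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]  # skip the optional header
    rows = [struct.unpack_from("<8sIIII", data, table + 40 * i) for i in range(nsec)]
    return [(n.rstrip(b"\x00").decode(errors="replace"), ptr, size) for n, _, _, size, ptr in rows]

def looks_like_pe(buf, off):
    # An "MZ" alone is not enough: require e_lfanew to point at a PE signature inside the same buffer.
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    return 0x40 <= lfanew < len(buf) - off and buf[off + lfanew:off + lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(data):
    # Scan the raw bytes of every section (.rsrc, .rdata, .data, ...) for a nested PE header.
    hits = []
    for name, ptr, size in parse_sections(data):
        chunk = data[ptr:ptr + size]
        pos = chunk.find(b"MZ")
        while pos != -1:
            if looks_like_pe(chunk, pos):
                hits.append((name, ptr + pos))  # file offset of the embedded payload
            pos = chunk.find(b"MZ", pos + 1)
    return hits

# Constructed samples: INNER is a harmless stub inside SAMPLE's .rsrc; .rdata holds a bare "MZ" (no false positive).
INNER = build_pe([(".text", b"\x90" * 16)])
SAMPLE = build_pe([(".text", b"\xCC" * 32), (".rdata", b"MZ" + b"\x00" * 64), (".rsrc", b"RSRC" * 8 + INNER)])
```

Running `find_embedded_pe(SAMPLE)` reports the nested image in `.rsrc` at file offset 0x620, while the lone "MZ" in `.rdata` is ignored; the same function can be pointed at `open(path, "rb").read()` for a real file.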

Now let’s talk about the downloader. We already discussed the dropper in detail, but what about a downloader?

A downloader is another operation in the malware infection chain that mostly retrieves additional stages from a cloud-based service or a compromised website.

You can think of a downloader in a simplified way like this:

  • The threat actor compromises a website and hosts the malware there, or uploads the sample to a cloud service.

  • The threat actor then abuses a batch script, PowerShell, or even a legitimate utility to retrieve the file and execute it.

Diagram:


Example code snippet:

```powershell
# Lab simulation: the URL is only a stand-in; nothing is actually downloaded.
$sourceUrl = "https://example.com/safefile.txt"
# Destination in the user's %TEMP% directory, the typical drop location.
$tempFile = "$env:TEMP\safefile.txt"
# Writing the file here takes the place of the real download step.
Set-Content -Path $tempFile -Value "This is a safe test file for lab simulation."
Write-Output "File 'downloaded' to $tempFile"
```

Well, this code stands in for both a downloader and a dropper in some ways: in a real chain the same pattern fetches a file from $sourceUrl, drops it into the %TEMP% directory, and then executes it, whereas the lab version only writes a harmless text file there.

Enjoy.
