Hello, 🌎! This will be a quick explainer blog where I’ll explain what droppers, downloaders, and wiper payloads are and the differences between them. Malware authors utilize these payloads depending on different factors like motive, filters, network bandwidth, etc. With that said, let’s begin!
Droppers vs Downloaders vs Wipers
Droppers are payloads that install malicious tools on a target device after successful exploitation. The malicious tools are included in the payload itself and thus the malware does not rely on external infrastructure to download additional payloads. Droppers are more liked Meterpreter’s stateless payloads in which all the exploit code is wrapper into a single executable. Because all the tools are included into a single binary, the resulting file size of the final payload can be large.
Downloaders are payloads that download additional malware to install/run on the target device from external infrastructure controlled by the threat actor. Downloaders are similar to Meterpreter’s stated payload which when executed call out to the attacker controlled Meterpreter listener to download additional capabilities. This makes downloaders much smaller in size compared to droppers and are great in scenarios where the size of the payload does matter!
Wipers are payloads that completely “wipe” or destroy all the data on the storage media found on the target device. This is probably the most destructive type of payload and is normally utilized by militaries as a cyber weapon such as when Russia used NotPetya malware to destroy the data on approximately 50,000 computers in Ukraine back in 2017.
- Droppers are large in size compared to downloaders and wipers
- Downloaders “download” additional malware from attacker-controlled infrastructure whereas droppers already contain secondary malware in the payload
- Wipers destroy by either encrypting or overwriting all the data on the target device. The secondary payload of a downloader or dropper can be a wiper.
If you enjoyed reading this blog and learned something, keep an eye out for more of my posts and maybe consider following me on GitHub, where I work on cybersecurity projects. And if you are feeling really generous, consider buying me a coffee!