Droppers & Downloaders

udurrani

INFO


A dropper is a piece of malware that drops, or in other words leaves behind, one or more other pieces of malware.

Droppers normally don't require an internet connection. The malware could be embedded or packed within the first stage. On disk the payload could look benign, since in most cases it will be encrypted. The payload could be dropped on the local disk, a USB drive or a network share, which could be useful for lateral movement. The dropped payload could also be used as a back door. The payload doesn't have to be evil in itself; it could be a simple vulnerability that can be exploited remotely (for remote code execution). This way only one node has the actual payload and the rest of the nodes can have the vulnerable piece of code. Let's call the actual payload the parent node.

The parent node can scan and find the vulnerable node remotely. Only then will the parent node inject the evil payload into the address space of the vulnerable application. All the intelligence will also be shared with the child node.

In some cases, right after injection the parent node will go into passive mode. Since the child has all the intelligence, it will be used for further propagation. This is to avoid running scans from one node ONLY. Think of it as a linked list where a node can easily point to the root node as well as to the next node.

The dropped payload could be an installer or a downloader that downloads another payload. I will have some examples later. A downloader requires an internet connection to download other payloads or stages.

In the video I am trying to show a very basic concept, where the first stage drops a payload. The payload is an HTTP(S) framework that can download other payloads. Eventually the final payload is a basic keylogger that runs in the foreground.

If we look at the first stage, we can see the PE header.

For the embedded payload, the attacker can change the header bytes very easily.

Or the embedded file could be completely encrypted / encoded, not just the header. This simply means that the file looks benign on disk; on execution the payload will be decrypted either in memory or to disk. We will talk about it later.
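To show the defender's side of the last three points, here is an added example (not code from the original post): a scanner that looks for an embedded PE header (an `MZ` stub whose `e_lfanew` points at `PE\0\0`) inside a first-stage image, plus a block-entropy check for the case where the header bytes were altered or the whole payload is encrypted. The first-stage image it scans is constructed inline; the `make_fake_pe` layout and the SHA-256 output standing in for ciphertext are assumptions for the demo.

```python
import hashlib
import math
import struct
from collections import Counter

DOS_HEADER_LEN = 0x40  # e_lfanew (offset of the "PE\0\0" signature) sits at +0x3C

def make_fake_pe(body: bytes) -> bytes:
    """Constructed PE-like layout for the demo, not a runnable executable:
    'MZ' stub, e_lfanew at +0x3C pointing at 'PE\\0\\0', then an arbitrary body."""
    hdr = bytearray(b"MZ" + b"\x00" * (DOS_HEADER_LEN - 2))
    struct.pack_into("<I", hdr, 0x3C, DOS_HEADER_LEN)
    return bytes(hdr) + b"PE\x00\x00" + body

def find_embedded_pe(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature.
    Offset 0 is the host image itself; any other hit is an embedded PE candidate."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + DOS_HEADER_LEN <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if DOS_HEADER_LEN <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, much lower for code or padding."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values()) if n else 0.0

def high_entropy_regions(data: bytes, block: int = 512, threshold: float = 7.0) -> list:
    """Offsets of blocks whose entropy exceeds threshold. Complements the header scan,
    which misses a payload whose MZ/PE bytes were altered or that is fully encrypted."""
    return [off for off in range(0, len(data) - block + 1, block)
            if shannon_entropy(data[off:off + block]) > threshold]

def build_sample() -> bytes:
    """Constructed first stage: host PE at 0, plaintext embedded PE at 0x400, and a
    pseudo-encrypted blob (SHA-256 output standing in for ciphertext) at 0x800."""
    host = make_fake_pe(b"\x00" * 0x300).ljust(0x400, b"\x00")
    embedded = make_fake_pe(b"A" * 0x100).ljust(0x400, b"\x00")
    encrypted = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return host + embedded + encrypted

if __name__ == "__main__":
    sample = build_sample()
    print("embedded PE at:", [hex(o) for o in find_embedded_pe(sample) if o])
    print("high-entropy blocks at:", [hex(o) for o in high_entropy_regions(sample)])
```

Overwriting just the two `MZ` bytes of the embedded copy makes `find_embedded_pe` miss it, which is exactly why the entropy pass is run alongside the header scan rather than instead of it.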