A stager is a compact executable used in multistage cyberattacks to establish a connection to the command-and-control (C&C) server, deliver and then run larger malicious modules. Stagers are used during the post-exploitation stage, that is, after the malicious actors have exploited vulnerabilities in software to penetrate the victim’s system.
Single-stage and stager cyberattacks
Malicious actors may deliver a payload directly to a compromised device or use intermediate components such as a stager. In the former case, the payload is referred to as stageless. This type of payload contains all of the malicious functionality inside one file, so it rules out loss of code during the attack, but it is also rather large in size.
When using a stager, the malicious code is divided into modules, which are delivered to the target device one by one. Fairly small in size, a stager is designed to download and run a subsequent, larger module. The sequential downloading of modules slows down the attack and increases the risk of losing some data.
Stagers are often used when the malicious actors are exploiting a vulnerability that does not allow for a large amount of code to be run at once. Besides, if detected, a compact stager is easier to rewrite than the main payload.
How a stager works
Once delivered and started, a stager performs the following actions:
- Signals to the C&C server that the exploitation was successful and, in many cases, sends information about the target system along with this.
- Downloads the next module, such as a dropper, from the C&C server when instructed to.
- Decrypts the content of that module, installs it (or loads it into the RAM in the case of a fileless attack), runs it and turns control over to it.
Stager code may contain configuration data required for performing its tasks, such as the address of the C&C server, and decryption keys for the next malicious module.
Stagers come in various forms, such as: