Malvertising attacks are being used to distribute virtualized .NET loaders that are highly obfuscated and dropping info-stealer malware.
The loaders, dubbed MalVirt, are implemented in .NET and use virtualization through the legitimate KoiVM virtualizing protector for .NET applications, according to threat researchers with SentinelOne’s SentinelLabs. The KoiVM tool helps obfuscate the implementation and execution of the MalVirt loaders.
The loaders are distributing the Formbook info-stealing malware collection as part of an ongoing campaign, the researchers write in a report out this week. Formbook and the newer XLoader version come with a range of threats, from keylogging and screenshot theft to stealing credentials and staging addition malware.
“The distribution of this malware through the MalVirt loaders is characterized by an unusual amount of applied anti-analysis and anti-detection techniques,” they write.
It’s also the latest example of miscreants adapting to Microsoft last year blocking macros by default in Word, Excel, and PowerPoint to shut down a popular attack avenue. In the wake of Microsoft’s move, attackers are turning to other options, such as LNK files, ISO and RAR attachments, and Excel XLL add-ins (which Microsoft addressed in January).
Malvertising also seeing fast adoption.
“Malvertising is a malware delivery method that is currently very popular among threat actors, marked by a significant increase in malicious search engine advertisements in recent weeks,” SentinelOne writes.
The Formbook and XLoader malware are sold on the dark web and usually distributed through attachments in phishing emails or malspam through macro-enabled Office documents – though that door has been shut.
They’re also normally used for typical cybercrime motivations. However, SentinelOne notes that the info-stealers have been used for political reasons, including through phishing emails linked to the Russian invasion of Ukraine and sent to Ukrainian state organizations.
“In the case of an intricate loader, this could suggest an attempt to co-opt cybercriminal distribution methods to load more targeted second-stage malware onto specific victims after initial validation,” the researchers write.
SentinelOne first found a MalVirt sample while examining in the ad results during a routine Google search for “Blender 3D.” Researchers were subsequently struck by the lengths the miscreants went to evade detection and analysis of the loaders and info-stealing malware.
That included the MalVirt loaders using signatures and countersignatures from Microsoft, Acer, DigiCert, Sectigo, and other companies, but the signatures are invalid or are created using invalid certificates, or the systems don’t trust the certificates.
The loaders also use a host of anti-detection and anti-analysis techniques, with some samples patching certain functions to bypass the Anti Malware Scan Interface tool for detecting malicious PowerShell commands or decoding and decrypting strings that are Base-64 encoded and AES-encrypted.
Some MalVirt samples also determine whether they are executing in a virtual machine or sandbox environment, at times querying registry keys to detect the VirtualBox or VMware environments.
That said, the use of .NET virtualization to evade detection and analysis is a “hallmark” of the MalVirt loaders, with VoiVM being modified with other obfuscation techniques, the researchers write. It echoes a campaign that K7 Security Labs wrote about in December 2022.
The miscreants behind the Formbook and XLoader malware are showing through the distribution by MalVirt that they’re expanding beyond phishing and embracing the growing malvertising trend. SentinelOne writes that “given the massive size of the audience threat actors can reach through malvertising, we expect malware to continue being distributed using this method.” ®