FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

February 6, 2023 | Ravie Lakshmanan | Malvertising / Data Security

An ongoing malvertising campaign is being used to distribute a virtualized .NET loader designed to deploy FormBook information-stealing malware.

SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a technical write-up:

“Malvertising has become an alternative delivery route for crimeware actors to distribute malware since Microsoft announced plans to block macros by default from running in Office files downloaded from the Internet. The latest example of how we devised

Malvertising involves placing deceptive search engine ads in hopes of tricking users searching for popular software like Blender into downloading trojanized software.

The MalVirt loader, implemented in .NET, is tasked with delivering the FormBook malware family while hiding its behavior behind KoiVM, a legitimate virtualization protector for .NET applications.

In addition to incorporating anti-analysis and anti-detection techniques that keep it from running inside a virtual machine or application sandbox, the loader packs an extra layer of obfuscation that makes deciphering it even more difficult. It is known to use a modified version of the protector.

The loader also decompresses and loads a signed Microsoft Process Explorer driver with the intent of executing actions with elevated privileges. Those privileges can, for example, be weaponized to terminate processes associated with security software so that the malware is not flagged.

Both FormBook and its successor, XLoader, implement a wide range of features, including keylogging, screenshot capture, harvesting of web and other credentials, and staging of additional malware.

As Zscaler and Check Point revealed last year, this malware strain sends encoded content to multiple decoy domains, camouflaging its command-and-control (C2) traffic among smokescreen HTTP requests. It is also worth noting that

“In response to Microsoft blocking Office macros by default in documents from the Internet, attackers are turning to alternative malware distribution methods, most recently malvertising,” the researchers said.

“MalVirt loaders […] show how hard attackers are working to evade detection and thwart analysis.”
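One defensive angle on the decoy-domain behaviour described above: because the real C2 endpoint is hidden among look-alike requests to unrelated domains, the detection signal is the pattern (one host spraying near-identical encoded POSTs across many domains in a short window), not any single domain. The following Python sketch is an added example, not code from the article or from the researchers cited; the proxy log format, the internal IPs, the `.test` domains and the thresholds (`window`, `min_domains`, `max_size_delta`) are all constructed assumptions.

```python
"""Flag internal hosts that spray near-identical HTTP POSTs across many unrelated domains.

Added example (not from the article, SentinelOne, Zscaler or Check Point). The log
format and every IP and domain below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed proxy log line layout (constructed): ts src method host path bytes
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)"
)

# Constructed sample: 10.0.0.5 posts short encoded blobs to eight unrelated domains
# within 42 seconds (one of them would be the real C2; the rest are decoys, and the
# log alone cannot tell which). 10.0.0.9 shows ordinary intranet traffic.
SAMPLE_LOG = """\
2023-02-06T10:00:01Z src=10.0.0.5 method=POST host=www.alpha-decoy.test path=/a1/ bytes=312
2023-02-06T10:00:07Z src=10.0.0.5 method=POST host=bravo-store.test path=/b2/ bytes=318
2023-02-06T10:00:13Z src=10.0.0.5 method=POST host=charlie-blog.test path=/c3/ bytes=305
2023-02-06T10:00:19Z src=10.0.0.5 method=POST host=delta-cdn.test path=/d4/ bytes=322
2023-02-06T10:00:25Z src=10.0.0.5 method=POST host=echo-news.test path=/e5/ bytes=310
2023-02-06T10:00:31Z src=10.0.0.5 method=POST host=foxtrot-mail.test path=/f6/ bytes=315
2023-02-06T10:00:37Z src=10.0.0.5 method=POST host=golf-shop.test path=/g7/ bytes=308
2023-02-06T10:00:43Z src=10.0.0.5 method=POST host=hotel-wiki.test path=/h8/ bytes=320
2023-02-06T10:00:02Z src=10.0.0.9 method=GET host=intranet.corp.test path=/ bytes=0
2023-02-06T10:00:20Z src=10.0.0.9 method=POST host=intranet.corp.test path=/login bytes=410
2023-02-06T10:00:45Z src=10.0.0.9 method=POST host=mail.corp.test path=/send bytes=2048
"""


def parse(lines):
    """Yield one dict per well-formed log line with typed timestamp and byte count."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            rec["bytes"] = int(rec["bytes"])
            yield rec


def registrable(host):
    """Crude eTLD+1: keep the last two labels (assumes no multi-label public suffixes)."""
    return ".".join(host.split(".")[-2:])


def find_spray(records, window=timedelta(seconds=60), min_domains=6, max_size_delta=64):
    """Return {src: sorted domains} for hosts that POST bodies of similar size to at least
    min_domains distinct registrable domains inside any `window`-long interval."""
    posts_by_src = defaultdict(list)
    for rec in records:
        if rec["method"] == "POST":
            posts_by_src[rec["src"]].append(rec)

    flagged = {}
    for src, posts in posts_by_src.items():
        posts.sort(key=lambda r: r["ts"])
        for i, start in enumerate(posts):
            # Cluster: later posts inside the window with a body size close to the anchor's.
            cluster = [
                p for p in posts[i:]
                if p["ts"] - start["ts"] <= window
                and abs(p["bytes"] - start["bytes"]) <= max_size_delta
            ]
            domains = {registrable(p["host"]) for p in cluster}
            if len(domains) >= min_domains:
                flagged[src] = sorted(domains)
                break
    return flagged


def detect(log_text, **kwargs):
    """Convenience wrapper: parse raw log text and return the flagged hosts."""
    return find_spray(parse(log_text.splitlines()), **kwargs)


if __name__ == "__main__":
    for src, domains in detect(SAMPLE_LOG).items():
        print(f"{src}: {len(domains)} distinct domains in one window -> {domains}")
```

The thresholds are deliberately loose starting points; in a real environment they need tuning against the organisation's baseline of legitimate multi-domain POST traffic (analytics beacons, CDNs), and the size check should be replaced or complemented with whatever body or URI features the proxy actually logs.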

The method has already proliferated: other criminals have used it to push the IcedID, Raccoon, Rhadamanthys, and Vidar stealers over the past few months.

Abuse.ch has published a report pointing out possible reasons for the “escalation”.

The findings come two months after India-based K7 Security Labs detailed a phishing campaign that uses a KoiVM-virtualized .NET loader to drop Remcos RAT and Agent Tesla.

Nor is malvertising the only technique in use. Attackers are using other file types, such as Excel add-ins (XLL) and OneNote email attachments, to sneak past security perimeters. New to this list is the use of Visual Studio Tools for Office (VSTO) add-ins as an attack vector.

“VSTO add-ins can be packaged together with an Office document (Local VSTO) or retrieved from a remote location when an Office document containing VSTO is opened (Remote VSTO),” Deep Instinct said last week. “However, this may require bypassing trust-related security mechanisms.”
