MalVirt Loaders Exploit .NET Virtualization to Deliver Malvertising Attacks

Attackers have been observed using malvertising attacks to distribute a virtualized .NET malware loader called ‘MalVirt’.

According to a SentinelOne report published on Thursday, the new loader uses obfuscated virtualization techniques to evade detection.

“The loader is implemented in .NET and uses virtualization based on the KoiVM virtualization protector for .NET applications to obfuscate its implementation and execution,” read the technical article.

“The use of KoiVM virtualization is popular in hacking tools and cracks, but is less commonly seen as an obfuscation method utilized by cybercrime actors.”

In the article, Aleksandar Milenkoski, senior threat researcher at the company, explained that the MalVirt loader delivers malware from the Formbook family.

“Among the payloads distributed by the MalVirt loader, we discovered the Formbook family of infostealer malware as part of an ongoing campaign at the time of this writing,” the SentinelOne report reads.

From a technical point of view, Formbook (and its updated variant, XLoader) is infostealer malware capable of keylogging, screenshot capture, theft of web and other credentials, and deployment of additional malware tools.

“For example, one of the characteristics of XLoader is its complex disguise of C2 traffic,” writes Milenkoski.

To hide its real C2 traffic and evade network detection, the malware has been observed beaconing to random decoy C2 servers hosted at a range of legitimate providers, including Azure, Tucows, Choopa and Namecheap.
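Because the real C2 endpoint is buried among decoys spread across reputable hosting providers, blocking or alerting on any single destination is of little use; what remains observable is the fan-out pattern itself. The following is an added example and not SentinelOne's code or an indicator taken from its report: a small Python heuristic run over constructed endpoint network-log lines (the log format, the host name `ws01`, the process names and all domains are assumptions for the example) that flags a process which beacons at a steady cadence to many unrelated destinations, each contacted only a few times, while leaving a bursty browser and a single-destination telemetry agent unflagged.

```python
"""Flag processes whose outbound connections look like decoy-C2 fan-out.

Heuristic (an assumption for this example, not SentinelOne's detection logic):
a process that beacons at a steady interval to many unrelated destinations,
touching each only a handful of times, is suspicious. A browser also reaches
many hosts, but in bursts with highly irregular gaps, so it is not flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Conn:
    ts: datetime
    host: str
    process: str
    dest: str


def parse_line(line: str) -> Conn:
    """Parse one constructed log line: '<iso-timestamp> <host> <process> <dest-domain>'."""
    ts, host, proc, dest = line.split()
    return Conn(datetime.fromisoformat(ts), host, proc, dest)


def score_process(conns: List[Conn]) -> dict:
    """Summarise one process's connections: destination count, cadence regularity, reuse."""
    conns = sorted(conns, key=lambda c: c.ts)
    dests = {c.dest for c in conns}
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(conns, conns[1:])]
    cv: Optional[float] = None
    if len(gaps) >= 2:
        m = mean(gaps)
        # Coefficient of variation of inter-connection gaps: near 0 means a steady beacon.
        cv = pstdev(gaps) / m if m > 0 else None
    return {
        "distinct_dests": len(dests),
        "interval_cv": cv,
        "hits_per_dest": len(conns) / len(dests),
    }


def flag_fanout(lines: Iterable[str], min_dests: int = 8, max_cv: float = 0.25,
                max_hits_per_dest: float = 3.0) -> Dict[Tuple[str, str], dict]:
    """Return {(host, process): score} for processes matching the decoy fan-out pattern."""
    by_proc: Dict[Tuple[str, str], List[Conn]] = defaultdict(list)
    for line in lines:
        c = parse_line(line)
        by_proc[(c.host, c.process)].append(c)
    flagged = {}
    for key, conns in by_proc.items():
        s = score_process(conns)
        if (s["distinct_dests"] >= min_dests
                and s["interval_cv"] is not None and s["interval_cv"] <= max_cv
                and s["hits_per_dest"] <= max_hits_per_dest):
            flagged[key] = s
    return flagged


# --- Constructed sample log (not real telemetry) ---------------------------
BASE = datetime(2023, 2, 3, 10, 0, 0)


def _mk(proc: str, offsets: List[float], dests: List[str]) -> List[str]:
    return [f"{(BASE + timedelta(seconds=o)).isoformat()} ws01 {proc} {d}"
            for o, d in zip(offsets, dests)]


SAMPLE_LOG = (
    # Steady ~60 s beacon to 12 different decoy hosts, one hit each.
    _mk("updater.exe", [0, 61, 119, 181, 240, 302, 359, 421, 480, 541, 599, 661],
        [f"decoy{i:02d}.example.net" for i in range(12)])
    # Browser: many hosts, but in bursts with very irregular gaps.
    + _mk("chrome.exe", [0, 0.2, 0.4, 0.5, 0.9, 1.1, 45, 45.3, 45.5, 46, 120, 120.2],
          [f"site{i:02d}.example.org" for i in range(12)])
    # Telemetry agent: steady cadence, but only one destination.
    + _mk("telemetry.exe", [60 * i for i in range(12)], ["telemetry.example.com"] * 12)
)


if __name__ == "__main__":
    for (host, proc), score in flag_fanout(SAMPLE_LOG).items():
        print(f"{host} {proc}: {score}")
```

The thresholds are starting points, not tuned values: a real deployment would baseline `interval_cv` and `distinct_dests` per process name over a fleet, and would enrich each destination with its hosting provider or ASN so that a process spreading a steady beacon across several unrelated providers scores higher than one talking to a single CDN.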

SentinelOne's researchers also noted that Formbook and XLoader have historically been distributed through “malspam”: phishing emails carrying macro-enabled Office documents. The new MalVirt campaign suggests a shift toward distributing such malware via malvertising.

“In response to Microsoft blocking Office macros by default in documents from the Internet, attackers are turning to alternative malware distribution methods, most recently malvertising,” explained Milenkoski.

“Given the enormous audience that threat actors can reach through malvertising, we expect malware to continue to be distributed using this method.”

In other virtualization news, a recent report by Sysdig found that 87% of all container images are affected by high or critical vulnerabilities.
