A cluster of virtualized.NET malware loaders that were disseminated via malvertising attacks was discovered by SentinelLabs.
The loaders, known as MalVirt, leverage the Windows Process Explorer driver for process termination together with obfuscated virtualization for anti-analysis and evasion.
As part of an ongoing campaign, MalVirt loaders are now disseminating malware from the Formbook family.
The Formbook family of malware, which includes Formbook and its more recent variant XLoader, is a feature-rich info stealer that employs a variety of features, including keylogging, screenshot theft, web and other credential theft, and staging of other malware.
The loaders’ implementation and execution are obscured by virtualization, which is based on the KoiVM virtualizing protector of .NET applications.
The KoiVM plugin for the ConfuserEx.NET protector obfuscates a program’s opcodes so that the virtual machine can only understand them. The virtual machine then converts the opcodes back to their original form when the application is launched, enabling the application to run.
“Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands,” SentinelLabs reports.
“A virtual machine engine executes the virtualized code by translating it into the original code at runtime.”
“When put to malicious use, virtualization makes malware analysis challenging and also represents an attempt to evade static analysis mechanisms.”
Hackers Use Google Ads to Install Malware
Threat actors are promoting the MalVirt loaders in advertisements that appear to be for the Blender 3D software in the ongoing campaign that SentinelLabs has observed.
Researchers have noticed an increase in the misuse of Google search advertisements over the past month to disseminate a variety of malware, including RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys Stealer, IcedID, Raccoon Stealer, and many others.
The loaders use signatures and countersignature from organizations including Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA to claim to be digitally signed.
But in each instance, the signatures were either generated using invalid certificates or came from certificates that the system did not trust (i.e., not stored in the Trusted Root Certification Authorities certificate store).
“The MalVirt loaders we analyzed, especially those distributing malware of the Formbook family, implement a range of anti-analysis and anti-detection techniques, with some variations across MalVirt samples”, explains SentinelLabs.
“Further, in an attempt to evade static detection mechanisms, some strings (such as amsi.dll and AmsiScanBuffer) are Base-64 encoded and AES-encrypted.”
Using hardcoded, Base64-encoded AES encryption keys, the MalVirt loaders decode and decrypt such strings.
By checking certain registry keys, the loaders may also determine whether they are operating in a virtualized environment. If so, execution is stopped to avoid detection.
Further, the Process Explorer driver is typically used by malware to carry out operations with kernel privileges, such as terminating detection mechanisms’ processes to avoid detection or duplicating process handles for manipulation.
Reports stated that the loaders also employ a modified version of KoiVM that includes additional obfuscation layers to prevent the virtualized code from being decompiled, which makes deciphering it much more difficult.
“To defeat this obfuscation technique, the values that the modified implementation of KoiVM assigns to the constant variables can be extracted from the memory of the virtualized MalVirt assembly while it executes”, SentinelLabs
MalVirt’s modified KoiVM implementation, however, introduces a further layer of obfuscation by changing the order in which the constant variables defined by the original KoiVM implementation were defined.
According to SentinelLabs, only one of the 17 domains Formbook communicated within the samples it examined was the actual C2 server, with the others only acting as decoys to fool network traffic monitoring tools.
Final Word
Thus, the Formbook family of malware is a highly effective info stealer that is spread via the MalVirt loaders using a significant number of anti-analysis and anti-detection tactics.
It is anticipated that malware will continue to be spread through this technique given the enormous audience that threat actors may reach through malvertising.
Network Security Checklist – Download Free E-Book