Malvertising attacks are distributing .NET malware loaders

The campaign illustrates another option for miscreants who had relied on Microsoft macros


Malvertising attacks are being used to distribute virtualized .NET loaders that are highly obfuscated and that drop info-stealer malware.

The loaders, dubbed MalVirt, are implemented in .NET and use virtualization through the legitimate KoiVM virtualizing protector for .NET applications, according to threat researchers with SentinelOne's SentinelLabs. The KoiVM tool helps obfuscate the implementation and execution of the MalVirt loaders.

The loaders are distributing the Formbook info-stealing malware family as part of an ongoing campaign, the researchers write in a report out this week. Formbook and its newer XLoader variant offer a range of capabilities, from keylogging and screenshot capture to credential theft and staging additional malware.

"The distribution of this malware through the MalVirt loaders is characterized by an unusual amount of applied anti-analysis and anti-detection techniques," they write.

It's also the latest example of miscreants adapting to Microsoft's decision last year to block macros by default in Word, Excel, and PowerPoint, which shut down a popular attack avenue. In the wake of Microsoft's move, attackers have turned to other options, such as LNK files, ISO and RAR attachments, and Excel XLL add-ins (which Microsoft addressed in January).

Malvertising is also seeing fast adoption.

"Malvertising is a malware delivery method that is currently very popular among threat actors, marked by a significant increase in malicious search engine advertisements in recent weeks," SentinelOne writes.

The Formbook and XLoader malware are sold on the dark web and usually distributed as attachments in phishing emails or malspam, typically macro-enabled Office documents, though Microsoft's default macro block has largely closed that door.

They're also normally used for typical cybercrime motivations. However, SentinelOne notes that the info-stealers have been used for political reasons, including through phishing emails linked to the Russian invasion of Ukraine and sent to Ukrainian state organizations.

"In the case of an intricate loader, this could suggest an attempt to co-opt cybercriminal distribution methods to load more targeted second-stage malware onto specific victims after initial validation," the researchers write.

SentinelOne first found a MalVirt sample while examining the ad results returned by a routine Google search for "Blender 3D." The researchers were subsequently struck by the lengths the miscreants went to in order to evade detection and analysis of both the loaders and the info-stealing payload.

That included the MalVirt loaders carrying signatures and countersignatures purporting to come from Microsoft, Acer, DigiCert, Sectigo, and other companies. None of them hold up: the signature itself is invalid, the certificate used to create it is invalid, or the certificate chains to a root the system does not trust. The intent is to pass a casual glance at file properties, not to survive actual signature verification.
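The three failure modes above map directly onto what Windows reports when a signature is verified. The following PowerShell triage script is an added example, not code from SentinelLabs or the MalVirt loaders; it walks a folder of dropped binaries (the folder path is an assumption) and lists every file whose Authenticode signature does not fully verify, along with the subject and issuer the signer claims to be, so a "Microsoft"-signed loader with a HashMismatch or NotTrusted status stands out immediately.

```powershell
# Added example (not from the report): triage dropped PE files and flag anything whose
# Authenticode signature does not verify end to end. The folder path is an assumption.
$SampleDir = 'C:\triage\samples'

Get-ChildItem -Path $SampleDir -Include *.exe, *.dll -Recurse -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # Build the chain ourselves so we can report *why* a plausible-looking cert fails.
        # Revocation is skipped because this is assumed to run on an offline analysis box.
        $chainOk = $false
        $chainStatus = ''
        if ($cert) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($cert)
            $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }

        [pscustomobject]@{
            File        = $_.Name
            # Status values: Valid, NotSigned, HashMismatch (file altered after signing,
            # i.e. an "invalid signature"), NotTrusted (chain does not reach a trusted root), ...
            Status      = $sig.Status
            Subject     = if ($cert) { $cert.Subject } else { '' }
            Issuer      = if ($cert) { $cert.Issuer } else { '' }
            ChainOk     = $chainOk
            ChainStatus = $chainStatus          # e.g. UntrustedRoot, NotTimeValid, PartialChain
            Countersign = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { 'none' }
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.ChainOk } |
    Format-Table -AutoSize
```

A file whose Subject says Microsoft or Acer but whose ChainStatus reads UntrustedRoot or PartialChain is exactly the pattern described above: the signer name is cosmetic, and only the chain result tells you whether the signature means anything.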

The loaders also use a host of anti-detection and anti-analysis techniques. Some samples patch functions of the Antimalware Scan Interface (AMSI), the Windows component that antivirus engines use to scan PowerShell and other script content at run time, so that malicious commands are never handed to the scanner. Others carry their strings Base64-encoded and AES-encrypted and decode and decrypt them only at run time, keeping them out of static analysis.
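Because the AMSI patching happens inside the process that will run the next stage, a defender's quickest sanity check is to ask whether AMSI is still scanning in the current PowerShell session. The script below is an added example, not the loaders' code or SentinelLabs'; it relies on the publicly documented AMSI test string, which Microsoft Defender treats the way antivirus engines treat EICAR. The string is assembled at run time from two halves on purpose: if it appeared whole in the script file, AMSI would block the check itself from loading.

```powershell
# Added example (not from the report): verify that AMSI still scans script content in this
# process. The test string is split so the script file itself is not flagged when loaded.
function Test-AmsiIntact {
    $testString = 'AMSI Test Sample: 7e72c3ce-' + '861b-4339-8740-0ac1484c1386'
    try {
        # Invoke-Expression compiles the text, which is when AMSI is asked to scan it.
        Invoke-Expression "'$testString'" | Out-Null
        # Reaching here means the provider did not object: AMSI was patched out, unhooked,
        # or no provider (e.g. Defender) is registered in this session.
        return [pscustomobject]@{ AmsiIntact = $false; Detail = 'test string evaluated without being blocked' }
    } catch {
        if ($_.FullyQualifiedErrorId -match 'ScriptContainedMaliciousContent' -or
            $_.Exception.Message -match 'malicious content') {
            return [pscustomobject]@{ AmsiIntact = $true; Detail = 'test string blocked by the registered AMSI provider' }
        }
        # Some other failure: do not report AMSI as healthy on the strength of an unrelated error.
        return [pscustomobject]@{ AmsiIntact = $false; Detail = "unexpected error: $($_.Exception.Message)" }
    }
}

Test-AmsiIntact | Format-List
```

Run it before and after detonating a sample in the same session: a result that flips from blocked to not blocked is direct evidence that something in the process tampered with AMSI, which is what the report describes.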

Some MalVirt samples also determine whether they are executing in a virtual machine or sandbox environment, at times querying registry keys to detect the VirtualBox or VMware environments.
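The registry checks are worth seeing from the other side: an analyst detonating a sample wants to know in advance which hypervisor artifacts the guest exposes. The script below is an added example, not the loaders' own check or SentinelLabs' code. It enumerates registry keys and values that VirtualBox and VMware guests are well known to leave behind; that list is an assumption about what such a check looks like, since the page does not reproduce the exact keys MalVirt queries.

```powershell
# Added example (not from the report): enumerate VirtualBox/VMware registry artifacts that
# VM-aware loaders commonly query. The key and value list is an assumed, well-known set,
# not the report's own list.

# Keys whose mere presence reveals a guest-additions or tools install
$keyProbes = @(
    'HKLM:\HARDWARE\ACPI\DSDT\VBOX__',
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions',
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxGuest',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VBoxSF',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vmci',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VMTools'
)

# Values whose contents (not presence) name the hypervisor; SystemBiosVersion is REG_MULTI_SZ
$valueProbes = @(
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System';                 Name = 'SystemBiosVersion';  Pattern = 'VBOX|VMWARE|VIRTUAL' },
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System';                 Name = 'VideoBiosVersion';   Pattern = 'VIRTUALBOX|VMWARE' },
    @{ Path = 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS';            Name = 'SystemManufacturer'; Pattern = 'innotek|VMware|QEMU' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum'; Name = '0';                  Pattern = 'VBOX|VMware|QEMU' }
)

$hits = @(foreach ($k in $keyProbes) {
    if (Test-Path -LiteralPath $k) {
        [pscustomobject]@{ Artifact = $k; Evidence = 'key present' }
    }
})

$hits += @(foreach ($p in $valueProbes) {
    $v = (Get-ItemProperty -LiteralPath $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v -and (($v -join ' ') -match $p.Pattern)) {
        [pscustomobject]@{ Artifact = "$($p.Path)\$($p.Name)"; Evidence = ($v -join ' ') }
    }
})

if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
} else {
    'No VirtualBox/VMware registry artifacts found'
}
```

Every line this prints is something the sample can read just as easily, so an empty result on the analysis VM is the goal; the usual fix for a hit is to rename or remove the artifact in the guest image before detonation rather than at run time.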

Still, the use of .NET virtualization to evade detection and analysis is the "hallmark" of the MalVirt loaders, with KoiVM further modified with additional obfuscation techniques, the researchers write. It echoes a campaign that K7 Security Labs wrote about in December 2022.

By distributing Formbook and XLoader through MalVirt, the miscreants behind them are showing that they're expanding beyond phishing and embracing the growing malvertising trend. SentinelOne writes that "given the massive size of the audience threat actors can reach through malvertising, we expect malware to continue being distributed using this method." ®
