Malvertising attacks are distributing .NET malware loaders — .NET Virtualization Thrives

guest · Feb 2, 2023

By Jeff Burt @jburttech - February 2, 2023

Malvertising attacks are being used to distribute virtualized .NET loaders that are highly obfuscated and dropping info-stealer malware.
Click to expand...

The loaders, dubbed MalVirt, are implemented in .NET and use virtualization through the legitimate KoiVM virtualizing protector for .NET applications, according to threat researchers with SentinelOne's SentinelLabs. The KoiVM tool helps obfuscate the implementation and execution of the MalVirt loaders.

The loaders are distributing the Formbook info-stealing malware collection as part of an ongoing campaign, the researchers write in a report out this week. Formbook and the newer XLoader version come with a range of threats, from keylogging and screenshot theft to stealing credentials and staging addition malware.

"The distribution of this malware through the MalVirt loaders is characterized by an unusual amount of applied anti-analysis and anti-detection techniques," they write.
Click to expand...

SentinelOne first found a MalVirt sample while examining in the ad results during a routine Google search for "Blender 3D." Researchers were subsequently struck by the lengths the miscreants went to evade detection and analysis of the loaders and info-stealing malware.

That included the MalVirt loaders using signatures and countersignatures from Microsoft, Acer, DigiCert, Sectigo, and other companies, but the signatures are invalid or are created using invalid certificates, or the systems don't trust the certificates.
Click to expand...

That said, the use of .NET virtualization to evade detection and analysis is a "hallmark" of the MalVirt loaders, with VoiVM being modified with other obfuscation techniques, the researchers write. It echoes a campaign that K7 Security Labs wrote about in December 2022.

The miscreants behind the Formbook and XLoader malware are showing through the distribution by MalVirt that they're expanding beyond phishing and embracing the growing malvertising trend.
Click to expand...

SentinelLabs: MalVirt | .NET Virtualization Thrives in Malvertising Attacks

By Aleksandar Milenkoski and Tom Hegel - February 2, 2023
Executive Summary

SentinelLabs observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks.

The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes.

MalVirt loaders are currently distributing malware of the Formbook family as part of an ongoing campaign.

To disguise real C2 traffic and evade network detections, the malware beacons to random decoy C2 servers hosted at different hosting providers, including Azure, Tucows, Choopa, and Namecheap.

Click to expand...

Rasheed187 · Feb 5, 2023

Well, I'm sure I didn't understand everything, but it seems like this fairly new .Net virtualization technique is mostly being used to bypass AV detection. But I'm guessing it will still trigger quite a lot of stuff that should be spotted by behavior blockers, for example if they load system processes and when they try to load the legitimate Process Explorer driver.

Log in or Sign up

Malvertising attacks are distributing .NET malware loaders — .NET Virtualization Thrives

guest Guest

Rasheed187 Registered Member

Log in or Sign up

Malvertising attacks are distributing .NET malware loaders — .NET Virtualization Thrives

guest Guest

Rasheed187 Registered Member

Useful Searches