MalVirt | .NET virtualisation thrives in new malvertising attacks
February 2023 by SentinelLabs
While investigating recent malvertising (malicious advertising) attacks, SentinelLabs spotted a cluster of virtualised malware loaders that has joined the malvertising trend. Referred to as MalVirt, the loaders are implemented in .NET and use virtualisation, based on the KoiVM virtualising protector for .NET applications, to obfuscate their implementation and execution. Although virtualisation is popular for hacking tools and cracks, KoiVM virtualisation is not often seen as an obfuscation method used by cybercrime threat actors.
Among the payloads that MalVirt loaders distribute, SentinelLabs spotted infostealer malware of the Formbook family as part of an ongoing campaign at the time of writing. The distribution of this malware through the MalVirt loaders is characterised by an unusual amount of applied anti-analysis and anti-detection techniques.
This malware is sold on the dark web and is traditionally delivered as an attachment to phishing emails, and its use has also been recently observed as part of attacks with potentially political motivations – in September 2022, Ukraine’s CERT reported a Formbook/XLoader campaign targeting Ukrainian state organisations through war-themed phishing emails.
SentinelLabs observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks
The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes
MalVirt loaders distribute malware of the Formbook family as part of an ongoing campaign at the time of writing. To disguise real C2 traffic and evade network detections, the malware beacons to random decoy C2 servers hosted at different hosting providers, including Azure, Tucows, Choopa, and Namecheap.
As a response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods – most recently, malvertising.
SentinelLabs’ research focuses on the MalVirt loaders and the infostealer malware subsequently distributed by them in order to highlight the effort the threat actors have invested in evading detection and thwarting analysis.
Additionally, this report highlights that phishing attacks continue to evolve and can be highly targeted through the use of intricate loaders, which could suggest an attempt to co-opt cybercriminal distribution methods to load more targeted second-stage malware onto specific victims after initial validation.