An
ongoing
malvertising
campaign
is
being
used
to
distribute
virtualized
.NET
loaders
that
are
designed
to
deploy
the
FormBook
information-stealing
malware.
“The
loaders,
dubbed
MalVirt,
use
obfuscated
virtualization
for
anti-analysis
and
evasion
along
with
the
Windows
Process
Explorer
driver
for
terminating
processes,”
SentinelOne
researchers
Aleksandar
Milenkoski
and
Tom
Hegel
said
in
a
technical
write-up.
The
shift
to
Google
malvertising
is
the
latest
example
of
how
crimeware
actors
are
devising
alternate
delivery
routes
to
distribute
malware
ever
since
Microsoft
announced
plans
to
block
the
execution
of
macros
in
Office
by
default
from
files
downloaded
from
the
internet.
Malvertising
entails
placing
rogue
search
engine
advertisements
in
hopes
of
tricking
users
searching
for
popular
software
like
Blender
into
downloading
the
trojanized
software.
The
MalVirt
loaders,
which
are
implemented
in
.NET,
use
the
legitimate
KoiVM
virtualizing
protector
for
.NET
applications
for
concealing
its
behavior
and
are
tasked
with
distributing
the
FormBook
malware
family.
Besides
incorporating
anti-analysis
and
anti-detection
techniques
to
evade
execution
within
a
virtual
machine
or
an
application
sandbox
environment,
the
loaders
have
been
found
to
employ
a
modified
version
of
KoiVM
that
packs
in
additional
obfuscation
layers
in
order
to
make
deciphering
even
more
challenging.
The
loaders
also
deploy
and
load
a
signed
Microsoft
Process
Explorer
driver
with
the
goal
of
carrying
out
actions
with
elevated
permissions.
The
privileges,
for
instance,
can
be
weaponized
to
terminate
processes
with
security
software
to
avoid
getting
flagged.
Both
FormBook
and
its
successor,
XLoader,
implement
a
wide
range
of
functionalities,
such
as
keylogging,
screenshot
theft,
harvesting
of
web
and
other
credentials,
and
staging
of
additional
malware.
The
malware
strains
are
also
notable
for
camouflaging
their
command-and-control
(C2)
traffic
among
smokescreen
HTTP
requests
with
encoded
content
to
multiple
decoy
domains,
as
previously
revealed
by
Zscaler
and
Check
Point
last
year.
“As
a
response
to
Microsoft
blocking
Office
macros
by
default
in
documents
from
the
Internet,
threat
actors
have
turned
to
alternative
malware
distribution
methods
–
most
recently,
malvertising,”
the
researchers
said.
“The
MalVirt
loaders
[…]
demonstrate
just
how
much
effort
threat
actors
are
investing
in
evading
detection
and
thwarting
analysis.”
It’s
pertinent
that
the
method
is
already
witnessing
a
spike
due
to
its
use
by
other
criminal
actors
to
push
IcedID,
Raccoon,
Rhadamanthys,
and
Vidar
stealers
over
the
past
few
months.
“It
is
likely
that
a
threat
actor
has
started
to
sell
malvertising
as
a
service
on
the
dark
web,
and
there
is
a
great
deal
of
demand,”
Abuse.ch
said
in
a
report,
pointing
out
a
possible
reason
for
the
“escalation.”
The
findings
arrive
two
months
after
India-based
K7
Security
Labs
detailed
a
phishing
campaign
that
leverages
a
.NET
loader
to
drop
Remcos
RAT
and
Agent
Tesla
by
means
of
a
virtualized
KoiVM
virtualized
binary.
It’s
not
all
malicious
ads,
however,
as
adversaries
are
also
experimenting
with
other
file
types
like
Excel
add-ins
(XLLs)
and
OneNote
email
attachments
to
sneak
past
security
perimeters.
Newly
joining
this
list
is
the
use
of
Visual
Studio
Tools
for
Office
(VSTO)
add-ins
as
an
attack
vehicle.
“VSTO
add-ins
can
be
packaged
alongside
Office
documents
(Local
VSTO),
or,
alternatively,
fetched
from
a
remote
location
when
a
VSTO-Bearing
Office
document
is
opened
(Remote
VSTO),”
Deep
Instinct
disclosed
last
week.
“This,
however,
may
require
bypass
of
trust-related
security
mechanisms.”
this
article
interesting?
Follow
us
on
and
to
read
more
exclusive
content
we
post.
About Author
