FormBook: The Latest Threat in Malvertising Campaigns


In the world of cybercrime, malware distributors are constantly adapting their methods to evade detection and analysis. The latest example is the shift to malvertising, which involves placing rogue search engine ads to trick users into downloading trojanized software. A recent malvertising campaign has been used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware.

The loaders, called MalVirt, use obfuscated virtualization and the Windows Process Explorer driver to evade detection and terminate processes, SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a technical write-up. They are implemented in .NET and use the legitimate KoiVM virtualizing protector to conceal their behavior and distribute the FormBook malware family. The MalVirt loaders also incorporate anti-analysis and anti-detection techniques and employ a modified version of KoiVM with additional obfuscation layers that make deciphering them even more challenging.

FormBook and its successor, XLoader, have a wide range of capabilities including keylogging, screenshot theft, harvesting of web and other credentials, and the staging of additional malware. These malware strains also camouflage their command-and-control (C2) traffic among smokescreen HTTP requests to multiple decoy domains.
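The decoy-domain behaviour described above leaves a recognisable shape in outbound proxy logs: one client fanning out to many distinct hosts in a short burst, only one of which is the real C2. The script below is an added example for defenders, not code from the page or from SentinelOne's write-up; the log format, the sample lines, the 60-second window and the threshold of eight distinct domains are all constructed assumptions. It scores each client by the largest number of distinct hosts it contacted within any window, so it can be run over real logs as a triage heuristic.

```python
"""Flag clients that fan out HTTP requests to many distinct domains in a
short window, the traffic shape of smokescreen requests to decoy domains.

Added example (not from the original article). The log format, the sample
lines, the window length and the threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines: "<ISO timestamp> <client> <host> <status>".
# 10.0.0.5 browses normally; 10.0.0.7 hits ten different hosts in under
# 30 seconds, then goes quiet.
SAMPLE_LOG = """\
2023-02-01T10:00:00 10.0.0.5 www.example.com 200
2023-02-01T10:00:01 10.0.0.5 cdn.example.net 200
2023-02-01T10:00:02 10.0.0.7 decoy01.example 404
2023-02-01T10:00:05 10.0.0.7 decoy02.example 404
2023-02-01T10:00:08 10.0.0.7 decoy03.example 200
2023-02-01T10:00:11 10.0.0.7 decoy04.example 404
2023-02-01T10:00:14 10.0.0.7 decoy05.example 404
2023-02-01T10:00:17 10.0.0.7 decoy06.example 404
2023-02-01T10:00:20 10.0.0.7 decoy07.example 404
2023-02-01T10:00:23 10.0.0.7 decoy08.example 404
2023-02-01T10:00:26 10.0.0.7 decoy09.example 404
2023-02-01T10:00:29 10.0.0.7 decoy10.example 404
2023-02-01T10:00:40 10.0.0.5 mail.example.org 200
2023-02-01T10:05:00 10.0.0.7 www.example.com 200
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, host, status)."""
    ts, client, host, status = line.split()
    return datetime.fromisoformat(ts), client, host.lower(), int(status)


def fan_out_alerts(log_text, window=timedelta(seconds=60), min_domains=8):
    """Return {client: peak distinct hosts within any `window`} for every
    client whose peak reaches `min_domains`.

    The heuristic looks only at domain fan-out per client, not at domain
    reputation, because the decoys are chosen to look legitimate.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, host, _status = parse_line(line)
        events[client].append((ts, host))

    alerts = {}
    for client, evs in events.items():
        evs.sort()  # chronological order for the sliding window
        peak = 0
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({host for _, host in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_domains:
            alerts[client] = peak
    return alerts


if __name__ == "__main__":
    for client, peak in fan_out_alerts(SAMPLE_LOG).items():
        print(f"{client}: {peak} distinct hosts within 60s")
```

Tune the window and threshold to the environment before trusting the output: a user opening a page with many third-party resources will also fan out, so this is a lead to pivot on (which hosts, whether they were newly registered, what process made the requests), not a verdict on its own.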

The shift to malvertising is a response to Microsoft's plan to block the execution of macros by default in Office files downloaded from the internet. The use of malvertising is already on the rise, with criminal actors pushing other stealers such as IcedID, Raccoon, Rhadamanthys, and Vidar. There is even evidence that a threat actor is selling malvertising as a service on the dark web, fueling demand for this method, Abuse.ch said in a report, pointing to it as a possible reason for the "escalation."

However, malware distributors are not limited to malvertising and are experimenting with other file types, such as Excel add-ins and OneNote email attachments, to sneak past security perimeters. The latest addition to this list is the use of Visual Studio Tools for Office (VSTO) add-ins as an attack vehicle, as has been disclosed.

In conclusion, the MalVirt loaders demonstrate the effort that threat actors are investing in evading detection and thwarting analysis. The shift to malvertising highlights the need for organizations to be vigilant and proactive in their security measures to protect against the latest threats in cybercrime.
