A new malvertising campaign uses a previously unseen loader, dubbed MalVirt, to distribute information-stealing malware families such as XLoader and Formbook. The attack caught researchers off guard because it combines several strategies to hide both its implementation and its execution at multiple levels.
A researcher discovered a MalVirt loader sample that attackers were distributing through Google Ads. The malicious ad posed as a legitimate advert for the Blender 3D software, but the distribution campaign behind it layered several anti-detection and anti-analysis techniques to bypass security defences.
In addition, the malicious loader downloaded via the advert carries invalid digital signatures that impersonate Acer, Sectigo, DigiCert, Microsoft, and AVG Technologies USA. The campaign also mixes the malware's real command-and-control communication with multiple decoy HTTP requests to disguise the traffic and avoid network detection.
It further contacts decoy command-and-control servers hosted with legitimate providers.
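As an added example that is not part of the article, the PowerShell check below uses Get-AuthenticodeSignature to flag binaries whose signature fails to verify while the signer claims one of the vendor names listed above; the function name and the Downloads folder scan are assumptions.

```powershell
# Added example (not from the article): flag PE files whose Authenticode
# signature does not verify but whose signer claims one of the vendors
# the loaders impersonate. The function name is hypothetical.
$ImpersonatedVendors = @('Acer', 'Sectigo', 'DigiCert', 'Microsoft', 'AVG Technologies')

function Test-ImpersonatedSignature {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

    # A signature that names a well-known vendor but does not verify
    # (HashMismatch, NotTrusted, UnknownError, ...) matches the pattern above.
    $claimsVendor = $false
    foreach ($v in $ImpersonatedVendors) {
        if ($subject -like "*$v*" -or $issuer -like "*$v*") { $claimsVendor = $true }
    }
    $suspicious = ($sig.Status -ne 'Valid') -and $claimsVendor

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Subject    = $subject
        Issuer     = $issuer
        Suspicious = $suspicious
    }
}

# Scan executables in a user-writable location such as Downloads (assumed path).
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.dll -Recurse -File |
    ForEach-Object { Test-ImpersonatedSignature -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table Path, Status, Subject -AutoSize
```

Files reported here still need a proper triage; an unsigned or broken signature alone is common, and it is the combination with a spoofed vendor name that mirrors the behaviour described in the article.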
The MalVirt loader also relies on .NET code protection.
Analysis showed that the virtualised MalVirt loaders are written in .NET and use the KoiVM .NET protector to hide the malware code.
KoiVM replaces the original code, including its .NET CIL instructions, with virtualised code that only the virtualisation framework can interpret.
The loader decodes the virtualised code back into its original form only at runtime, so the malicious code stays obfuscated while security scanners inspect it. This is what lets MalVirt loaders deliver their payloads without triggering AV alerts.
Some loader samples also include additional checks to bypass the Antimalware Scan Interface (AMSI), a further safeguard for the payload delivery. Some actors in this campaign additionally abuse signed Microsoft Process Explorer drivers to alter or terminate genuine Windows processes without raising suspicion.
MalVirt's operators have invested heavily in evading detection and analysis, which is why researchers were surprised by the attacks: that level of effort is uncommon in Google ad-based malvertising campaigns.
Security researchers warned that the campaign could grow significantly if it continues to evade security solutions.