MalVirt – Dropping .Net InfoStealers
Malvertising campaigns are dropping .NET info-stealing malware dubbed MalVirt. These are highly obfuscated and distributed as virtualized .NET loaders.
MalVirt uses signatures and countersignatures from Microsoft, Acer, Digicert, Sectigo, and several other companies to avoid detection. That said, these signatures are invalid or are created using invalid certificates and hence get flagged on most systems.
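A defender-side check for the pattern described above, added here as an example and not part of the original article: sweep a directory for PE files whose Authenticode signature names a major publisher yet fails validation. The directory path and the list of publisher names are assumptions for illustration.

```powershell
# Added example (not from the original article): report PE files whose Authenticode
# signature claims a well-known publisher but does not verify, which is the
# combination the article describes for MalVirt loaders.
# $Path is an assumed sweep location; the publisher list is illustrative.
param([string]$Path = 'C:\Quarantine')

$claimedPublishers = 'Microsoft', 'Acer', 'DigiCert', 'Sectigo'

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $claims  = $claimedPublishers | Where-Object { $subject -match $_ }

    # A signature naming a major vendor that does not validate (HashMismatch,
    # NotTrusted, UnknownError, ...) is the suspicious case; plain unsigned
    # files (NotSigned) have no claimed publisher and are not reported here.
    if ($sig.Status -ne 'Valid' -and $claims) {
        [pscustomobject]@{
            File      = $_.FullName
            Status    = $sig.Status
            Claimed   = ($claims -join ',')
            Subject   = $subject
            # Countersignature (timestamp) signer, if any, for the analyst's notes
            Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' }
            Message   = $sig.StatusMessage
        }
    }
}
```

Status values other than Valid should be treated as untrusted regardless of the names in the certificate chain; the subject string is attacker-controlled when the certificate is invalid.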
The malware sends data to multiple random decoy C2 servers hosted with different providers, including Azure, Tucows, Choopa and Namecheap.
As for execution on the target system, the dropper uses KoiVM virtualization as an obfuscation method. Once it reaches the target system, it drops an info stealer of the Formbook family. This distribution through the MalVirt loader “is characterized by an unusual amount of applied anti-analysis and anti-detection techniques”.
The Formbook family includes Formbook and its newer version Xloader. These are info-stealing malware with capabilities including keylogging, screenshot theft, and the ability to steal web and other credentials, and can act as a staging platform for additional malware as well. Xloader can also heavily disguise its C2 traffic.
While it is traditionally delivered as an attachment to phishing emails, this new distribution method shows how far threat actors have adapted to Microsoft’s decision to block macros by default in Word, Excel, and PowerPoint, which shut down a commonly abused attack vector. LNK files as well as ISO and RAR attachments are also being used as attack vectors now.
Malvertising is becoming increasingly popular among threat actors who are now frequently abusing Google Ads to trick unsuspecting users into downloading malware. This is done by redirecting users to a fake site and letting them download a fake version of a popular program which includes malware droppers.
The campaign was discovered by SentinelOne researchers during a routine Google ad search for Blender 3D, a popular open-source 3D designing program.
Indicators of Compromise