May 31, 2023

Researchers has released a report about a new malware called dotRunpeX is being developed to distribute variously known malware families, such as BitRAT, Agent Tesla, and LokiBot.

DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families. It has become a preferred tool for cybercriminals due to its ease of use and ability to bypass security measures. It is a second-stage malware in the infection chain, often transmitted through phishing emails or malicious Google Ads.

The most recent version of dotRunpeX, first detected in October 2022, has added an extra layer of obfuscation to evade detection. The malware now employs the KoiVM virtualizing protector, which makes it even more challenging to identify the threat.

Advertisements

In addition to phishing emails, dotRunpeX is known to use malicious Google Ads on search result pages to lure unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers. This technique, called “search engine result page (SERP) poisoning,” aims to manipulate search engine rankings to deliver malicious links to users.

The dotRunpeX malware uses a vulnerable process explorer driver (procexp.sys) to obtain kernel mode execution, allowing it to inject various malware families into systems undetected.

The analysis has revealed two concerning things:

  • Each dotRunpeX sample comes embedded with a specific payload of malware to be injected into the victim’s system.
  • The injector also specifies a list of anti-malware processes to be terminated to avoid detection.

dotRunpeX is suspected to be affiliated with Russian-speaking actors. The malware campaign was documented after a malvertising campaign previously revealed by Sentinel One. The campaign documented by Sentinel One involved the loader and injector components collectively called “MalVirt.”

The dotRunpeX malware campaign has been delivering a range of malware families, including RedLine, Raccoon, Vidar, Agent Tesla, and FormBook. The use of these malware families suggests that the actors behind the campaign are focused on information theft, as these families are known for stealing sensitive information such as login credentials, banking information, and personal data.

This research was documented by researchers from Check Point Researchers

Advertisements

Indicators of Compromise -Hashes

  • 1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc
  • 68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326
  • 317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc
  • 65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b
  • 81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e
  • 0e11704fcc3c36832ba98b80ea44a3013660d1ed3fb48158b982fed9f9050391
  • 0f9e27ec1ed021fd7375ca46f233c06b354d12d57aed44132208cd9308bfee11
  • 881a337aa85a4b01c08706ab941573c5dc9b76ea0e4e1c2693a9b4aa4453ec8c
  • feae44d8927dd41feaed997b3dbf7b41933496d6285b79554b83e72ae8a045c4
  • 1c1fcc4133af77f07d0c0299d0320aa9f447748ebead74b429f73c44d950e38b
  • 35c11f7315d2e5d04d783de4314d8cde2def382f1e3fc49ccc555337c54d63cc
  • 4068637c121888476533a3bbb16bec6bc3b4f81f7b9de635ef3576d56dc54c75
  • 40df5a6e6dcadbe576ce4a8b01cfb82bf3f56a87bae674200e60814eab666c6d
  • 8a0d6e40e545d40956194230f03608859f2a47420a9b11b199142641bc6419ee
  • 7c3803c09a0370aa6484d8ad2f5690b96212d98e45fc8f9cb6022f87dff637fc
  • 93e2ea6f021951369028b73637d9558c8baf3c99d9de1a2a60c1461cb9d571bf
  • d95298befdde567b31571d16f327840fa0f0dd9c54bf876531820910418a52b6
  • 149af913afd7eb2773386d14e88a46449cbc9096e0748cfbaa2e061b59525bf0
  • a73f134ab62a5c23a8c8bafabbfbd5e0408c826ba5418488639724708ec5ef28
  • aca4d6278f31f374262e0388d16ee6fdcdbbad8257374f1feaabf75b0ec23157
  • 50451fda27fd8569c7b32bfe82197b82a8637cac928164e1b091a389060e957e
  • 9ed8eeb1db8909c96a958d91213093d2488dc172a8d22ba62657b9bfeb044fec
  • 6c08c0654726c2f793b5191d5e7c74fdf3a2461118a45aa8527a0a30e3f256fd
  • 283cd48dc1368b6852c2f3168bf7a78ad593df010d9a67ed1c938508da5de783
  • b019a0535ca7466d7884825542ac6910fe037913118e1136dcac7e9ef3dc0dc9
  • b1c9b356c50230629c4697b0527fd7a0fa8d6f0e8342a1eb5b5a4f90d8f0eb86
  • 5bbd9513f0872d23ca43dd553a63a12882be274fef983fab427721257d60eaec
  • 9d9940b60809e3c10cd4540f8e589626a293244a999bea16c259f9712969a742
  • cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db
  • cddf8b8da972cb2e560c70d01366f582445441864fcff884b8194eb6c21a768c
  • 6c367333c677c2268df9deaff6ad4e711e73e53504aa1aa845bebfbfe635f1d2
  • 5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80
  • 244f2d4f3c34d00babef5f1765e91c0abda9dbd1d131fc93ecb48c91ecc801a8
  • 95793df9284fe35c0491e5cfa36bc8f49fd426ccdf35f5fe2f098e07d160a4dc
  • 55ee7efcb3d1d2e0eac0ecadd651d6a299de82d94347ef9862bc981ae619532b
  • 13081992c0ef5c52c2b6224f3ff1ab38160bca9424e7c0470e0c175c920bdc9d
  • 0daef2c2bf086312037ebc91beec0302a7e4d1750f260d02bf815bd13c611559
  • 331ad58c524100da7e459e5c3943e970414617f60b3ed0f1a74f3bf189aafea7
  • 44a11146173db0663a23787bffbb120f3955bc33e60e73ecc798953e9b34b2f2
  • 03fcbab82603df2858f7d6fefdb6ae3cc8e17393af6d44f24634d28fccf3f181
  • 373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232
  • 50ec8a9e59e1bcb0a41477e20f5bb809a80329d56e20cf99e93d756b9e0ceefc
  • 41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636
  • 76e129552a30fa5c914d9f946f40b2ec2bbbbeb4e5e2f324e70455725030e157
  • 8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591
  • ae4f3b6c43d5ea8ee68d862362d4e8d7b317889eb9abead948a9b791ad9d7071
  • b4c876d1797efbef614b44e52482c835c32e8ee020975a30fa2d25ed9cf8aa2b
  • d5eda02ff2f05d1e0d06a69018de463ab36497048a1ef2b69af93aa76ccfc07d
  • fa3a9fc2adf9d1ca812e0951e21bf72ba3ec9ceb1c0cf0bfc0171b6d4adadf83
  • 1f2ffabb3b89e6083ca5de70f5d718295c7a633c2d957da7c4469de059efde2c
  • bd133efea4b865f42eb05e0c92e3ab3b58ac087c0682ea9112b96596a7111ff6
  • e6da2d860bd2d0e8b56737b4c8c47cdeea78a404cd0d6fa5a26cbb5ac7682d1d
  • d87a200a26d07a64272e93fb3ae8f8d9e4d34bdfedb0cf7c685a6c97912e967f
  • 7120cf1ad3fdcae7ba6956749a8988e8181837a05948b432cec6ae11229b1d12
  • 304847c69875ec59995fbb453f8d1106f80c5eb380ae6b8676e76f5372290194
  • 25fbe0ff3274b4bc981fa6ec0459e9b95cec6397194e10ea6287bf4b899a9b07
  • 1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8
  • 75236a06aadafc69cc5aa8032468869fb868a9a100b687f19c66be03410c2487
  • ee0d55b9a2d03c5bea9f69f98b042ab7b3064366f335a8a53096387876bf48d7
  • 8de23e90bac05911cbfb6b036c6808ce7c244e4e875cb7edcdb90f75e89e5476
  • 10bbfa36ddd8ea6038e2071320ee84f7a9208a5be3a4dda448e83393cdf39a4d
  • ff72f619907a25f3d99f0c3aa84710c6ff6cb4c3fd8ebad14f85f96c6da49222
  • 242e1c82269725c01108e52376be8ddad39ab29da49356d10e527af6d78058f5
  • ae4d2054a6e1f9ba2c269eace61aac7259adb0645d18da82779717d83174837d
  • bf7b127b1bb81b68439851386cd3d1600bb8b9ec56135e668a88062d913410dd
  • b8bb071899ae7bd16a328c0998b3cd40261d61e564ac77f9bf3e495fab0ad267
  • 17af8118607b9fc1f7b6aa82fd72f4fc115320d293e103dfe356706bb7c581b7
  • 366284c1a0577937c86744349ac47e6e578da500ada3deb857ff233d9851ee6b
  • 3e50f0eaf02d12653d5f757372240adcb5c16a5ab647a667637ba4c50d37aaad
  • 47849f610a30d72660b1725a0b18d78c5204257b3740641727bdcbfd1ebd466a
  • 507f413ac42df115988df498a90fc1ae610cafb66cb30a3a7de53e71ec90e7cd
  • 57f261cc442dd9a4f1cd4ffd281c9855f4f9a736abffaf539d9df2a6ea0dd409
  • 76eed1849d0a0474f9e0a58afcda2cc1ea7af316535b4b4b27ff810a162d4f8f
  • 855b2e04c323a269d3731c093f0bc80ab3497a69ab8d2967847451a87f04fb0a
  • 87134629723b2c6f4d0a74c35fdce89653471d9880b23f4faea6664ae151db0e
  • 8bcc23ec881d61839fc57e8ec7425ac5ed625425fbf265fcb53ad73a73825b18
  • 9177ba0c649f08fa6367d04091a7672fedb82215b26e08346645544f0631ebfd
  • 9246ed27032429f234888b2713529001344850c608cab9f5ab7274195d330bec
  • a487e959e59bc9500c43ac270eaf345eaf28173b07ed7dd82b2495aa19cdab88
  • ada1679a193c9b17b206b3d9ff2a19d64c6c8c5f882a321381c9d5347a8b4b3e
  • c1be6f792bd51d23d848e54cd217bdf9edcbb2b89df741190929f6fa327a10cb
  • db8ed3e6dd7e6818046e7ee1e9c6c91f98aa5ce3113b14fb1c85a50a45569b18
  • ddae8737d7cc35a87274a26b886e6b48ae947aa849c3d7ecb84de6f6d553aa96
  • efa9a303af112ffb6737846755e3a995510fd65b6ced9032dc68cd7bbe4c307d
  • 20b5c7f210320cf23a63ac7f76086a6e257dd0c248d77deff444cb3dcf624799
  • f0ee1ddb789207c2000f728f6adabbe344ded7cba0804926a7cfc53bdbbc54eb
  • f440309e372551fb6ee00ecca71a70a1b8b7e077fe61b0687411147b582ab415
  • 21a570237cdacdb8c69679e59c4dba6aa05f123f9db7470ec34e2f4024c3646b
  • 4e8bf8c770727a3b0f551adcff2716c941234708e679c868ce42532714a29d27
  • 3c0c55b4ce2d90448949980fbca1fa447832f67fb864472551513b6e4eff5304
  • 61b5b6a513be380d50282c1c8391a5362d746bd70506343d04bda3751c3b25de
  • a4d455f65bb4d2dde03a0686433b6d515c71b5655fa78b86a4f9bdae503c1295
  • c9d36fcce70893aa16a846b48009bbd8b46fc11c6821b750083a9c89669038cc
  • 04a1021d0880a4f13ed8693dfe65889a5f827fe5ee9369abbc00b58efc40e69b
  • 13eb08dda92356f21888d95a6611a46728dfcefcdf769e7edad1a70e958e5367
  • 20330ec79f6c6edce8c3d87e3340aebc60f528d3751339e57437b178b9cb914d
  • 22962d59a066795696464868700fa7d3f735bfdb494a7a879fb54668a0ca3d46
  • 2b1be3ea73921adde804b85e93817869556fa9919bf7a528639a796e27351755
  • 301be47a8fefa749d904425b43ae459249e2b44ff62051f3a5529d6222259f42
  • 410b032a8635fba6cc30f0c2049a53f93b98128388a4a7ce2c3a0bfb33591f9f
  • 43d49812cc723b3c24ca7048faa859800c7e303e074243e4348f65d34127367b
  • 47c765ad0baae96498e05e3f0984002cbce6b3f1bacd1cf238681a677c2f8036
  • 482765b55aecbf24eb102f531afb6c8905ab7a058a447d217be70984f15b4573
  • 50b7e742eea52e18cf908cd676b87c0f145ecc3ff9692b01c90c47750fe989a7
  • 70a6d43a56d267aa4fdac5a96722a2ff05e2ac1cc9ba996d173f0b3252e09898
  • 7263336f1ec49f936501c508a9edf072a81002e64e52a1ed0cafb1378bb07a2a
  • 770e7d287fe352f12757ebfbb4502b10f61001630d70ddf414157b12e1f5e9a3
  • 87f5b4385a2a87229b6c448a3b4b19a7e75fe6bc607dffc0e1f860e9e4499eca
  • adc5669dd1153111f4cc07714599145a775d8c260c1acae9c142280147d1793a
  • b80b3dae21d54eb9ccde40b9ba728ba3d45a73e0fc91adae3d7c375208631527
  • e35547cfb6ae3fe18df6d887334952e7a38cc51a230f02c7f62a5fef083de7cf
  • f570b6c46a5bb5a8757b1125c7d4b5d4aca2c7e9354ed1d34b78fd4f08280e30
  • f6aba045ca29ba39bbdcb2f8bde63efc971d138f88bf03aea2d13ddec88a0483
  • fefb4288cb41fcca85cd50653093d7b27c9c51769b03f72adf951c5a1f111ddf
  • f79273a1efb664d81f68e808b9ec963bfeb79d63bd277108863d6ae3c4801a9e
  • 24c870202b3aedfcd28a8afb93b5212b791c265abd872ef94e44401d1ca309ad
  • 417c3f327c2d8b54ec72a5a89280fecb589a3e0b89c281bbc077d7de445cc76b
  • 948416d3aeae6f31df3341118a25a4231a7eed23b3db73a022e9da70734163c9
  • 71cc196ad2103a1facd81f2b8bd985273f682019b2a88841d2f34ecc373d1d69
  • 7bdb945f2dab863a299e26ab4c6dfb1e4f7321c38fe101224252d993495bc157
  • 0bb4d022d6007fcaf1d0707b646063b4b66cf5177da6a1fc6c5d0fc217501d6f
  • 0e918ad3e7ad983ecf6c3238991c13a230acc897193e0ad360d2eeaab42bf078
  • f413dbf6764bc73ab94428831e0ce3fc0369856aa50c4f9c0f5948eac85d2d08
  • 670a96324222e6bb02bd36c7e5b100fb5d52d2d59891bd9599b1a47438ac9578
  • 9049d536e6da46b63c562197ab92f511d5f5e2883eb8bf29f72217282ae25772
  • 116d81561faa8c8a9cf4fbc947e9eee11185f3960daead8179a968dea143bfd0
  • 9984a21c06fea77e96ba410cffb99de530201ef0c74f3e8b38b3afd4fdf0b333
  • bcc80eabe068cbbe38fa37b58e67fee54af75fa9e8a1fc30d93b7d30886d05da
  • 202570439b32480e6df232977d5435be9be94822c75f89b09f571e5b03f8c9ab
  • 96b5ea21a2556486cebbed76711a8bbae42de1e97e3311213833c6567a4fbbdc
  • 35c53663294e5476315853228b4ae642f552c6c6b1253412a7f981c7ddf3d0b7
  • 8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504
  • 7d8c18056e86a3b8c32b524f9de009ced61caf463abe1bca285fa305d4b5616a
  • a2e9a2389faf04b67fbbd6fc71134860a145db7643d88ba312390493d5619302
  • 9f96e5bc9ffc9742cb10384566dc7fb232e0f0d633e643bd487b747b6e88f369
  • 71ecfddc7fe52a10bdf79c39cf9a1d911257ed0deee1bfef21386053bfe88110
  • 96e49a5ac188d49003b2fe77ad8a4c8866a94cc828dc6172d9a13a8c26e49b9b
  • 5474d15059ca4213ab1c13fba25ab8ba38559cac7ec2ab336d2411b90eab1217
  • eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5
  • 02355d3fee5e217b25f9210ad0f6bacc3807b6ef1a59aa4d428c01017dcbcf28
  • 05f9553616bb5fdbf37bd4036c210929e08d7181de898c1bea1bdae7afb0766f
  • 0c857501e3851072db666386136929c06bcf4c8d3160b41b7d82a3ce9afca1be
  • 3418a369486e9bf2b57023dc0b02cb00f12a5214fca8bae20ff93586cc8c678a
  • 363c46dfb252d7c40d9c3bb63bdc40c2eff0ce16c0c1b77f507d73058104c6e1
  • 4c17f7ee55f9bf6fa9acaeeb9574feab39ba4a3cccd4426dfa85aaf58b90ae73
  • 4d4f97f1621334e4075e0229265ac6c5da14754eff1378a7d77ea6d3821e8a33
  • 87b92fcd04f69f9c132c9f350dbb3686888a5e388b1f787f6a658f09582c0da6
  • 99e733391ac499e78e535a98551c4d27408abfad4e56fe4c46956636655df29c
  • b67bc78347918209973d633287c4e1f514a0917b8678c2cf2066ba80b2004f78
  • c6e0a5e947e9f23cd0af6fa8bd44411a12212ab1de5007036926089800ac8692
  • cb014704f53d5da64964c2b0bfc7e13bbdf389555294c6f6c98c2527f6406d6d
  • d55f6b273254d2be71991cdbdb288cc94a7bc715c4be7ad97c0e1625bc0f2696
  • d6fd4a75e32f78817f84de3dcb9e3fd767f602b7da1edecd06391ff62a481571
  • e56c525248b1f9201cddcf1802377a7157029e8935696d1a9d9169e1d0501fa4
  • e6a2575c893868e3d8ea5982699c9c2b75a07b8ec092b0cb26d7b5c3c2640f33
  • ec875c5901e28a04b199f577b16a8ba6ac8c9ab7e90bc51a5809f668882ba54f
  • b4a57b62569ee1ccb1c2dae148488dc9e37d738f0fed4f0a6e144caeb910f546
  • f9c25b4755ab54ff3f8d827b6422d43ed14dbd03fd4faa266348eee177f7957f
  • fa258b12d3f4ca1503379a4f6a800bdb1d589ef15ab8bfc20d452f70c8a0745c
  • fcc4c20c07fdf816b7cc6dfba34d42af827ecf01e9972f266ac395e54db028af
  • a19cabf8ce0a8012dedbf65855981db1efa3b9773365554401a74bfb7a45490f
  • 7f801c77fb61cc8d5c03e9fa3068163b595f5bf8c176628398bbbea5aa0a1b74
  • 63de4552312345e055236c82ecdc55c2bc8b3c37f363cb081f8f788b5203d759
  • 2478cd52847146b34cae6b768c794210838a3002a622ce61c2f90d075f6e0e65
  • c5646cc9fe486f0644067fc294f83eb6a39ce6f28eea3708c9bf49e244acc0f9
  • fc99e6083b1dcbe72fb818dbd53903f30c312731f2cfc8607f9d2bf2586be1ee
Tags:

1 thought on “DotRunpeX – Malware Injector Spreads in Wild

  1. Pingback: DotRunpeX – Malware Injector Spreads in Wild - YodaSec Expose

Leave a Reply

You may have missed

Mirai Bots Targeting IoT Devices

Mirai Bots Targeting IoT Devices

May 30, 2023
Watering hole attack from Tortoiseshell group

Watering hole attack from Tortoiseshell group

May 29, 2023
New TLD Based Phishing Campaign

New TLD Based Phishing Campaign

May 29, 2023
CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
%d bloggers like this: