December 5, 2023

Researchers has released a report about a new malware called dotRunpeX is being developed to distribute variously known malware families, such as BitRAT, Agent Tesla, and LokiBot.

DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families. It has become a preferred tool for cybercriminals due to its ease of use and ability to bypass security measures. It is a second-stage malware in the infection chain, often transmitted through phishing emails or malicious Google Ads.

The most recent version of dotRunpeX, first detected in October 2022, has added an extra layer of obfuscation to evade detection. The malware now employs the KoiVM virtualizing protector, which makes it even more challenging to identify the threat.

Advertisements

In addition to phishing emails, dotRunpeX is known to use malicious Google Ads on search result pages to lure unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers. This technique, called “search engine result page (SERP) poisoning,” aims to manipulate search engine rankings to deliver malicious links to users.

The dotRunpeX malware uses a vulnerable process explorer driver (procexp.sys) to obtain kernel mode execution, allowing it to inject various malware families into systems undetected.

The analysis has revealed two concerning things:

  • Each dotRunpeX sample comes embedded with a specific payload of malware to be injected into the victim’s system.
  • The injector also specifies a list of anti-malware processes to be terminated to avoid detection.

dotRunpeX is suspected to be affiliated with Russian-speaking actors. The malware campaign was documented after a malvertising campaign previously revealed by Sentinel One. The campaign documented by Sentinel One involved the loader and injector components collectively called “MalVirt.”

The dotRunpeX malware campaign has been delivering a range of malware families, including RedLine, Raccoon, Vidar, Agent Tesla, and FormBook. The use of these malware families suggests that the actors behind the campaign are focused on information theft, as these families are known for stealing sensitive information such as login credentials, banking information, and personal data.

This research was documented by researchers from Check Point Researchers

Advertisements

Indicators of Compromise -Hashes

  • 1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc
  • 68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326
  • 317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc
  • 65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b
  • 81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e
  • 0e11704fcc3c36832ba98b80ea44a3013660d1ed3fb48158b982fed9f9050391
  • 0f9e27ec1ed021fd7375ca46f233c06b354d12d57aed44132208cd9308bfee11
  • 881a337aa85a4b01c08706ab941573c5dc9b76ea0e4e1c2693a9b4aa4453ec8c
  • feae44d8927dd41feaed997b3dbf7b41933496d6285b79554b83e72ae8a045c4
  • 1c1fcc4133af77f07d0c0299d0320aa9f447748ebead74b429f73c44d950e38b
  • 35c11f7315d2e5d04d783de4314d8cde2def382f1e3fc49ccc555337c54d63cc
  • 4068637c121888476533a3bbb16bec6bc3b4f81f7b9de635ef3576d56dc54c75
  • 40df5a6e6dcadbe576ce4a8b01cfb82bf3f56a87bae674200e60814eab666c6d
  • 8a0d6e40e545d40956194230f03608859f2a47420a9b11b199142641bc6419ee
  • 7c3803c09a0370aa6484d8ad2f5690b96212d98e45fc8f9cb6022f87dff637fc
  • 93e2ea6f021951369028b73637d9558c8baf3c99d9de1a2a60c1461cb9d571bf
  • d95298befdde567b31571d16f327840fa0f0dd9c54bf876531820910418a52b6
  • 149af913afd7eb2773386d14e88a46449cbc9096e0748cfbaa2e061b59525bf0
  • a73f134ab62a5c23a8c8bafabbfbd5e0408c826ba5418488639724708ec5ef28
  • aca4d6278f31f374262e0388d16ee6fdcdbbad8257374f1feaabf75b0ec23157
  • 50451fda27fd8569c7b32bfe82197b82a8637cac928164e1b091a389060e957e
  • 9ed8eeb1db8909c96a958d91213093d2488dc172a8d22ba62657b9bfeb044fec
  • 6c08c0654726c2f793b5191d5e7c74fdf3a2461118a45aa8527a0a30e3f256fd
  • 283cd48dc1368b6852c2f3168bf7a78ad593df010d9a67ed1c938508da5de783
  • b019a0535ca7466d7884825542ac6910fe037913118e1136dcac7e9ef3dc0dc9
  • b1c9b356c50230629c4697b0527fd7a0fa8d6f0e8342a1eb5b5a4f90d8f0eb86
  • 5bbd9513f0872d23ca43dd553a63a12882be274fef983fab427721257d60eaec
  • 9d9940b60809e3c10cd4540f8e589626a293244a999bea16c259f9712969a742
  • cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db
  • cddf8b8da972cb2e560c70d01366f582445441864fcff884b8194eb6c21a768c
  • 6c367333c677c2268df9deaff6ad4e711e73e53504aa1aa845bebfbfe635f1d2
  • 5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80
  • 244f2d4f3c34d00babef5f1765e91c0abda9dbd1d131fc93ecb48c91ecc801a8
  • 95793df9284fe35c0491e5cfa36bc8f49fd426ccdf35f5fe2f098e07d160a4dc
  • 55ee7efcb3d1d2e0eac0ecadd651d6a299de82d94347ef9862bc981ae619532b
  • 13081992c0ef5c52c2b6224f3ff1ab38160bca9424e7c0470e0c175c920bdc9d
  • 0daef2c2bf086312037ebc91beec0302a7e4d1750f260d02bf815bd13c611559
  • 331ad58c524100da7e459e5c3943e970414617f60b3ed0f1a74f3bf189aafea7
  • 44a11146173db0663a23787bffbb120f3955bc33e60e73ecc798953e9b34b2f2
  • 03fcbab82603df2858f7d6fefdb6ae3cc8e17393af6d44f24634d28fccf3f181
  • 373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232
  • 50ec8a9e59e1bcb0a41477e20f5bb809a80329d56e20cf99e93d756b9e0ceefc
  • 41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636
  • 76e129552a30fa5c914d9f946f40b2ec2bbbbeb4e5e2f324e70455725030e157
  • 8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591
  • ae4f3b6c43d5ea8ee68d862362d4e8d7b317889eb9abead948a9b791ad9d7071
  • b4c876d1797efbef614b44e52482c835c32e8ee020975a30fa2d25ed9cf8aa2b
  • d5eda02ff2f05d1e0d06a69018de463ab36497048a1ef2b69af93aa76ccfc07d
  • fa3a9fc2adf9d1ca812e0951e21bf72ba3ec9ceb1c0cf0bfc0171b6d4adadf83
  • 1f2ffabb3b89e6083ca5de70f5d718295c7a633c2d957da7c4469de059efde2c
  • bd133efea4b865f42eb05e0c92e3ab3b58ac087c0682ea9112b96596a7111ff6
  • e6da2d860bd2d0e8b56737b4c8c47cdeea78a404cd0d6fa5a26cbb5ac7682d1d
  • d87a200a26d07a64272e93fb3ae8f8d9e4d34bdfedb0cf7c685a6c97912e967f
  • 7120cf1ad3fdcae7ba6956749a8988e8181837a05948b432cec6ae11229b1d12
  • 304847c69875ec59995fbb453f8d1106f80c5eb380ae6b8676e76f5372290194
  • 25fbe0ff3274b4bc981fa6ec0459e9b95cec6397194e10ea6287bf4b899a9b07
  • 1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8
  • 75236a06aadafc69cc5aa8032468869fb868a9a100b687f19c66be03410c2487
  • ee0d55b9a2d03c5bea9f69f98b042ab7b3064366f335a8a53096387876bf48d7
  • 8de23e90bac05911cbfb6b036c6808ce7c244e4e875cb7edcdb90f75e89e5476
  • 10bbfa36ddd8ea6038e2071320ee84f7a9208a5be3a4dda448e83393cdf39a4d
  • ff72f619907a25f3d99f0c3aa84710c6ff6cb4c3fd8ebad14f85f96c6da49222
  • 242e1c82269725c01108e52376be8ddad39ab29da49356d10e527af6d78058f5
  • ae4d2054a6e1f9ba2c269eace61aac7259adb0645d18da82779717d83174837d
  • bf7b127b1bb81b68439851386cd3d1600bb8b9ec56135e668a88062d913410dd
  • b8bb071899ae7bd16a328c0998b3cd40261d61e564ac77f9bf3e495fab0ad267
  • 17af8118607b9fc1f7b6aa82fd72f4fc115320d293e103dfe356706bb7c581b7
  • 366284c1a0577937c86744349ac47e6e578da500ada3deb857ff233d9851ee6b
  • 3e50f0eaf02d12653d5f757372240adcb5c16a5ab647a667637ba4c50d37aaad
  • 47849f610a30d72660b1725a0b18d78c5204257b3740641727bdcbfd1ebd466a
  • 507f413ac42df115988df498a90fc1ae610cafb66cb30a3a7de53e71ec90e7cd
  • 57f261cc442dd9a4f1cd4ffd281c9855f4f9a736abffaf539d9df2a6ea0dd409
  • 76eed1849d0a0474f9e0a58afcda2cc1ea7af316535b4b4b27ff810a162d4f8f
  • 855b2e04c323a269d3731c093f0bc80ab3497a69ab8d2967847451a87f04fb0a
  • 87134629723b2c6f4d0a74c35fdce89653471d9880b23f4faea6664ae151db0e
  • 8bcc23ec881d61839fc57e8ec7425ac5ed625425fbf265fcb53ad73a73825b18
  • 9177ba0c649f08fa6367d04091a7672fedb82215b26e08346645544f0631ebfd
  • 9246ed27032429f234888b2713529001344850c608cab9f5ab7274195d330bec
  • a487e959e59bc9500c43ac270eaf345eaf28173b07ed7dd82b2495aa19cdab88
  • ada1679a193c9b17b206b3d9ff2a19d64c6c8c5f882a321381c9d5347a8b4b3e
  • c1be6f792bd51d23d848e54cd217bdf9edcbb2b89df741190929f6fa327a10cb
  • db8ed3e6dd7e6818046e7ee1e9c6c91f98aa5ce3113b14fb1c85a50a45569b18
  • ddae8737d7cc35a87274a26b886e6b48ae947aa849c3d7ecb84de6f6d553aa96
  • efa9a303af112ffb6737846755e3a995510fd65b6ced9032dc68cd7bbe4c307d
  • 20b5c7f210320cf23a63ac7f76086a6e257dd0c248d77deff444cb3dcf624799
  • f0ee1ddb789207c2000f728f6adabbe344ded7cba0804926a7cfc53bdbbc54eb
  • f440309e372551fb6ee00ecca71a70a1b8b7e077fe61b0687411147b582ab415
  • 21a570237cdacdb8c69679e59c4dba6aa05f123f9db7470ec34e2f4024c3646b
  • 4e8bf8c770727a3b0f551adcff2716c941234708e679c868ce42532714a29d27
  • 3c0c55b4ce2d90448949980fbca1fa447832f67fb864472551513b6e4eff5304
  • 61b5b6a513be380d50282c1c8391a5362d746bd70506343d04bda3751c3b25de
  • a4d455f65bb4d2dde03a0686433b6d515c71b5655fa78b86a4f9bdae503c1295
  • c9d36fcce70893aa16a846b48009bbd8b46fc11c6821b750083a9c89669038cc
  • 04a1021d0880a4f13ed8693dfe65889a5f827fe5ee9369abbc00b58efc40e69b
  • 13eb08dda92356f21888d95a6611a46728dfcefcdf769e7edad1a70e958e5367
  • 20330ec79f6c6edce8c3d87e3340aebc60f528d3751339e57437b178b9cb914d
  • 22962d59a066795696464868700fa7d3f735bfdb494a7a879fb54668a0ca3d46
  • 2b1be3ea73921adde804b85e93817869556fa9919bf7a528639a796e27351755
  • 301be47a8fefa749d904425b43ae459249e2b44ff62051f3a5529d6222259f42
  • 410b032a8635fba6cc30f0c2049a53f93b98128388a4a7ce2c3a0bfb33591f9f
  • 43d49812cc723b3c24ca7048faa859800c7e303e074243e4348f65d34127367b
  • 47c765ad0baae96498e05e3f0984002cbce6b3f1bacd1cf238681a677c2f8036
  • 482765b55aecbf24eb102f531afb6c8905ab7a058a447d217be70984f15b4573
  • 50b7e742eea52e18cf908cd676b87c0f145ecc3ff9692b01c90c47750fe989a7
  • 70a6d43a56d267aa4fdac5a96722a2ff05e2ac1cc9ba996d173f0b3252e09898
  • 7263336f1ec49f936501c508a9edf072a81002e64e52a1ed0cafb1378bb07a2a
  • 770e7d287fe352f12757ebfbb4502b10f61001630d70ddf414157b12e1f5e9a3
  • 87f5b4385a2a87229b6c448a3b4b19a7e75fe6bc607dffc0e1f860e9e4499eca
  • adc5669dd1153111f4cc07714599145a775d8c260c1acae9c142280147d1793a
  • b80b3dae21d54eb9ccde40b9ba728ba3d45a73e0fc91adae3d7c375208631527
  • e35547cfb6ae3fe18df6d887334952e7a38cc51a230f02c7f62a5fef083de7cf
  • f570b6c46a5bb5a8757b1125c7d4b5d4aca2c7e9354ed1d34b78fd4f08280e30
  • f6aba045ca29ba39bbdcb2f8bde63efc971d138f88bf03aea2d13ddec88a0483
  • fefb4288cb41fcca85cd50653093d7b27c9c51769b03f72adf951c5a1f111ddf
  • f79273a1efb664d81f68e808b9ec963bfeb79d63bd277108863d6ae3c4801a9e
  • 24c870202b3aedfcd28a8afb93b5212b791c265abd872ef94e44401d1ca309ad
  • 417c3f327c2d8b54ec72a5a89280fecb589a3e0b89c281bbc077d7de445cc76b
  • 948416d3aeae6f31df3341118a25a4231a7eed23b3db73a022e9da70734163c9
  • 71cc196ad2103a1facd81f2b8bd985273f682019b2a88841d2f34ecc373d1d69
  • 7bdb945f2dab863a299e26ab4c6dfb1e4f7321c38fe101224252d993495bc157
  • 0bb4d022d6007fcaf1d0707b646063b4b66cf5177da6a1fc6c5d0fc217501d6f
  • 0e918ad3e7ad983ecf6c3238991c13a230acc897193e0ad360d2eeaab42bf078
  • f413dbf6764bc73ab94428831e0ce3fc0369856aa50c4f9c0f5948eac85d2d08
  • 670a96324222e6bb02bd36c7e5b100fb5d52d2d59891bd9599b1a47438ac9578
  • 9049d536e6da46b63c562197ab92f511d5f5e2883eb8bf29f72217282ae25772
  • 116d81561faa8c8a9cf4fbc947e9eee11185f3960daead8179a968dea143bfd0
  • 9984a21c06fea77e96ba410cffb99de530201ef0c74f3e8b38b3afd4fdf0b333
  • bcc80eabe068cbbe38fa37b58e67fee54af75fa9e8a1fc30d93b7d30886d05da
  • 202570439b32480e6df232977d5435be9be94822c75f89b09f571e5b03f8c9ab
  • 96b5ea21a2556486cebbed76711a8bbae42de1e97e3311213833c6567a4fbbdc
  • 35c53663294e5476315853228b4ae642f552c6c6b1253412a7f981c7ddf3d0b7
  • 8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504
  • 7d8c18056e86a3b8c32b524f9de009ced61caf463abe1bca285fa305d4b5616a
  • a2e9a2389faf04b67fbbd6fc71134860a145db7643d88ba312390493d5619302
  • 9f96e5bc9ffc9742cb10384566dc7fb232e0f0d633e643bd487b747b6e88f369
  • 71ecfddc7fe52a10bdf79c39cf9a1d911257ed0deee1bfef21386053bfe88110
  • 96e49a5ac188d49003b2fe77ad8a4c8866a94cc828dc6172d9a13a8c26e49b9b
  • 5474d15059ca4213ab1c13fba25ab8ba38559cac7ec2ab336d2411b90eab1217
  • eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5
  • 02355d3fee5e217b25f9210ad0f6bacc3807b6ef1a59aa4d428c01017dcbcf28
  • 05f9553616bb5fdbf37bd4036c210929e08d7181de898c1bea1bdae7afb0766f
  • 0c857501e3851072db666386136929c06bcf4c8d3160b41b7d82a3ce9afca1be
  • 3418a369486e9bf2b57023dc0b02cb00f12a5214fca8bae20ff93586cc8c678a
  • 363c46dfb252d7c40d9c3bb63bdc40c2eff0ce16c0c1b77f507d73058104c6e1
  • 4c17f7ee55f9bf6fa9acaeeb9574feab39ba4a3cccd4426dfa85aaf58b90ae73
  • 4d4f97f1621334e4075e0229265ac6c5da14754eff1378a7d77ea6d3821e8a33
  • 87b92fcd04f69f9c132c9f350dbb3686888a5e388b1f787f6a658f09582c0da6
  • 99e733391ac499e78e535a98551c4d27408abfad4e56fe4c46956636655df29c
  • b67bc78347918209973d633287c4e1f514a0917b8678c2cf2066ba80b2004f78
  • c6e0a5e947e9f23cd0af6fa8bd44411a12212ab1de5007036926089800ac8692
  • cb014704f53d5da64964c2b0bfc7e13bbdf389555294c6f6c98c2527f6406d6d
  • d55f6b273254d2be71991cdbdb288cc94a7bc715c4be7ad97c0e1625bc0f2696
  • d6fd4a75e32f78817f84de3dcb9e3fd767f602b7da1edecd06391ff62a481571
  • e56c525248b1f9201cddcf1802377a7157029e8935696d1a9d9169e1d0501fa4
  • e6a2575c893868e3d8ea5982699c9c2b75a07b8ec092b0cb26d7b5c3c2640f33
  • ec875c5901e28a04b199f577b16a8ba6ac8c9ab7e90bc51a5809f668882ba54f
  • b4a57b62569ee1ccb1c2dae148488dc9e37d738f0fed4f0a6e144caeb910f546
  • f9c25b4755ab54ff3f8d827b6422d43ed14dbd03fd4faa266348eee177f7957f
  • fa258b12d3f4ca1503379a4f6a800bdb1d589ef15ab8bfc20d452f70c8a0745c
  • fcc4c20c07fdf816b7cc6dfba34d42af827ecf01e9972f266ac395e54db028af
  • a19cabf8ce0a8012dedbf65855981db1efa3b9773365554401a74bfb7a45490f
  • 7f801c77fb61cc8d5c03e9fa3068163b595f5bf8c176628398bbbea5aa0a1b74
  • 63de4552312345e055236c82ecdc55c2bc8b3c37f363cb081f8f788b5203d759
  • 2478cd52847146b34cae6b768c794210838a3002a622ce61c2f90d075f6e0e65
  • c5646cc9fe486f0644067fc294f83eb6a39ce6f28eea3708c9bf49e244acc0f9
  • fc99e6083b1dcbe72fb818dbd53903f30c312731f2cfc8607f9d2bf2586be1ee
Tags:

1 thought on “DotRunpeX – Malware Injector Spreads in Wild

  1. Pingback: DotRunpeX – Malware Injector Spreads in Wild - YodaSec Expose

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

DanaBot Trojan Deploying Cactus Ransomware

December 4, 2023

LogoFAIL Firmware Attack

December 3, 2023

Proliance Surgeons Discloses a Data Breach

December 3, 2023

23andMe Breach affected 14K Customers

December 3, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – November, 2023

December 2, 2023

Staples affected by a Cyber Attack

December 2, 2023
%d