DotRunpeX – Malware Injector Spreads in Wild

May 31, 2023

Researchers have released a report about a new malware called dotRunpeX, which is being developed to distribute various known malware families such as BitRAT, Agent Tesla, and LokiBot.

DotRunpeX is a new injector written in .NET that uses the Process Hollowing technique to infect systems with a variety of known malware families. It has become a preferred tool for cybercriminals due to its ease of use and its ability to bypass security measures. It is a second-stage malware in the infection chain, typically delivered through phishing emails or malicious Google Ads.

The most recent version of dotRunpeX, first detected in October 2022, has added an extra layer of obfuscation to evade detection. The malware now employs the KoiVM virtualizing protector, which makes it even more challenging to identify the threat.


In addition to phishing emails, dotRunpeX is known to use malicious Google Ads on search result pages to lure unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers. This technique, called “search engine result page (SERP) poisoning,” aims to manipulate search engine rankings to deliver malicious links to users.

The dotRunpeX malware uses a vulnerable Process Explorer driver (procexp.sys) to obtain kernel-mode execution, allowing it to inject various malware families into systems undetected.
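Because the injector brings its own vulnerable driver, the defensive question is which hosts loaded a Process Explorer driver, from where, and whether Process Explorer was actually in use there. The following triage script is an added example, not code from the article or from Check Point Research. The records are constructed to resemble the fields of a Sysmon "Driver loaded" event; the numbered `procexp*.sys` file-name pattern, the list of user-writable directories and the `process_explorer_running` inventory flag are assumptions made for the example, not rules taken from the report.

```python
"""Triage driver-load records for abuse of a vulnerable Process Explorer driver.

Added example (not from the article or Check Point Research). Input records
are constructed to resemble Sysmon Event ID 6 (Driver loaded) fields.
"""
import re
from dataclasses import dataclass

# "procexp.sys" is the name given in the article; the optional digits are an
# assumption so that versioned copies of the same driver are also matched.
PROCEXP_DRIVER_RE = re.compile(r"(^|[\\/])procexp\d*\.sys$", re.IGNORECASE)

# Assumption: a driver dropped into a user-writable directory is a stronger
# signal than one under the system drivers directory.
USER_WRITABLE_RE = re.compile(
    r"[\\/](temp|tmp|appdata|programdata|downloads|public)[\\/]", re.IGNORECASE
)


@dataclass
class DriverLoad:
    host: str
    image_loaded: str               # ImageLoaded: full path of the driver file
    signed: bool                    # Signed: whether the file carries a valid signature
    process_explorer_running: bool  # from host inventory (assumed data source)


def triage(event):
    """Return (severity, reason) for one record; severity is 'none', 'review' or 'high'."""
    if not PROCEXP_DRIVER_RE.search(event.image_loaded):
        return "none", "not a Process Explorer driver"
    reasons = []
    if USER_WRITABLE_RE.search(event.image_loaded):
        reasons.append("loaded from user-writable path")
    if not event.process_explorer_running:
        reasons.append("Process Explorer not running on host")
    if not event.signed:
        reasons.append("driver file unsigned")
    if reasons:
        return "high", "; ".join(reasons)
    # A signed driver in a system path while the tool is running is normal admin
    # use, but it still deserves a look because the driver itself is vulnerable.
    return "review", "Process Explorer driver loaded; confirm legitimate admin use"


def triage_all(events):
    """Return (event, severity, reason) for every flagged record, highest severity first."""
    order = {"high": 0, "review": 1}
    flagged = [(ev, *triage(ev)) for ev in events]
    flagged = [f for f in flagged if f[1] != "none"]
    return sorted(flagged, key=lambda f: order[f[1]])


# Constructed sample events: one benign driver, one dropped copy, one admin use.
SAMPLE_EVENTS = [
    DriverLoad("ws01", r"C:\Windows\System32\drivers\tcpip.sys", True, False),
    DriverLoad("ws02", r"C:\Users\alice\AppData\Local\Temp\procexp.sys", True, False),
    DriverLoad("admin03", r"C:\Windows\System32\drivers\PROCEXP152.SYS", True, True),
]

if __name__ == "__main__":
    for event, severity, reason in triage_all(SAMPLE_EVENTS):
        print(f"{severity:6}  {event.host:8}  {event.image_loaded}  ({reason})")
```

Hosts where the driver loads from a temp directory while no Process Explorer window exists rank highest; a signed driver under the system path on an administrator's workstation is only queued for review. In production the inventory flag would come from endpoint telemetry, and a blocklist of known-vulnerable drivers at the OS level removes the need for this after-the-fact triage.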

The analysis revealed two concerning things:

  • Each dotRunpeX sample comes embedded with a specific payload of malware to be injected into the victim’s system.
  • The injector also specifies a list of anti-malware processes to be terminated to avoid detection.

dotRunpeX is suspected to be affiliated with Russian-speaking actors. The malware campaign was documented after a malvertising campaign previously revealed by SentinelOne, which involved loader and injector components collectively called “MalVirt.”

The dotRunpeX malware campaign has been delivering a range of malware families, including RedLine, Raccoon, Vidar, Agent Tesla, and FormBook. The use of these malware families suggests that the actors behind the campaign are focused on information theft, as these families are known for stealing sensitive information such as login credentials, banking information, and personal data.

This research was documented by Check Point Research.


Indicators of Compromise - SHA-256 hashes

  • 1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc
  • 68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326
  • 317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc
  • 65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b
  • 81763d8e3b42d07d76b0a74eda4e759981971635d62072c8da91251fc849b91e
  • 0e11704fcc3c36832ba98b80ea44a3013660d1ed3fb48158b982fed9f9050391
  • 0f9e27ec1ed021fd7375ca46f233c06b354d12d57aed44132208cd9308bfee11
  • 881a337aa85a4b01c08706ab941573c5dc9b76ea0e4e1c2693a9b4aa4453ec8c
  • feae44d8927dd41feaed997b3dbf7b41933496d6285b79554b83e72ae8a045c4
  • 1c1fcc4133af77f07d0c0299d0320aa9f447748ebead74b429f73c44d950e38b
  • 35c11f7315d2e5d04d783de4314d8cde2def382f1e3fc49ccc555337c54d63cc
  • 4068637c121888476533a3bbb16bec6bc3b4f81f7b9de635ef3576d56dc54c75
  • 40df5a6e6dcadbe576ce4a8b01cfb82bf3f56a87bae674200e60814eab666c6d
  • 8a0d6e40e545d40956194230f03608859f2a47420a9b11b199142641bc6419ee
  • 7c3803c09a0370aa6484d8ad2f5690b96212d98e45fc8f9cb6022f87dff637fc
  • 93e2ea6f021951369028b73637d9558c8baf3c99d9de1a2a60c1461cb9d571bf
  • d95298befdde567b31571d16f327840fa0f0dd9c54bf876531820910418a52b6
  • 149af913afd7eb2773386d14e88a46449cbc9096e0748cfbaa2e061b59525bf0
  • a73f134ab62a5c23a8c8bafabbfbd5e0408c826ba5418488639724708ec5ef28
  • aca4d6278f31f374262e0388d16ee6fdcdbbad8257374f1feaabf75b0ec23157
  • 50451fda27fd8569c7b32bfe82197b82a8637cac928164e1b091a389060e957e
  • 9ed8eeb1db8909c96a958d91213093d2488dc172a8d22ba62657b9bfeb044fec
  • 6c08c0654726c2f793b5191d5e7c74fdf3a2461118a45aa8527a0a30e3f256fd
  • 283cd48dc1368b6852c2f3168bf7a78ad593df010d9a67ed1c938508da5de783
  • b019a0535ca7466d7884825542ac6910fe037913118e1136dcac7e9ef3dc0dc9
  • b1c9b356c50230629c4697b0527fd7a0fa8d6f0e8342a1eb5b5a4f90d8f0eb86
  • 5bbd9513f0872d23ca43dd553a63a12882be274fef983fab427721257d60eaec
  • 9d9940b60809e3c10cd4540f8e589626a293244a999bea16c259f9712969a742
  • cd4c821e329ec1f7bfe7ecd39a6020867348b722e8c84a05c7eb32f8d5a2f4db
  • cddf8b8da972cb2e560c70d01366f582445441864fcff884b8194eb6c21a768c
  • 6c367333c677c2268df9deaff6ad4e711e73e53504aa1aa845bebfbfe635f1d2
  • 5e3588e8ddebd61c2bd6dab4b87f601bd6a4857b33eb281cb5059c29cfe62b80
  • 244f2d4f3c34d00babef5f1765e91c0abda9dbd1d131fc93ecb48c91ecc801a8
  • 95793df9284fe35c0491e5cfa36bc8f49fd426ccdf35f5fe2f098e07d160a4dc
  • 55ee7efcb3d1d2e0eac0ecadd651d6a299de82d94347ef9862bc981ae619532b
  • 13081992c0ef5c52c2b6224f3ff1ab38160bca9424e7c0470e0c175c920bdc9d
  • 0daef2c2bf086312037ebc91beec0302a7e4d1750f260d02bf815bd13c611559
  • 331ad58c524100da7e459e5c3943e970414617f60b3ed0f1a74f3bf189aafea7
  • 44a11146173db0663a23787bffbb120f3955bc33e60e73ecc798953e9b34b2f2
  • 03fcbab82603df2858f7d6fefdb6ae3cc8e17393af6d44f24634d28fccf3f181
  • 373a86e36f7e808a1db263b4b49d2428df4a13686da7d77edba7a6dd63790232
  • 50ec8a9e59e1bcb0a41477e20f5bb809a80329d56e20cf99e93d756b9e0ceefc
  • 41ea8f9a9f2a7aeb086dedf8e5855b0409f31e7793cbba615ca0498e47a72636
  • 76e129552a30fa5c914d9f946f40b2ec2bbbbeb4e5e2f324e70455725030e157
  • 8fa81f6341b342afa40b7dc76dd6e0a1874583d12ea04acf839251cb5ca61591
  • ae4f3b6c43d5ea8ee68d862362d4e8d7b317889eb9abead948a9b791ad9d7071
  • b4c876d1797efbef614b44e52482c835c32e8ee020975a30fa2d25ed9cf8aa2b
  • d5eda02ff2f05d1e0d06a69018de463ab36497048a1ef2b69af93aa76ccfc07d
  • fa3a9fc2adf9d1ca812e0951e21bf72ba3ec9ceb1c0cf0bfc0171b6d4adadf83
  • 1f2ffabb3b89e6083ca5de70f5d718295c7a633c2d957da7c4469de059efde2c
  • bd133efea4b865f42eb05e0c92e3ab3b58ac087c0682ea9112b96596a7111ff6
  • e6da2d860bd2d0e8b56737b4c8c47cdeea78a404cd0d6fa5a26cbb5ac7682d1d
  • d87a200a26d07a64272e93fb3ae8f8d9e4d34bdfedb0cf7c685a6c97912e967f
  • 7120cf1ad3fdcae7ba6956749a8988e8181837a05948b432cec6ae11229b1d12
  • 304847c69875ec59995fbb453f8d1106f80c5eb380ae6b8676e76f5372290194
  • 25fbe0ff3274b4bc981fa6ec0459e9b95cec6397194e10ea6287bf4b899a9b07
  • 1bc7fc0a4796f7780223b4f0bf8d6816b3721f0b52eedc0df9a32dc4ea4829e8
  • 75236a06aadafc69cc5aa8032468869fb868a9a100b687f19c66be03410c2487
  • ee0d55b9a2d03c5bea9f69f98b042ab7b3064366f335a8a53096387876bf48d7
  • 8de23e90bac05911cbfb6b036c6808ce7c244e4e875cb7edcdb90f75e89e5476
  • 10bbfa36ddd8ea6038e2071320ee84f7a9208a5be3a4dda448e83393cdf39a4d
  • ff72f619907a25f3d99f0c3aa84710c6ff6cb4c3fd8ebad14f85f96c6da49222
  • 242e1c82269725c01108e52376be8ddad39ab29da49356d10e527af6d78058f5
  • ae4d2054a6e1f9ba2c269eace61aac7259adb0645d18da82779717d83174837d
  • bf7b127b1bb81b68439851386cd3d1600bb8b9ec56135e668a88062d913410dd
  • b8bb071899ae7bd16a328c0998b3cd40261d61e564ac77f9bf3e495fab0ad267
  • 17af8118607b9fc1f7b6aa82fd72f4fc115320d293e103dfe356706bb7c581b7
  • 366284c1a0577937c86744349ac47e6e578da500ada3deb857ff233d9851ee6b
  • 3e50f0eaf02d12653d5f757372240adcb5c16a5ab647a667637ba4c50d37aaad
  • 47849f610a30d72660b1725a0b18d78c5204257b3740641727bdcbfd1ebd466a
  • 507f413ac42df115988df498a90fc1ae610cafb66cb30a3a7de53e71ec90e7cd
  • 57f261cc442dd9a4f1cd4ffd281c9855f4f9a736abffaf539d9df2a6ea0dd409
  • 76eed1849d0a0474f9e0a58afcda2cc1ea7af316535b4b4b27ff810a162d4f8f
  • 855b2e04c323a269d3731c093f0bc80ab3497a69ab8d2967847451a87f04fb0a
  • 87134629723b2c6f4d0a74c35fdce89653471d9880b23f4faea6664ae151db0e
  • 8bcc23ec881d61839fc57e8ec7425ac5ed625425fbf265fcb53ad73a73825b18
  • 9177ba0c649f08fa6367d04091a7672fedb82215b26e08346645544f0631ebfd
  • 9246ed27032429f234888b2713529001344850c608cab9f5ab7274195d330bec
  • a487e959e59bc9500c43ac270eaf345eaf28173b07ed7dd82b2495aa19cdab88
  • ada1679a193c9b17b206b3d9ff2a19d64c6c8c5f882a321381c9d5347a8b4b3e
  • c1be6f792bd51d23d848e54cd217bdf9edcbb2b89df741190929f6fa327a10cb
  • db8ed3e6dd7e6818046e7ee1e9c6c91f98aa5ce3113b14fb1c85a50a45569b18
  • ddae8737d7cc35a87274a26b886e6b48ae947aa849c3d7ecb84de6f6d553aa96
  • efa9a303af112ffb6737846755e3a995510fd65b6ced9032dc68cd7bbe4c307d
  • 20b5c7f210320cf23a63ac7f76086a6e257dd0c248d77deff444cb3dcf624799
  • f0ee1ddb789207c2000f728f6adabbe344ded7cba0804926a7cfc53bdbbc54eb
  • f440309e372551fb6ee00ecca71a70a1b8b7e077fe61b0687411147b582ab415
  • 21a570237cdacdb8c69679e59c4dba6aa05f123f9db7470ec34e2f4024c3646b
  • 4e8bf8c770727a3b0f551adcff2716c941234708e679c868ce42532714a29d27
  • 3c0c55b4ce2d90448949980fbca1fa447832f67fb864472551513b6e4eff5304
  • 61b5b6a513be380d50282c1c8391a5362d746bd70506343d04bda3751c3b25de
  • a4d455f65bb4d2dde03a0686433b6d515c71b5655fa78b86a4f9bdae503c1295
  • c9d36fcce70893aa16a846b48009bbd8b46fc11c6821b750083a9c89669038cc
  • 04a1021d0880a4f13ed8693dfe65889a5f827fe5ee9369abbc00b58efc40e69b
  • 13eb08dda92356f21888d95a6611a46728dfcefcdf769e7edad1a70e958e5367
  • 20330ec79f6c6edce8c3d87e3340aebc60f528d3751339e57437b178b9cb914d
  • 22962d59a066795696464868700fa7d3f735bfdb494a7a879fb54668a0ca3d46
  • 2b1be3ea73921adde804b85e93817869556fa9919bf7a528639a796e27351755
  • 301be47a8fefa749d904425b43ae459249e2b44ff62051f3a5529d6222259f42
  • 410b032a8635fba6cc30f0c2049a53f93b98128388a4a7ce2c3a0bfb33591f9f
  • 43d49812cc723b3c24ca7048faa859800c7e303e074243e4348f65d34127367b
  • 47c765ad0baae96498e05e3f0984002cbce6b3f1bacd1cf238681a677c2f8036
  • 482765b55aecbf24eb102f531afb6c8905ab7a058a447d217be70984f15b4573
  • 50b7e742eea52e18cf908cd676b87c0f145ecc3ff9692b01c90c47750fe989a7
  • 70a6d43a56d267aa4fdac5a96722a2ff05e2ac1cc9ba996d173f0b3252e09898
  • 7263336f1ec49f936501c508a9edf072a81002e64e52a1ed0cafb1378bb07a2a
  • 770e7d287fe352f12757ebfbb4502b10f61001630d70ddf414157b12e1f5e9a3
  • 87f5b4385a2a87229b6c448a3b4b19a7e75fe6bc607dffc0e1f860e9e4499eca
  • adc5669dd1153111f4cc07714599145a775d8c260c1acae9c142280147d1793a
  • b80b3dae21d54eb9ccde40b9ba728ba3d45a73e0fc91adae3d7c375208631527
  • e35547cfb6ae3fe18df6d887334952e7a38cc51a230f02c7f62a5fef083de7cf
  • f570b6c46a5bb5a8757b1125c7d4b5d4aca2c7e9354ed1d34b78fd4f08280e30
  • f6aba045ca29ba39bbdcb2f8bde63efc971d138f88bf03aea2d13ddec88a0483
  • fefb4288cb41fcca85cd50653093d7b27c9c51769b03f72adf951c5a1f111ddf
  • f79273a1efb664d81f68e808b9ec963bfeb79d63bd277108863d6ae3c4801a9e
  • 24c870202b3aedfcd28a8afb93b5212b791c265abd872ef94e44401d1ca309ad
  • 417c3f327c2d8b54ec72a5a89280fecb589a3e0b89c281bbc077d7de445cc76b
  • 948416d3aeae6f31df3341118a25a4231a7eed23b3db73a022e9da70734163c9
  • 71cc196ad2103a1facd81f2b8bd985273f682019b2a88841d2f34ecc373d1d69
  • 7bdb945f2dab863a299e26ab4c6dfb1e4f7321c38fe101224252d993495bc157
  • 0bb4d022d6007fcaf1d0707b646063b4b66cf5177da6a1fc6c5d0fc217501d6f
  • 0e918ad3e7ad983ecf6c3238991c13a230acc897193e0ad360d2eeaab42bf078
  • f413dbf6764bc73ab94428831e0ce3fc0369856aa50c4f9c0f5948eac85d2d08
  • 670a96324222e6bb02bd36c7e5b100fb5d52d2d59891bd9599b1a47438ac9578
  • 9049d536e6da46b63c562197ab92f511d5f5e2883eb8bf29f72217282ae25772
  • 116d81561faa8c8a9cf4fbc947e9eee11185f3960daead8179a968dea143bfd0
  • 9984a21c06fea77e96ba410cffb99de530201ef0c74f3e8b38b3afd4fdf0b333
  • bcc80eabe068cbbe38fa37b58e67fee54af75fa9e8a1fc30d93b7d30886d05da
  • 202570439b32480e6df232977d5435be9be94822c75f89b09f571e5b03f8c9ab
  • 96b5ea21a2556486cebbed76711a8bbae42de1e97e3311213833c6567a4fbbdc
  • 35c53663294e5476315853228b4ae642f552c6c6b1253412a7f981c7ddf3d0b7
  • 8c451b84d9579b625a7821ad7ddcb87bdd665a9e6619eaecf6ab93cd190cf504
  • 7d8c18056e86a3b8c32b524f9de009ced61caf463abe1bca285fa305d4b5616a
  • a2e9a2389faf04b67fbbd6fc71134860a145db7643d88ba312390493d5619302
  • 9f96e5bc9ffc9742cb10384566dc7fb232e0f0d633e643bd487b747b6e88f369
  • 71ecfddc7fe52a10bdf79c39cf9a1d911257ed0deee1bfef21386053bfe88110
  • 96e49a5ac188d49003b2fe77ad8a4c8866a94cc828dc6172d9a13a8c26e49b9b
  • 5474d15059ca4213ab1c13fba25ab8ba38559cac7ec2ab336d2411b90eab1217
  • eb2e2ac0f5f51d90fe90b63c3c385af155b2fee30bc3dc6309776b90c21320f5
  • 02355d3fee5e217b25f9210ad0f6bacc3807b6ef1a59aa4d428c01017dcbcf28
  • 05f9553616bb5fdbf37bd4036c210929e08d7181de898c1bea1bdae7afb0766f
  • 0c857501e3851072db666386136929c06bcf4c8d3160b41b7d82a3ce9afca1be
  • 3418a369486e9bf2b57023dc0b02cb00f12a5214fca8bae20ff93586cc8c678a
  • 363c46dfb252d7c40d9c3bb63bdc40c2eff0ce16c0c1b77f507d73058104c6e1
  • 4c17f7ee55f9bf6fa9acaeeb9574feab39ba4a3cccd4426dfa85aaf58b90ae73
  • 4d4f97f1621334e4075e0229265ac6c5da14754eff1378a7d77ea6d3821e8a33
  • 87b92fcd04f69f9c132c9f350dbb3686888a5e388b1f787f6a658f09582c0da6
  • 99e733391ac499e78e535a98551c4d27408abfad4e56fe4c46956636655df29c
  • b67bc78347918209973d633287c4e1f514a0917b8678c2cf2066ba80b2004f78
  • c6e0a5e947e9f23cd0af6fa8bd44411a12212ab1de5007036926089800ac8692
  • cb014704f53d5da64964c2b0bfc7e13bbdf389555294c6f6c98c2527f6406d6d
  • d55f6b273254d2be71991cdbdb288cc94a7bc715c4be7ad97c0e1625bc0f2696
  • d6fd4a75e32f78817f84de3dcb9e3fd767f602b7da1edecd06391ff62a481571
  • e56c525248b1f9201cddcf1802377a7157029e8935696d1a9d9169e1d0501fa4
  • e6a2575c893868e3d8ea5982699c9c2b75a07b8ec092b0cb26d7b5c3c2640f33
  • ec875c5901e28a04b199f577b16a8ba6ac8c9ab7e90bc51a5809f668882ba54f
  • b4a57b62569ee1ccb1c2dae148488dc9e37d738f0fed4f0a6e144caeb910f546
  • f9c25b4755ab54ff3f8d827b6422d43ed14dbd03fd4faa266348eee177f7957f
  • fa258b12d3f4ca1503379a4f6a800bdb1d589ef15ab8bfc20d452f70c8a0745c
  • fcc4c20c07fdf816b7cc6dfba34d42af827ecf01e9972f266ac395e54db028af
  • a19cabf8ce0a8012dedbf65855981db1efa3b9773365554401a74bfb7a45490f
  • 7f801c77fb61cc8d5c03e9fa3068163b595f5bf8c176628398bbbea5aa0a1b74
  • 63de4552312345e055236c82ecdc55c2bc8b3c37f363cb081f8f788b5203d759
  • 2478cd52847146b34cae6b768c794210838a3002a622ce61c2f90d075f6e0e65
  • c5646cc9fe486f0644067fc294f83eb6a39ce6f28eea3708c9bf49e244acc0f9
  • fc99e6083b1dcbe72fb818dbd53903f30c312731f2cfc8607f9d2bf2586be1ee
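The hash list above is most useful when it can be applied to files on disk. The scanner below is an added example, not code from the article or from Check Point Research: it extracts SHA-256 indicators from pasted report text (bullets and mixed case tolerated), hashes every file under a directory in chunks, and reports matches. Only three hashes from this page are embedded as a sample; the full list is loaded from a text file with `load_ioc_file()`. The sample text, the file names and the command-line usage are the example's own assumptions.

```python
"""Scan a directory tree for files whose SHA-256 appears in the dotRunpeX IOC list.

Added example (not from the article or Check Point Research).
Usage: python ioc_scan.py IOC_FILE DIRECTORY
"""
import hashlib
import re
import sys
from pathlib import Path

# Sample subset of the SHA-256 indicators published on this page, kept in the
# bulleted form a report uses so the parser is exercised on realistic input.
SAMPLE_IOCS_TEXT = """
  • 1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc
  • 68ae2ee5ed7e793c1a49cbf1b0dd7f5a3de9cb783b51b0953880994a79037326
  • 317e6817bba0f54e1547dd9acf24ee17a4cda1b97328cc69dc1ec16e11c258fc
"""

_SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def parse_ioc_lines(lines):
    """Extract SHA-256 hashes from IOC text, one indicator per line.

    Bullets, surrounding whitespace and upper-case hex are tolerated; lines
    without a 64-hex-digit token (headings, blank lines) are ignored.
    """
    iocs = set()
    for line in lines:
        match = _SHA256_RE.search(line)
        if match:
            iocs.add(match.group(0).lower())
    return iocs


def load_ioc_file(path):
    """Load indicators from a text file (the full list from this page, for instance)."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_ioc_lines(fh)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs):
    """Return a sorted list of (path, sha256) for files whose hash is an indicator.

    Files that cannot be read (permissions, transient temp files) are skipped
    instead of aborting the whole scan.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue
        if digest in iocs:
            hits.append((str(path), digest))
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: ioc_scan.py IOC_FILE DIRECTORY")
    indicators = load_ioc_file(sys.argv[1])
    for hit_path, hit_hash in scan_directory(sys.argv[2], indicators):
        print(f"MATCH {hit_hash}  {hit_path}")
```

A match on a file hash identifies a known sample but says nothing about the renamed or repacked variants that a hash-only check misses, so this belongs alongside process- and driver-level telemetry rather than replacing it.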
