SentinelLabs has identified a cluster of virtualized .NET malware loaders it calls “MalVirt”. The loaders are distributed through malvertising and have been observed delivering the Formbook family of information stealers.
What are MalVirt Loaders?
MalVirt loaders terminate processes through the legitimate Sysinternals Process Explorer kernel driver and rely on obfuscated code virtualization for anti-analysis and evasion. The virtualization is built on KoiVM, a virtualizing plugin for the ConfuserEx .NET protector that replaces a program's opcodes with ones only its own virtual machine understands.
According to SentinelLabs, “virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands. A virtual machine engine executes the virtualized code by translating it into the original code at runtime.”
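To make that mechanism concrete, the toy virtualizing protector below was written for this article; it is not KoiVM, ConfuserEx or SentinelLabs code. A small stack program in a CIL-like form is translated into bytecode whose opcode numbering is randomized per build, and a minimal VM engine executes it. The mnemonics, the seed values and the sample program are all constructed for illustration.

```python
import random
import struct

# Constructed sample program in a CIL-like stack language: computes (7 + 5) * 3.
# "ldc" pushes an int32, "add"/"mul" pop two values and push the result,
# "ret" returns the top of the stack.
PROGRAM = [("ldc", 7), ("ldc", 5), ("add",), ("ldc", 3), ("mul",), ("ret",)]

MNEMONICS = ("ldc", "add", "mul", "ret")


def make_opcode_table(seed):
    """Assign each mnemonic a random byte value.

    A real virtualizing protector does this per build, so the same source
    program yields different bytecode in every protected sample and a
    signature written for one sample's opcodes does not match the next.
    """
    rng = random.Random(seed)
    codes = rng.sample(range(1, 256), len(MNEMONICS))
    return dict(zip(MNEMONICS, codes))


def virtualize(program, table):
    """Replace the CIL-like instructions with VM bytecode (opcode byte, plus a LE int32 operand for ldc)."""
    out = bytearray()
    for ins in program:
        out.append(table[ins[0]])
        if ins[0] == "ldc":
            out += struct.pack("<i", ins[1])
    return bytes(out)


def run_vm(code, table):
    """The VM engine: the only readable logic left in a protected binary.

    Handlers are looked up by opcode; the bytecode itself is opaque to a
    decompiler that does not know the table.
    """
    def ldc(vm):
        vm["stack"].append(struct.unpack_from("<i", code, vm["pc"])[0])
        vm["pc"] += 4

    def add(vm):
        b, a = vm["stack"].pop(), vm["stack"].pop()
        vm["stack"].append(a + b)

    def mul(vm):
        b, a = vm["stack"].pop(), vm["stack"].pop()
        vm["stack"].append(a * b)

    def ret(vm):
        vm["result"] = vm["stack"].pop()
        vm["done"] = True

    handlers = {table["ldc"]: ldc, table["add"]: add, table["mul"]: mul, table["ret"]: ret}
    vm = {"stack": [], "pc": 0, "result": None, "done": False}
    while not vm["done"]:
        if vm["pc"] >= len(code):
            raise ValueError("bytecode ended without ret")
        op = code[vm["pc"]]
        vm["pc"] += 1
        try:
            handler = handlers[op]
        except KeyError:
            raise ValueError(f"unknown opcode {op:#04x} at offset {vm['pc'] - 1}") from None
        handler(vm)
    return vm["result"]


def devirtualize(code, table):
    """Map the bytecode back to the original listing.

    This is what an analyst (or a devirtualizer) has to do, and it is only
    possible once the per-build opcode table has been recovered from the
    VM engine's handler dispatch.
    """
    inverse = {v: k for k, v in table.items()}
    out, pc = [], 0
    while pc < len(code):
        name = inverse[code[pc]]
        pc += 1
        if name == "ldc":
            out.append((name, struct.unpack_from("<i", code, pc)[0]))
            pc += 4
        else:
            out.append((name,))
    return out


if __name__ == "__main__":
    for seed in (1, 2):
        table = make_opcode_table(seed)
        code = virtualize(PROGRAM, table)
        print(f"build {seed}: bytecode={code.hex()} result={run_vm(code, table)}")
        assert devirtualize(code, table) == PROGRAM
```

Two builds of the same program produce different bytecode and identical results, which is why byte signatures on the virtualized body are brittle and why analysis has to start from the engine's handlers rather than from the bytes. A real protector goes much further than this toy (it virtualizes control flow and locals, and ConfuserEx obfuscates the engine's own handlers), but the analyst's problem is the same: recover the mapping from opcode to handler semantics before anything can be devirtualized.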
What is the Formbook Family of Malware?
The Formbook family, which includes Formbook and its more recent variant XLoader, is a capable information stealer: it logs keystrokes, captures screenshots, steals credentials from web browsers and other applications, and can stage additional malware on the infected host.
The Ongoing Campaign
Threat actors have promoted the MalVirt loaders through advertisements posing as downloads of the Blender 3D software. The loaders carry digital signatures and countersignatures that purport to come from organizations such as Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA, so at first glance they appear to be legitimately signed. The signatures do not hold up, however: they were produced with invalid certificates or with certificates that do not chain to a root trusted by the system, so signature verification fails.
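The practical distinction here is between a file that carries a signature blob and a file whose signature actually validates. The parser below is an added example for this article, not SentinelLabs tooling: it reads the PE security data directory with the Python standard library only and returns the embedded Authenticode blob, so a triage script can tell “claims to be signed” apart from “unsigned” before handing the blob to a real verifier. The PE image it is exercised on is a constructed minimal PE32+ header with a placeholder DER payload, not a MalVirt sample.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode: a PKCS#7 SignedData blob
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the certificate table


def authenticode_blob(data):
    """Return the embedded WIN_CERTIFICATE entry of a PE file, or None if unsigned.

    The security directory is special: its VirtualAddress field is a raw file
    offset, not an RVA, which is why the blob lives outside any section and is
    not mapped into memory.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (bad PE signature)")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ offset of the data directories
    if dd_base is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + dd_base - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, opt + dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None                                # no certificate table: the file is unsigned
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table points outside the file")
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {
        "offset": off,
        "length": length,
        "revision": revision,
        "type": cert_type,
        "is_pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "pkcs7": bytes(data[off + 8: off + length]),   # DER SignedData, for offline inspection
    }


def build_minimal_pe(pkcs7=None):
    """Constructed PE32+ header with no sections, optionally carrying a certificate table.

    Test fixture only: it is not a loadable executable.
    """
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)     # x64, SizeOfOptionalHeader = 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    cert_table = b""
    if pkcs7 is not None:
        cert_table = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(cert_table))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    placeholder_der = b"\x30\x06\x02\x01\x01\x05\x00"   # constructed bytes, not a real signature
    info = authenticode_blob(build_minimal_pe(placeholder_der))
    print("signed build:", info["is_pkcs7"], info["length"], "bytes at offset", info["offset"])
    print("unsigned build:", authenticode_blob(build_minimal_pe()))
```

A present blob only means the file claims to be signed, which is exactly the state this campaign exploits. To decide whether the claim holds, write the `pkcs7` bytes to a file and list the signer and countersigner chain with `openssl pkcs7 -inform DER -print_certs -in blob.der`, or on Windows run `Get-AuthenticodeSignature` against the file and treat any Status other than Valid (for example NotTrusted) as the failed verification the article describes.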
The loaders also implement a range of anti-analysis and anti-detection techniques, including Base64-encoded and AES-encrypted strings that are only decoded at runtime. The modified KoiVM build used by MalVirt adds further obfuscation layers on top of the virtualization, intended to stop the virtualized code from being decompiled.
Threat to Cybersecurity
Given the anti-analysis and anti-detection techniques built into the MalVirt loaders, combined with the data-theft capabilities of the Formbook family they deliver, the campaign is a significant threat. Distributing the loaders through malvertising makes it more dangerous still, since paid advertising can place the lure in front of a large audience. SentinelLabs anticipates that malware will continue to be spread through this technique.