FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

 

An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware.

"The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a technical write-up.

The shift to Google malvertising is the latest example of how crimeware actors are devising alternate delivery routes to distribute malware ever since Microsoft announced plans to block the execution of macros in Office by default from files downloaded from the internet.

Malvertising entails placing rogue search engine advertisements in hopes of tricking users searching for popular software like Blender into downloading the trojanized software.

The MalVirt loaders, which are implemented in .NET, use the legitimate KoiVM virtualizing protector for .NET applications in an attempt to conceal its behavior and are tasked with distributing the FormBook malware family.

Besides incorporating anti-analysis and anti-detection techniques to evade execution within a virtual machine or an application sandbox environment, the loaders have been found to employ a modified version of KoiVM that packs in additional obfuscation layers in order to make deciphering even more challenging.

The loaders also deploy and load a signed Microsoft Process Explorer driver with the goal of carrying out actions with elevated permissions. The privileges, for instance, can be weaponized to terminate processes associated with security software to avoid getting flagged.

Both FormBook and its successor, XLoader, implement a wide range of functionalities, such as keylogging, screenshot theft, harvesting of web and other credentials, and staging of additional malware.

The malware strains are also notable for camouflaging their command-and-control (C2) traffic among smokescreen HTTP requests with encoded content to multiple decoy domains, as previously revealed by Zscaler and Check Point last year.

"As a response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods – most recently, malvertising," the researchers said.

"The MalVirt loaders [...] demonstrate just how much effort threat actors are investing in evading detection and thwarting analysis."

It's pertinent that the method is already witnessing a spike due to its use by other criminal actors to push IcedID, Raccoon, Rhadamanthys, and Vidar stealers over the past few months.

"It is likely that a threat actor has started to sell malvertising as a service on the dark web, and there is a great deal of demand," Abuse.ch said in a report, pointing out a possible reason for the "escalation."

The findings arrive two months after India-based K7 Security Labs detailed a phishing campaign that leverages a .NET loader to drop Remcos RAT and Agent Tesla by means of a virtualized KoiVM virtualized binary.

It's not all malicious ads, however, as adversaries are also experimenting with other file types like Excel add-ins (XLLs) and OneNote email attachments to sneak past security perimeters. Newly joining this list is the use of Visual Studio Tools for Office (VSTO) add-ins as an attack vehicle.

"VSTO add-ins can be packaged alongside Office documents (Local VSTO), or, alternatively, fetched from a remote location when a VSTO-Bearing Office document is opened (Remote VSTO)," Deep Instinct disclosed last week. "This, however, may require bypass of trust-related security mechanisms."

Related Blogs

malwareEd Fung