A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.
“DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families,” Check Point said in a report published last week.
Said to be in active development, dotRunpeX arrives as a second-stage malware in the infection chain, typically deployed via a downloader (aka loader) that is delivered through phishing emails as malicious attachments.
Alternatively, it has been known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers.
The latest DotRunpeX artifacts, first spotted in October 2022, add an extra obfuscation layer by using the KoiVM virtualizing protector.
It's worth pointing out that the findings dovetail with a malvertising campaign documented by SentinelOne last month in which the loader and the injector components were collectively referred to as MalVirt.
Check Point's analysis has further revealed that “each dotRunpeX sample has an embedded payload of a certain malware family to be injected,” with the injector specifying a list of anti-malware processes to be terminated.
This, in turn, is made possible by abusing a vulnerable Process Explorer driver (procexp.sys) that is bundled into dotRunpeX so as to gain kernel mode execution, the bring-your-own-vulnerable-driver (BYOVD) pattern in which a legitimately signed but exploitable driver is loaded and then used to kill protected security processes from the kernel.
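The sequence just described (a Process Explorer driver appears on a host, and security-product processes die shortly afterwards) is something a detection engineer can hunt for. The following is an example added here to illustrate that check; it is not code from the Check Point report or from dotRunpeX. It runs over constructed, simplified Sysmon-style records (event ID 6 = DriverLoad, 5 = ProcessTerminate), and the watchlist of security process names, the five-minute correlation window and the record format are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified Sysmon-like shape:
# timestamp|event_id|host|key=value   (6 = DriverLoad, 5 = ProcessTerminate)
# Host WS01 shows the suspicious sequence; WS02 and WS03 are benign noise.
SAMPLE_LOG = """\
2022-10-14T09:00:01|6|WS01|ImageLoaded=C:\\Users\\Public\\procexp.sys
2022-10-14T09:00:03|5|WS01|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe
2022-10-14T09:00:04|5|WS01|Image=C:\\Program Files\\ExampleAV\\avservice.exe
2022-10-14T09:00:05|5|WS01|Image=C:\\Windows\\System32\\notepad.exe
2022-10-14T11:30:00|6|WS02|ImageLoaded=C:\\Tools\\SysinternalsSuite\\PROCEXP152.SYS
2022-10-14T13:45:00|5|WS02|Image=C:\\Program Files\\Windows Defender\\MsMpEng.exe
2022-10-14T14:00:00|5|WS03|Image=C:\\Program Files\\ExampleAV\\avservice.exe
"""

# Assumed watchlist of security-product process names (lower-case).
# MsMpEng.exe is Microsoft Defender's engine; avservice.exe is a made-up placeholder.
SECURITY_PROCESSES = {"msmpeng.exe", "avservice.exe"}

# Process Explorer's driver ships as procexp.sys or a versioned procexpNNN.sys.
PROCEXP_DRIVER = re.compile(r"(^|\\)procexp[0-9]*\.sys$", re.IGNORECASE)

DRIVER_LOAD, PROCESS_TERMINATE = 6, 5


def parse_log(text):
    """Parse the constructed log lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, eid, host, detail = parts
        key, _, value = detail.partition("=")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "eid": int(eid),
            "host": host,
            key: value,
        })
    return events


def find_byovd_kills(events, window=timedelta(minutes=5)):
    """Per host, correlate a procexp driver load with terminations of watchlisted
    security processes that follow it within `window`. Returns a list of alerts."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["eid"] != DRIVER_LOAD or not PROCEXP_DRIVER.search(ev.get("ImageLoaded", "")):
                continue
            killed = []
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # events are sorted, so nothing further is in the window
                if later["eid"] == PROCESS_TERMINATE:
                    name = later.get("Image", "").rsplit("\\", 1)[-1].lower()
                    if name in SECURITY_PROCESSES:
                        killed.append(name)
            if killed:
                alerts.append({"host": host, "driver": ev["ImageLoaded"],
                               "at": ev["ts"].isoformat(), "terminated": killed})
    return alerts


if __name__ == "__main__":
    for a in find_byovd_kills(parse_log(SAMPLE_LOG)):
        print(f"[!] {a['host']}: {a['driver']} loaded at {a['at']}, then terminated {a['terminated']}")
```

The driver match is deliberately on the file name rather than the path, because the real driver is legitimately signed and may be dropped anywhere; what makes WS01 suspicious is the load followed within seconds by the death of two security processes, while WS02 (a legitimate Sysinternals install followed by an unrelated termination hours later) produces no alert.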
There are signs that dotRunpeX could be affiliated with Russian-speaking actors based on the language references in the code. The most commonly delivered malware families sent by the emerging threat include RedLine, Raccoon, Vidar, Agent Tesla, and FormBook.
Some parts of this article are sourced from:
thehackernews.com