Threat actors have been observed using malvertising attacks to distribute virtualized .NET malware loaders dubbed “MalVirt.”
According to a Thursday advisory by SentinelOne, the new loaders leverage obfuscated virtualization techniques to avoid detection.
“The loaders are implemented in .NET and use virtualization, based on the KoiVM virtualizing protector of .NET applications, in order to obfuscate their implementation and execution,” reads the technical write-up.
“Although popular for hacking tools and cracks, the use of KoiVM virtualization is not often seen as an obfuscation method utilized by cybercrime threat actors.”
In the technical write-up, the company’s senior threat researcher Aleksandar Milenkoski also explained that MalVirt loaders are distributing malware from the Formbook family.
“Among the payloads that MalVirt loaders distribute, we spotted infostealer malware of the Formbook family as part of an ongoing campaign at the time of writing,” reads the SentinelOne advisory.
From a technical standpoint, Formbook (and its updated version called XLoader) is an infostealer malware with several features, including keylogging, screenshot theft, theft of web and other credentials, and deployment of additional malware tools.
“For example, one of the hallmarks of XLoader is its intricate disguising of C2 traffic,” wrote Milenkoski.
Case in point: to hide its real C2 traffic and evade network detection, the malware was observed sending beacons to randomly chosen decoy C2 servers hosted at different legitimate providers, such as Azure, Tucows, Choopa and Namecheap.
The SentinelOne security researcher also said that while Formbook and XLoader have been distributed via phishing emails and “malspam” via Macro-enabled Office documents