A brand new piece of malware dubbed dotRunpeX is getting used to distribute quite a few identified malware households reminiscent of Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.
“DotRunpeX is a brand new injector written in .NET utilizing the Course of Hollowing approach and used to contaminate methods with quite a lot of identified malware households,” Verify Level stated in a report printed final week.
Mentioned to be in energetic growth, dotRunpeX arrives as a second-stage malware within the an infection chain, typically deployed through a downloader (aka loader) that is transmitted by phishing emails as malicious attachments.
Alternatively, it is identified to leverage malicious Google Advertisements on search consequence pages to direct unsuspecting customers trying to find standard software program reminiscent of AnyDesk and LastPass to copycat websites internet hosting trojanized installers.
The most recent DotRunpeX artifacts, first noticed in October 2022, add an additional obfuscation layer through the use of the KoiVM virtualizing protector.
It is price stating that the findings dovetail with a malvertising marketing campaign documented by SentinelOne final month by which the loader and the injector parts have been collectively known as MalVirt.
Verify Level’s evaluation has additional revealed that “every dotRunpeX pattern has an embedded payload of a sure malware household to be injected,” with the injector specifying an inventory of anti-malware processes to be terminated.
Uncover the Hidden Risks of Third-Social gathering SaaS Apps
Are you conscious of the dangers related to third-party app entry to your organization’s SaaS apps? Be part of our webinar to be taught in regards to the forms of permissions being granted and tips on how to reduce danger.
This, in flip, is made doable by abusing a susceptible course of explorer driver (procexp.sys) that is integrated into dotRunpeX in order to acquire kernel mode execution.
There are indicators that dotRunpeX could possibly be affiliated to Russian-speaking actors based mostly on the language references within the code. Probably the most regularly delivered malware households delivered by the rising risk embody RedLine, Raccoon, Vidar, Agent Tesla, and FormBook.