New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads

The malware known as dotRunpeX is being used to distribute a range of already-identified malware families, including Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys and Vidar.

Last week, Check Point released a report describing dotRunpeX as a recently developed .NET injector that uses the Process Hollowing technique. The tool is used to infect systems with several already-known malware strains.

Reportedly still under development, dotRunpeX typically serves as the second stage of an infection chain. It is usually delivered by a downloader (also known as a loader), which is itself commonly distributed through phishing emails carrying malicious attachments.

Alternatively, attackers have also been reported to use malicious Google ads on search results pages to redirect unsuspecting users searching for popular applications such as AnyDesk and LastPass to fake websites hosting trojanized installers.

In October 2022, the most recent dotRunpeX samples were found to incorporate an additional layer of obfuscation through the use of the KoiVM virtualizing protector.

Notably, these findings are in line with a previous malvertising campaign known as MalVirt, reported by SentinelOne last month, which used the loader and injector components together.

According to Check Point's investigation, every dotRunpeX sample carries an embedded payload of a specific malware family to be injected, along with a list of targeted anti-malware processes that must be terminated.

To that end, dotRunpeX abuses a vulnerable Process Explorer driver, procexp.sys, to gain kernel-mode execution.
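The sequence described above (a Process Explorer driver load followed by the termination of security-product processes) is something a defender can look for in endpoint telemetry. The following is an added detection sketch, not code from the report or from Check Point; it runs over constructed Sysmon-style records (Event ID 6 driver load, Event ID 5 process terminate), and the watchlist of protected process names and the correlation window are assumptions, not values taken from the report.

```python
"""Correlate a Process Explorer driver load (Sysmon Event ID 6) with
terminations of security-product processes (Sysmon Event ID 5) shortly after.
All sample events below are constructed for illustration, not real telemetry."""
from datetime import datetime

# Assumed watchlist of security-product process names (constructed, not from the report).
PROTECTED_PROCESSES = {"msmpeng.exe", "avp.exe", "ekrn.exe"}
# procexp.sys is named in the report; procexp152.sys is the driver name used by newer Process Explorer builds.
DRIVER_NAMES = {"procexp.sys", "procexp152.sys"}


def _basename(path):
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def find_driver_assisted_kills(events, window_seconds=120):
    """Return (driver_load_event, [terminate_events]) pairs where a Process Explorer
    driver load is followed within window_seconds by termination of a watchlisted process."""
    events = sorted(events, key=lambda e: _ts(e["UtcTime"]))
    hits = []
    for load in events:
        if load["EventID"] != 6 or _basename(load["ImageLoaded"]) not in DRIVER_NAMES:
            continue
        t0 = _ts(load["UtcTime"])
        kills = [
            e for e in events
            if e["EventID"] == 5
            and 0 <= (_ts(e["UtcTime"]) - t0).total_seconds() <= window_seconds
            and _basename(e["Image"]) in PROTECTED_PROCESSES
        ]
        if kills:
            hits.append((load, kills))
    return hits


# Constructed sample events: one suspicious driver load followed by an AV process exit,
# plus unrelated noise that must not trigger.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2023-03-20 10:00:00.000", "ImageLoaded": "C:\\Users\\Public\\procexp.sys"},
    {"EventID": 5, "UtcTime": "2023-03-20 10:00:03.500", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2023-03-20 10:00:04.000", "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 6, "UtcTime": "2023-03-20 12:00:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\http.sys"},
    {"EventID": 5, "UtcTime": "2023-03-20 12:30:00.000", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for load, kills in find_driver_assisted_kills(SAMPLE_EVENTS):
        print(load["UtcTime"], _basename(load["ImageLoaded"]), "->", [_basename(k["Image"]) for k in kills])
```

A legitimate Process Explorer session also loads this driver, so treat a hit as a lead to triage (driver path, signing status, what loaded it) rather than a verdict on its own.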

Language references found in the code suggest that Russian-speaking actors may be behind dotRunpeX. The emerging threat has most frequently been observed distributing malware families such as RedLine, Raccoon, Vidar, Agent Tesla and FormBook.
