A malicious Google Ads campaign is currently spreading malware installers that use KoiVM virtualization technology to avoid detection while installing the Formbook data stealer.

KoiVM virtualization works by replacing the original code of a program with virtualized code that only the virtualization framework can interpret. When the virtual machine is launched, it translates the virtualized code back to its original form so that the application can run. This makes the malware difficult to analyze and helps it evade static analysis.

In this campaign, the threat actors are using fake sites impersonating the Blender 3D software to distribute the MalVirt loaders. The loaders carry invalid digital signatures meant to imitate Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA. They also include evasion features such as patching the AmsiScanBuffer function and encoding and encrypting strings. The MalVirt loaders use a modified version of KoiVM with additional obfuscation layers that make it harder to decipher.

In addition, Formbook uses a new trick to disguise its real C2 traffic and IP addresses by mixing them with encrypted and encoded smokescreen HTTP requests.

It is unclear whether the threat actors have completely switched to Google search ads to distribute Formbook, but the campaign is a reminder to be careful about the links you click in search results.
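The invalid signatures described above are something a user or analyst can check before running a downloaded installer. The following PowerShell function is an added example (not code from the article or from any of the products named) that reads the Authenticode signature of a file, reports its status, and flags the case the article describes: a signature whose signer claims one of the imitated vendors but does not validate. It assumes Windows with PowerShell 5.1 or later and uses a placeholder download path.

```powershell
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Vendor names the article says the MalVirt loaders imitate
    $impersonated = @('Microsoft', 'Acer', 'DigiCert', 'Sectigo', 'AVG Technologies')

    # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted,
    # UnknownError, NotSupportedFileFormat, Incompatible
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $cert = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '<none>' }
    $issuer = if ($cert) { $cert.Issuer } else { '<none>' }
    $thumb = if ($cert) { $cert.Thumbprint } else { '<none>' }

    # Does the signer subject name-drop one of the impersonated vendors?
    $claimsVendor = @($impersonated | Where-Object {
        $subject -match [regex]::Escape($_) }).Count -gt 0

    # A present-but-invalid signature that claims a well-known vendor is the
    # pattern to treat as suspicious; NotSigned on its own is merely unsigned.
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Message    = $sig.StatusMessage
        Signer     = $subject
        Issuer     = $issuer
        Thumbprint = $thumb
        Suspicious = ($sig.Status -ne 'Valid') -and $claimsVendor
    }
}

# Usage: check a freshly downloaded installer before executing it
# (placeholder path; substitute the file you actually downloaded)
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\blender-setup.exe" | Format-List
```

A Valid status only means the file is signed by a certificate that chains to a trusted root; it does not by itself prove the publisher is who you expected, so compare the Signer and Issuer fields with what the genuine vendor uses.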
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 03 Feb 2023 00:05:03 +0000