FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

An ongoing malvertising campaign is being used to distribute virtualized. NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a technical write-up. The shift to Google malvertising is the latest example of how crimeware actors are devising alternate delivery routes to distribute malware ever since Microsoft announced plans to block the execution of macros in Office by default from files downloaded from the internet. Malvertising entails placing rogue search engine advertisements in hopes of tricking users searching for popular software like Blender into downloading the trojanized software. NET, use the legitimate KoiVM virtualizing protector for. NET applications for concealing its behavior and are tasked with distributing the FormBook malware family. Besides incorporating anti-analysis and anti-detection techniques to evade execution within a virtual machine or an application sandbox environment, the loaders have been found to employ a modified version of KoiVM that packs in additional obfuscation layers in order to make deciphering even more challenging. The loaders also deploy and load a signed Microsoft Process Explorer driver with the goal of carrying out actions with elevated permissions. The privileges can be weaponized to terminate processes with security software to avoid getting flagged. Both FormBook and its successor, XLoader, implement a wide range of functionalities, such as keylogging, screenshot theft, harvesting of web and other credentials, and staging of additional malware. The malware strains are also notable for camouflaging their command-and-control traffic among smokescreen HTTP requests with encoded content to multiple decoy domains, as previously revealed by Zscaler and Check Point last year. "As a response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods - most recently, malvertising," the researchers said. "The MalVirt loaders demonstrate just how much effort threat actors are investing in evading detection and thwarting analysis." It's pertinent that the method is already witnessing a spike due to its use by other criminal actors to push IcedID, Raccoon, Rhadamanthys, and Vidar stealers over the past few months. "It is likely that a threat actor has started to sell malvertising as a service on the dark web, and there is a great deal of demand," Abuse. Ch said in a report, pointing out a possible reason for the "Escalation." The findings arrive two months after India-based K7 Security Labs detailed a phishing campaign that leverages a.NET loader to drop Remcos RAT and Agent Tesla by means of a virtualized KoiVM virtualized binary. It's not all malicious ads as adversaries are also experimenting with other file types like Excel add-ins and OneNote email attachments to sneak past security perimeters. Newly joining this list is the use of Visual Studio Tools for Office add-ins as an attack vehicle. "VSTO add-ins can be packaged alongside Office documents, or fetched from a remote location when a VSTO-Bearing Office document is opened," Deep Instinct disclosed last week. "This may require bypass of trust-related security mechanisms."

This Cyber News was published on thehackernews.com. Publication date: Mon, 06 Feb 2023 10:03:03 +0000


Cyber News related to FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

Hackers Use Google Ads to Install Malware - NET malware loaders that were disseminated via malvertising attacks was discovered by SentinelLabs. The loaders, known as MalVirt, leverage the Windows Process Explorer driver for process termination together with obfuscated virtualization for ...
1 year ago Cybersecuritynews.com
FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection - An ongoing malvertising campaign is being used to distribute virtualized. NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion ...
1 year ago Thehackernews.com
Unit 42 Collaborative Research With Ukraine's Cyber Agency To Uncover the Smoke Loader Backdoor - This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006. The SCPC SSSCIP has identified Smoke Loader as a prominent type of ...
7 months ago Unit42.paloaltonetworks.com
The Surge of FakeBat Malware in Search-Based Malvertising Campaigns - In recent months, cybersecurity researchers have observed a concerning surge in search-based malvertising campaigns, with documented incidents nearly doubling compared to previous periods. Amidst this uptick in online threats, one particular malware ...
7 months ago Cysecurity.news
Ads on Google Promote Malware Designed to Avoid Detection by Antivirus Software - A malicious Google Ads campaign is currently spreading malware installers that use KoiVM virtualization technology to avoid detection when installing the Formbook data stealer. KoiVM virtualization works by replacing the original code of a program ...
1 year ago Bleepingcomputer.com
MacOS info-stealers quickly evolve to evade XProtect detection - Multiple information stealers for the macOS platform have demonstrated the capability to evade detection even when security companies follow and report about new variants frequently. A report by SentinelOne highlights the problem through three ...
9 months ago Bleepingcomputer.com
November 2023's Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus - Researchers reported on a new AsyncRAT campaign where malicious HTML files were being used to spread the stealthy malware. Our latest Global Threat Index for November 2023 saw researchers discover a AsyncRAT campaign where malicious HTML files were ...
10 months ago Blog.checkpoint.com
Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets - Unit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, low-quality hosting and web chat APIs. In this article, we'll describe some of the tactics used by ...
10 months ago Unit42.paloaltonetworks.com
FakeBat delivered via several active malvertising campaigns - February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection. One ...
7 months ago Malwarebytes.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
5 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)