A malicious Google Ads campaign was recently found using KoiVM, a virtualization-based code protector for .NET, to install the Formbook information stealer without being detected by antivirus software. The downloads offered by the fraudulent sites carried digital signatures made to look as if they came from Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA, but the signatures were invalid, so Windows would not show the files as signed.

The MalVirt loaders have further evasion capabilities: they patch the AmsiScanBuffer function to neutralize AMSI scanning, and they obfuscate their strings with Base64 encoding and AES encryption. They also terminate if they detect that they are running in a virtualized environment, so that they are not observed in analysis sandboxes. KoiVM virtualization is usually seen in hacking tools and cracks, but in this case it was used to deploy malware.

Formbook also uses a new trick to hide its real C2 traffic and server IP addresses: it mixes the genuine requests with smokescreen HTTP requests that serve only as decoys. As the number of malware distribution attempts through Google Ads is increasing, users should be careful when clicking links in search results, and organizations should ensure their endpoint security policies are up to date.
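The signature point above is worth checking by hand rather than trusting the publisher name shown in a download dialog. The following PowerShell function is an added example, not code from the article or from the SentinelLabs research it summarizes; it uses the built-in Get-AuthenticodeSignature cmdlet to report the signature status of a downloaded file, and the function name and the sample path are assumptions for illustration.

```powershell
function Test-DownloadSignature {
    <#
    .SYNOPSIS
    Report the Authenticode status of a downloaded file and warn when the
    signature is anything other than Valid. (Added example; the function
    name is an assumption, not part of the original article.)
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is an enumeration; the values a practitioner sees most often are
    # Valid, NotSigned, HashMismatch, NotTrusted and UnknownError.
    # A signer name is only meaningful when Status is Valid: a file whose
    # certificate merely claims to be Microsoft or AVG but fails validation
    # is effectively unsigned, which is exactly the MalVirt case.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '<none>' }

    $result = [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Subject       = $subject
        Issuer        = $issuer
    }

    if ($sig.Status -ne 'Valid') {
        Write-Warning ("Signature status is '{0}'. The claimed signer '{1}' must not be trusted; " +
                       "treat this file as unsigned.") -f $sig.Status, $subject
    }

    return $result
}

# Usage (the path is a constructed example):
Test-DownloadSignature -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

Run it from the PowerShell session as the user who downloaded the file; it needs no elevation. A Valid status only means the file is signed by a certificate that chains to a root the machine trusts, so it does not by itself prove the file is benign, but any other status means the publisher name is decorative and the file should be handled as an unsigned download.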
This Cyber News was published on heimdalsecurity.com. Publication date: Fri, 03 Feb 2023 14:58:03 +0000