Malvertising attacks are distributing .NET malware loaders

Malvertising attacks are being used to distribute highly obfuscated, virtualized .NET loaders that drop info-stealer malware.

The loaders, dubbed MalVirt, are implemented in .NET and use virtualization through the legitimate KoiVM virtualizing protector for .NET applications, according to threat researchers with SentinelOne's SentinelLabs. The KoiVM tool helps obfuscate the implementation and execution of the MalVirt loaders.

The loaders are distributing the Formbook info-stealing malware collection as part of an ongoing campaign, the researchers write in a report out this week. Formbook and the newer XLoader version come with a range of threats, from keylogging and screenshot theft to stealing credentials and staging additional malware.

"The distribution of this malware through the MalVirt loaders is characterized by an unusual amount of applied anti-analysis and anti-detection techniques," they write.

It's also the latest example of miscreants adapting to Microsoft last year blocking macros by default in Word, Excel, and PowerPoint to shut down a popular attack avenue. In the wake of Microsoft's move, attackers are turning to other options, such as LNK files, ISO and RAR attachments, and Excel XLL add-ins (which Microsoft addressed in January).

Malvertising is also seeing fast adoption.

"Malvertising is a malware delivery method that is currently very popular among threat actors, marked by a significant increase in malicious search engine advertisements in recent weeks," SentinelOne writes.

The Formbook and XLoader malware are sold on the dark web and usually distributed through attachments in phishing emails or malspam through macro-enabled Office documents – though that door has be ..
