
FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

Feb 06, 2023 | Ravie Lakshmanan | Malvertising / Data Safety

An ongoing malvertising campaign is being used to distribute
virtualized .NET loaders that are designed to deploy the FormBook
information-stealing malware.

“The loaders, dubbed MalVirt, use obfuscated virtualization for
anti-analysis and evasion along with the Windows Process Explorer
driver for terminating processes,” SentinelOne researchers
Aleksandar Milenkoski and Tom Hegel said[1]
in a technical write-up.

The shift to Google malvertising is the latest example of how
crimeware actors are devising alternate delivery routes[2] to
distribute malware ever since Microsoft announced plans to block the
execution of macros in Office by default in files downloaded from the
internet.

Malvertising here means buying rogue search-engine advertisements
that point users searching for popular software such as Blender to a
trojanized download instead of the legitimate installer.

The MalVirt loaders are implemented in .NET and are protected with
KoiVM[3], a legitimate open-source virtualizing protector for .NET
applications (a ConfuserEx plugin) that replaces the assembly's IL
with custom bytecode run by an embedded interpreter, so that ordinary
decompilers show only the interpreter rather than the loader's logic.
Their job is to deliver the FormBook malware family.

Besides incorporating anti-analysis and anti-detection techniques
to avoid running inside a virtual machine or an application sandbox,
the loaders use a modified version of KoiVM with additional
obfuscation layers, which makes recovering the original code even
harder.

The loaders also drop and load a legitimately signed Microsoft
Sysinternals Process Explorer[4] driver in order to perform actions
that require kernel-mode access. That access can, for instance, be
used to terminate the processes of security software so the loader is
not flagged. Because the driver carries a valid Microsoft signature,
driver signature enforcement does not stop it from loading; the abuse
lies in what loads it and what it is asked to do.
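As an added illustration of the driver-abuse technique described above (this is example code written for this page, not code from the SentinelOne report or the article): a small correlation of Sysmon FileCreate records (Event ID 11) with driver-load records (Event ID 6) that flags a Process Explorer driver written to disk by anything other than Process Explorer itself. The sample events, the list of legitimate writer executables, the 10-minute window and the signer string are all constructed assumptions for the example.

```python
"""Correlate Sysmon Event ID 6 (driver loaded) with Event ID 11 (file
created) to spot a signed Process Explorer driver that was dropped and
loaded by a process that is not Process Explorer.  Sample data is
constructed for this example."""
import ntpath
from datetime import datetime, timedelta

# Constructed Sysmon events reduced to the fields the heuristic needs.
# The signer string and paths are illustrative, not captured data.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2023-02-06 09:14:02.101",
     "Image": r"C:\Program Files\Sysinternals\procexp64.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\PROCEXP152.SYS"},
    {"EventID": 6, "UtcTime": "2023-02-06 09:14:02.340",
     "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP152.SYS",
     "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
    {"EventID": 11, "UtcTime": "2023-02-06 10:02:11.500",
     "Image": r"C:\Users\alice\AppData\Local\Temp\BlenderSetup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\procexp.sys"},
    {"EventID": 6, "UtcTime": "2023-02-06 10:02:12.010",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\procexp.sys",
     "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
]

# Assumption: only Process Explorer's own executables legitimately write
# its driver to disk.  Any other writer of a procexp*.sys file is suspect.
LEGIT_WRITERS = {"procexp.exe", "procexp64.exe", "procexp64a.exe"}
WINDOW = timedelta(minutes=10)  # assumed maximum gap between drop and load


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _base(path):
    # ntpath handles Windows paths regardless of the host OS.
    return ntpath.basename(path).lower()


def is_procexp_driver(path):
    """Filename-based check; an attacker can rename the file, so in
    production match on the Sysmon 'Hashes' field as well."""
    b = _base(path)
    return b.startswith("procexp") and b.endswith(".sys")


def find_driver_abuse(events):
    """Return one alert per Process Explorer driver load that was not
    preceded, within WINDOW, by a FileCreate from Process Explorer."""
    writes = [e for e in events if e["EventID"] == 11]
    alerts = []
    for load in (e for e in events if e["EventID"] == 6):
        if not is_procexp_driver(load["ImageLoaded"]):
            continue
        t_load = _ts(load["UtcTime"])
        # Most recent write to exactly this path before the load.
        candidates = [w for w in writes
                      if w["TargetFilename"].lower() == load["ImageLoaded"].lower()
                      and timedelta(0) <= t_load - _ts(w["UtcTime"]) <= WINDOW]
        writer = max(candidates, key=lambda w: _ts(w["UtcTime"]), default=None)
        if writer is None:
            reason = "driver loaded with no recent FileCreate in window"
            image = None
        elif _base(writer["Image"]) in LEGIT_WRITERS:
            continue  # Process Explorer extracting its own driver: benign
        else:
            reason = "driver written by a non-Process-Explorer process"
            image = writer["Image"]
        alerts.append({"time": load["UtcTime"], "driver": load["ImageLoaded"],
                       "signed": load.get("Signed"), "writer": image,
                       "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_driver_abuse(SAMPLE_EVENTS):
        print(a)
```

Sysmon Event ID 6 records which driver image was loaded and how it is signed, but not which process loaded it, which is why the FileCreate correlation is needed to name the dropper. Matching on the filename is deliberately weak (the loader can call the file anything), so a production rule should key on the driver's hash and signer instead and treat any validly signed driver appearing in a user-writable directory as worth a look.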

Both FormBook and its successor, XLoader, implement a wide range
of functionality, including keylogging, screenshot capture,
harvesting of web and other credentials, and staging of additional
malware.

The malware strains are also notable for camouflaging their
command-and-control (C2) traffic among smokescreen HTTP requests
carrying encoded content to multiple decoy domains, so that the real
C2 server is buried among benign-looking connections, as previously
revealed[5] by Zscaler and Check Point last year.
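A constructed detection example for the decoy-domain behaviour just described, written for this page rather than taken from the Zscaler, Check Point or SentinelOne research: it scans proxy log lines for a single client that sends requests with the same URI path and parameter name, carrying base64-looking values, to many distinct hosts inside a short window. The log format, the hosts, the path, the parameter name and the thresholds are all assumptions for the example.

```python
"""Flag a client that cycles one request shape (same path, same encoded
parameter) through many distinct hosts in a short window, the pattern
FormBook/XLoader use to hide the real C2 among decoys.  Log data and
thresholds are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log: "<utc time> <client> <method> <host> <uri>".
# Client 10.0.0.7 sends the same /hm23/?oa1=... request to eight hosts
# (seven decoys and one real C2); everything else is benign noise.
SAMPLE_LOG = """\
2023-02-06T11:00:01Z 10.0.0.7 GET www.example-news.com /
2023-02-06T11:00:03Z 10.0.0.7 GET decoy-one.example /hm23/?oa1=Q0dfb2NXTWc9PTRxVHZ3RmJ1
2023-02-06T11:00:04Z 10.0.0.9 GET www.example-shop.com /cart?id=42
2023-02-06T11:00:05Z 10.0.0.7 GET decoy-two.example /hm23/?oa1=QzJSbWpZaXh0UVU5dlRkT0Y2
2023-02-06T11:00:07Z 10.0.0.7 GET decoy-three.example /hm23/?oa1=ZGtQcmU0bEJvcXdlQ3Z5aE5i
2023-02-06T11:00:08Z 10.0.0.9 GET cdn.example.net /static/app.js
2023-02-06T11:00:09Z 10.0.0.7 GET decoy-four.example /hm23/?oa1=bm1Pa2hXeGF2UWRsd0ZyUzd0
2023-02-06T11:00:11Z 10.0.0.7 GET decoy-five.example /hm23/?oa1=VHV3SlJmN2tZcGxxMmVOc1VB
2023-02-06T11:00:12Z 10.0.0.9 GET search-a.example /search?q=YWJjZGVmZ2hpamtsbW5vcA==
2023-02-06T11:00:13Z 10.0.0.7 GET decoy-six.example /hm23/?oa1=eDlKTHZaYUdwUm9uZjR0VkJj
2023-02-06T11:00:15Z 10.0.0.7 GET decoy-seven.example /hm23/?oa1=a1hNdEdoU2p5YkNyZk9wd0lx
2023-02-06T11:00:16Z 10.0.0.9 GET search-b.example /search?q=YWJjZGVmZ2hpamtsbW5vcA==
2023-02-06T11:00:17Z 10.0.0.7 GET real-c2.example /hm23/?oa1=R0Z6cVlXbTFkYlZ4YXRQSWtl
"""

ENCODED = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")  # base64/base64url-looking value
WINDOW = timedelta(minutes=5)   # assumed time to cycle through the decoy list
MIN_HOSTS = 5                   # assumed distinct-host threshold per shape


def parse_line(line):
    ts, client, method, host, uri = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method,
            "host": host.lower(), "uri": uri}


def request_shape(uri):
    """(path, names of params carrying encoded data), or None if none do."""
    parts = urlsplit(uri)
    names = tuple(sorted(k for k, v in parse_qsl(parts.query, keep_blank_values=True)
                         if ENCODED.match(v)))
    return (parts.path, names) if names else None


def max_distinct_hosts(reqs, window):
    """Largest number of distinct hosts seen inside any span of `window`."""
    reqs = sorted(reqs)
    seen, lo, best = Counter(), 0, 0
    for t, host in reqs:
        seen[host] += 1
        while t - reqs[lo][0] > window:      # slide the window forward
            old = reqs[lo][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            lo += 1
        best = max(best, len(seen))
    return best


def find_decoy_beaconing(log, window=WINDOW, min_hosts=MIN_HOSTS):
    groups = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        shape = request_shape(r["uri"])
        if shape:
            groups[(r["client"], shape)].append((r["time"], r["host"]))
    alerts = []
    for (client, (path, params)), reqs in groups.items():
        n = max_distinct_hosts(reqs, window)
        if n >= min_hosts:
            alerts.append({"client": client, "path": path, "params": params,
                           "distinct_hosts": n,
                           "hosts": sorted({h for _, h in reqs})})
    return alerts


if __name__ == "__main__":
    for a in find_decoy_beaconing(SAMPLE_LOG):
        print(a)
```

The rule keys on the request shape rather than on any single domain, because the whole point of the decoys is that most of the domains involved are benign or parked and would pass a reputation check. The alert lists every host the shape was sent to; the real C2 is one of them, so the follow-up is to look at which host actually returned a non-trivial response, which this log format does not record.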

“As a response to Microsoft blocking Office macros by default in
documents from the Internet, threat actors have turned to
alternative malware distribution methods – most recently,
malvertising,” the researchers said.

“The MalVirt loaders […] demonstrate just how much effort
threat actors are investing in evading detection and thwarting
analysis.”

It is worth noting that the technique is already seeing a
spike[6][7][8][9], with other criminal actors using it over the past
few months to push the IcedID, Raccoon, Rhadamanthys, and Vidar
stealers.

“It is likely that a threat actor has started to sell
malvertising as a service on the dark web, and there is a great
deal of demand,” Abuse.ch said[10] in a report[11], pointing out a
possible reason for the “escalation.”

The findings arrive two months after India-based K7 Security
Labs detailed[12] a phishing campaign that uses a KoiVM-virtualized
.NET loader to drop Remcos RAT and Agent Tesla.

It’s not all malicious ads, however, as adversaries are also
experimenting with other file types like Excel add-ins (XLLs) and
OneNote email attachments to sneak past security perimeters. Newly
joining this list is the use of Visual Studio Tools for Office
(VSTO) add-ins as an attack vehicle.

“VSTO add-ins can be packaged alongside Office documents (Local
VSTO), or, alternatively, fetched from a remote location when a
VSTO-Bearing Office document is opened (Remote VSTO),” Deep
Instinct disclosed[13] last week. “This,
however, may require bypass of trust-related security
mechanisms.”


References

1. said (www.sentinelone.com)
2. devising alternate delivery routes (thehackernews.com)
3. KoiVM (ki-host.appspot.com)
4. Process Explorer (learn.microsoft.com)
5. revealed (thehackernews.com)
6. method (thehackernews.com)
7. already (thehackernews.com)
8. witnessing (thehackernews.com)
9. spike (labs.k7computing.com)
10. said (www.spamhaus.com)
11. report (twitter.com)
12. detailed (labs.k7computing.com)
13. disclosed (www.deepinstinct.com)
14. Twitter (twitter.com)
15. LinkedIn (www.linkedin.com)
