DotRunpeX – demystifying new virtualized .NET injector used in the wild – Check Point Research

Check Point Research provides an in-depth analysis of the dotRunpeX injector and its evolution, detailing both the old and new versions and how they are protected by virtualization (KoiVM) and obfuscation (ConfuserEx). The report explains how dotRunpeX acts as a second-stage loader to deliver numerous malware families via phishing, trojanized software, and driver abuse to disable defenses and enable code injection. #dotRunpeX #KoiVM #ConfuserEx #Redline #AgentTesla #Lokibot #SnakeKeylogger #GalaxySwapper

Keypoints

  • Check Point Research analyzes both the old and new dotRunpeX versions, comparing their protections (a customized KoiVM virtualizer) and obfuscation (ConfuserEx), both of which the researchers defeated during analysis.
  • dotRunpeX is used in the wild as a second-stage injector to deliver many malware families (stealers, RATs, loaders, downloaders).
  • Most campaigns distribute the first-stage loaders via phishing emails and fake websites; the chain then loads dotRunpeX as the second stage.
  • The injector abuses a vulnerable Process Explorer driver (procexp) to disable Anti-Malware services, improving its persistence and stealth.
  • Check Point introduces PoC techniques (ImplMap2x64dbg and Invoke-DotRunpeXextract) to aid reverse engineering protected/virtualized .NET code.
  • New dotRunpeX versions show advanced features (multiple UAC bypass methods, syscall patching via D/Invoke, and KoiVM protection) and continue to embed payloads and a procexp driver for defense evasion.

MITRE Techniques

  • [T1055.012] Process Hollowing – DotRunpeX uses Process Hollowing to create a suspended process and inject the payload. “DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The injector can be configured to disable Anti-Malware services and other defenses. “Highly configurable (disabling Anti-Malware services, Anti-VM, Anti-Sandbox…)”
  • [T1548.002] Bypass User Account Control – The new version includes several UAC bypass methods, listed in the report as part of the injector's configurable options.
  • [T1027] Obfuscated/Compressed Files and Information – The malware uses virtualization (KoiVM) and obfuscation (ConfuserEx) to protect code. “protected by virtualization (a customized version of KoiVM) and obfuscation (ConfuserEx) – both were defeated”
  • [T1566.001] Phishing – Initial infection vectors include phishing emails and fake websites masquerading as legitimate utilities. “Commonly distributed via phishing emails as malicious attachments and websites masquerading as regular program utilities.”

Indicators of Compromise

  • [SHA256 Hash] – 1e7614f757d40a2f5e2f4bd5597d04878768a9c01aa5f9f23d6c87660f7f0fbc (OLD version, delivering Lokibot)
  • [SHA256 Hash] – 65cac67ed2a084beff373d6aba6f914b8cba0caceda254a857def1df12f5154b (OLD version, delivering SnakeKeylogger)
  • [SHA256 Hash] – 0e11704fcc3c36832ba98b80ea44a3013660d1ed3fb48158b982fed9f9050391 (NEW version, delivering AgentTesla)
  • [SHA256 Hash] – 0f9e27ec1ed021fd7375ca46f233c06b354d12d57aed44132208cd9308bfee11 (NEW version, delivering AgentTesla)
  • [SHA256 Hash] – 881a337aa85a4b01c08706ab941573c5dc9b76ea0e4e1c2693a9b4aa4453ec8c (NEW version, delivering AgentTesla)
  • [Domain] – galaxyswapper.ru (Website masquerading as Galaxy Swapper)
  • [Domain] – gitlab.com (Host for trojanized binaries and loaders)
  • [URL] – https://www.galaxyswapper.ru/ (Phishing/malicious site)
  • [URL] – https://gitlab.com/forhost1232/galaxyv19.11.14/-/raw/main/GalaxyV19.11.14.zip (Trojanized loader delivery)
  • [URL] – https://gitlab.com/forhost1232/lastpassinstaller/-/raw/main/LastPassInstaller.zip (Trojanized LastPass installer)
  • [IP] – 77.73.134.2 (C2 for Redline payload in one campaign)
  • [FileName] – Иисус.sys (Process Explorer driver)
  • [FileName] – LastPassInstaller.zip (Trojanized package delivery)
  • [Process] – C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (target of Process Hollowing in the analyzed samples)

Read more: https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/