SentinelLabs detected a cluster of virtualized .NET loaders, named MalVirt, distributed via malvertising to deliver Formbook/XLoader infostealer payloads. The loaders use KoiVM-based virtualization and anti-analysis techniques, rely on a Windows Process Explorer driver to terminate processes, and beacon to random decoy C2 servers hosted across multiple providers to disguise network traffic. #MalVirt #KoiVM #Formbook #XLoader #Malvertising #AMSI #ProcessExplorer #Azure #Namecheap
Keypoints
- SentinelLabs observed a MalVirt loader cluster delivering Formbook/XLoader via malvertising campaigns.
- MalVirt uses .NET virtualization (KoiVM) to obfuscate code and evade analysis, with varied anti-analysis techniques across samples.
- The loaders patch AMSI (AmsiScanBuffer) and encode/decrypt strings to defeat static detection.
- A legitimate Windows Process Explorer driver is deployed to gain kernel privileges and terminate detection-related (security product) processes.
- MalVirt loaders beacon to random decoy C2 domains hosted across multiple providers (Azure, Tucows, Choopa, Namecheap) so that the real C2 activity is hidden among decoy traffic.
- The payloads include Formbook/XLoader infostealer capabilities (keylogging, screen capture, credential theft) and staging of additional malware.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising serves loaders as a malware delivery method, with a notable rise in malicious ads and search results.
- [T1497] Virtualization/Sandbox Evasion – The loaders use KoiVM virtualization to obfuscate code and detect or evade analysis; “the loaders … use virtualization, based on the KoiVM virtualizing protector of .NET applications, in order to obfuscate their implementation and execution”.
- [T1027] Obfuscated/Compressed Files and Information – Names are obfuscated and strings are Base-64 encoded and AES-encrypted; “obfuscated namespace, class, and function names composed of alphanumeric characters” … “strings are Base-64 encoded and AES-encrypted”.
- [T1562.001] Impair Defenses – AMSI bypass via patching AmsiScanBuffer; “patch the AmsiScanBuffer function implemented in amsi.dll to bypass the Anti Malware Scan Interface (AMSI) that detects malicious PowerShell commands.”
- [T1056.001] Keylogging – Formbook/XLoader capabilities include keylogging; “keylogging, screenshot theft, theft of web and other credentials, and staging of additional malware.”
- [T1071.001] Web Protocols – C2 traffic is camouflaged across multiple domains with encoded data; “beacons to random decoy C2 servers … Only one of the domains is the real C2 server and the rest are decoys.”
- [T1555.003] Credentials from Web Browsers – Formbook theft includes credentials from web applications; “theft of web and other credentials”.
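As an added defender-side illustration (not code from the SentinelLabs report), the following detector looks for the decoy-beaconing pattern described under T1071.001: one process on one host contacting many distinct domains within a short window. The log format, host names, process names, domains and the 5-domains-in-60-seconds threshold are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy-log lines (hypothetical, not taken from the report):
# "<ISO timestamp> <host> <process> <domain>"
SAMPLE_LOG = """\
2023-02-01T10:00:01 WS01 loader.exe www.decoy-a.test
2023-02-01T10:00:02 WS01 loader.exe www.decoy-b.test
2023-02-01T10:00:04 WS01 loader.exe www.decoy-c.test
2023-02-01T10:00:05 WS01 loader.exe www.decoy-d.test
2023-02-01T10:00:07 WS01 loader.exe www.real-c2.test
2023-02-01T10:00:09 WS01 loader.exe www.decoy-e.test
2023-02-01T10:00:30 WS02 browser.exe www.news.test
2023-02-01T10:00:31 WS02 browser.exe cdn.news.test
2023-02-01T10:00:32 WS02 browser.exe ads.news.test
2023-02-01T10:05:00 WS02 browser.exe www.mail.test
"""

def parse(log):
    """Turn the constructed log text into (timestamp, host, process, domain) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, proc, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, domain))
    return events

def find_fanout(events, window_s=60, min_domains=5):
    """Return {(host, process): sorted domains} for every process that contacted
    at least `min_domains` distinct domains inside some `window_s`-second window.
    The largest qualifying domain set per process is reported."""
    by_key = defaultdict(list)
    for ts, host, proc, domain in sorted(events):
        by_key[(host, proc)].append((ts, domain))
    hits = {}
    window = timedelta(seconds=window_s)
    for key, seq in by_key.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:  # slide window forward
                start += 1
            domains = {d for _, d in seq[start:end + 1]}
            if len(domains) >= min_domains and len(domains) > len(hits.get(key, ())):
                hits[key] = sorted(domains)
    return hits

def scan(log=SAMPLE_LOG):
    return find_fanout(parse(log))

if __name__ == "__main__":
    for (host, proc), domains in scan().items():
        print(f"{host} {proc}: {len(domains)} distinct domains in 60s -> {domains}")
```

The browser on WS02 touches four domains but only three inside any 60-second window, so it is not flagged; the loader on WS01 is.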
Indicators of Compromise
- [SHA1] MalVirt loader samples – 15DB79699DCEF4EB5D731108AAD6F97B2DC0EC9C, 655D0B6F6570B5E07834AA2DD8211845B4B59200, BC47E15537FA7C32DFEFD23168D7E1741F8477ED
- [Domain] Contacted domain as part of C2 disguise traffic – www.togsfortoads[.]com, www.popimart[.]xyz, and 19 more domains
Read more: https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/