Freely subscribe to our NEWSLETTER

Among the payloads that MalVirt loaders distribute, SentinelLabs spotted infostealer malware of the Formbook family as part of an ongoing campaign at the time of writing. The distribution of this malware through the MalVirt loaders is characterised by an unusual amount of applied anti-analysis and anti-detection techniques.

This malware is sold on the dark web and is traditionally delivered as an attachment to phishing emails, and its use has also been recently observed as part of attacks with potentially political motivations – in September 2022, Ukraine’s CERT reported a Formbook/XLoader campaign targeting Ukrainian state organisations through war-themed phishing emails.

Key summary

SentinelLabs observed a cluster of virtualized .NET malware loaders distributed through malvertising attacks
The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes
MalVirt loaders distribute malware of the Formbook family as part of an ongoing campaign at the time of writing. To disguise real C2 traffic and evade network detections, the malware beacons to random decoy C2 servers hosted at different hosting providers, including Azure, Tucows, Choopa, and Namecheap.

Conclusion

As a response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods – most recently, malvertising.

SentinelLabs’ research focuses on the MalVirt loaders and the infostealer malware subsequently distributed by them in order to highlight the effort the threat actors have invested in evading detection and thwarting analysis.

Additionally, this report highlights that phishing attacks continue to evolve and can be highly targeted with the use of intricate loader, which could suggest an attempt to co-opt cybercriminal distribution methods to load more targeted second-stage malware onto specific victims after initial validation.