Threat actors have been observed using malvertising attacks to distribute virtualized .NET malware loaders dubbed “MalVirt.”
According to a Thursday advisory by SentinelOne, the new loaders use obfuscated virtualization techniques to evade detection.
“The loaders are implemented in .NET and use virtualization, based on the KoiVM virtualizing protector of .NET applications, in order to obfuscate their implementation and execution,” reads the technical write-up.

“Although popular for hacking tools and cracks, the use of KoiVM virtualization is not often seen as an obfuscation method used by cybercrime threat actors.”
In the technical write-up, the company’s senior threat researcher Aleksandar Milenkoski also explained that MalVirt loaders are distributing malware from the Formbook family.
“Among the payloads that MalVirt loaders distribute, we observed infostealer malware of the Formbook family as part of an ongoing campaign at the time of writing,” reads the SentinelOne advisory.
From a technical standpoint, Formbook (and its updated version, named XLoader) is an infostealer with several capabilities, including keylogging, screenshot theft, theft of web and other credentials, and deployment of additional malware.
“For example, one of the hallmarks of XLoader is its intricate disguising of C2 traffic,” wrote Milenkoski.
Case in point: to disguise real C2 traffic and evade network detections, the malware was observed sending beacons to random decoy C2 servers hosted at different, legitimate hosting providers, such as Azure, Tucows, Choopa and Namecheap.
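The decoy-beacon technique described above means a defender cannot separate the real C2 from the decoys by looking at destination hostnames or hosting providers alone. The following is an added example (not SentinelOne’s code and not part of the original article) of a simple hunting heuristic that instead keys on process behaviour: a single process sending same-shaped requests on a steady cadence to many unrelated hosts. The log format, the process names, all hostnames and the thresholds are assumptions made for the example; the telemetry lines are constructed, not captured from real malware.

```python
"""
Added example: a fan-out/cadence heuristic for spotting beaconing that
hides a real C2 among decoy servers.

Assumptions (mine, not from the SentinelOne write-up):
- Proxy or endpoint telemetry is available as one record per outbound
  HTTP request: "ts,process,host,bytes".
- A process that sends near-identical requests at a regular interval to
  many unrelated hosts is more suspicious than one that talks to a few
  hosts irregularly.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data). Hostnames are placeholders.
SAMPLE_LOG = """\
1000,svchost.exe,update.example-vendor.test,512
1003,notepad.exe,decoy-one.test,301
1008,notepad.exe,decoy-two.test,303
1013,notepad.exe,decoy-three.test,299
1018,notepad.exe,decoy-four.test,302
1023,notepad.exe,decoy-five.test,300
1028,notepad.exe,real-c2.test,301
1033,notepad.exe,decoy-six.test,298
1040,chrome.exe,www.example.org,1420
1200,chrome.exe,cdn.example.net,988
1900,chrome.exe,www.example.org,731
"""


def parse_log(text):
    """Parse 'ts,process,host,bytes' lines into dicts; skip blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proc, host, size = line.split(",")
        records.append({"ts": int(ts), "process": proc, "host": host, "bytes": int(size)})
    return records


def profile_processes(records):
    """Per process: distinct hosts, cadence regularity, and request-size spread."""
    by_proc = defaultdict(list)
    for r in records:
        by_proc[r["process"]].append(r)
    profiles = {}
    for proc, rs in by_proc.items():
        rs = sorted(rs, key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(rs, rs[1:])]
        sizes = [r["bytes"] for r in rs]
        # Coefficient of variation of inter-request gaps: 0.0 is perfectly periodic.
        # Needs at least two gaps (three requests) to be meaningful.
        cadence_cv = (pstdev(gaps) / mean(gaps)) if len(gaps) >= 2 and mean(gaps) > 0 else None
        profiles[proc] = {
            "requests": len(rs),
            "hosts": sorted({r["host"] for r in rs}),
            "cadence_cv": cadence_cv,
            "size_spread": max(sizes) - min(sizes),
        }
    return profiles


def flag_beaconers(records, min_hosts=5, max_cadence_cv=0.5, max_size_spread=50):
    """Return processes whose traffic looks like decoy-padded beaconing.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    flagged = []
    for proc, p in profile_processes(records).items():
        if p["cadence_cv"] is None:
            continue  # too few requests to judge cadence
        if (len(p["hosts"]) >= min_hosts
                and p["cadence_cv"] <= max_cadence_cv
                and p["size_spread"] <= max_size_spread):
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    profiles = profile_processes(recs)
    for proc in flag_beaconers(recs):
        p = profiles[proc]
        print(f"{proc}: {len(p['hosts'])} hosts, cadence_cv={p['cadence_cv']:.2f}, "
              f"size_spread={p['size_spread']} bytes")
        # Every host the process beaconed to is a candidate; the real C2 is
        # among them, but the destination list alone does not reveal which.
        print("  candidate C2/decoy hosts:", ", ".join(p["hosts"]))
```

The heuristic deliberately ignores where the hosts are located, because, as the write-up notes, the decoys sit on legitimate providers; it flags the process and hands the analyst the full destination set for follow-up rather than pretending to pick out the real C2.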
The SentinelOne security researcher also noted that while Formbook and XLoader have been distributed through phishing emails and “malspam” via macro-enabled Office documents in the past, the new MalVirt campaign hints at a shift towards this malware being distributed via malvertising.
“As a response to Microsoft blocking Office macros by default in documents from the Internet, threat actors have turned to alternative malware distribution methods – most recently, malvertising,” Milenkoski explained.
“Given the large size of the audience threat actors can reach through malvertising, we expect malware to continue being distributed using this method.”
In other virtualization news, a recent report by Sysdig suggested that 87% of all container images are affected by high or critical vulnerabilities.
Some parts of this article are sourced from:
www.infosecurity-journal.com