New dotRunpeX malware – A threat spread through ads 


Check Point, a cybersecurity company, has published a report on a new malware injector called “dotRunpeX” that is being used to distribute several known malware families, including BitRAT, Agent Tesla, and LokiBot.

“DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families,” Check Point said in a report posted last week.

Malicious Google Ads – dotRunpeX’s delivery channel

dotRunpeX is a second-stage component in the infection chain: the victim first runs a lure delivered by a phishing email or a malicious Google Ad, and that first stage drops the injector, which in turn injects the final payload.

The most recent version of dotRunpeX, seen since October 2022, adds a further layer of obfuscation: it is protected with the KoiVM virtualizing protector, which turns the .NET code into custom virtual-machine bytecode and makes static analysis considerably harder.

DotRunpeX is a .NET-based injector: it starts a legitimate process and replaces its code with the embedded payload (process hollowing), so the malicious code runs under a trusted image name. It is attractive to criminals because it is simple to operate and the hollowed process helps the payload evade process-based detections.

There is more to dotRunpeX’s targeting

In addition to phishing emails, dotRunpeX is also known for leveraging malicious Google Ads on search engine results pages (SERPs) to deceive users searching for popular software like AnyDesk and LastPass. These ads redirect victims to fake websites hosting trojanized installers.

This technique is a form of malvertising, sometimes described as search engine results page (SERP) poisoning: the paid ad sits above the organic results and carries the vendor’s name, so the victim lands on a look-alike site instead of the real one. Defenders can reduce exposure by monitoring the landing domains behind brand-keyword ads and by checking that an installer was downloaded from, and is signed by, the vendor before it is run.
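The landing-domain check described above, as an added example that is not code from the article or from Check Point: it classifies the host behind an ad (or a proxy-log URL) as the vendor’s own domain, a look-alike, or unrelated. The vendor domains are assumed to be the real anydesk.com and lastpass.com; every candidate host in the block is constructed, using the reserved .test TLD so nothing resolves.

```python
"""Flag ad landing domains that impersonate a software vendor.

Added example, not code from the article or from Check Point. Vendor domains
are assumed to be the real anydesk.com / lastpass.com; every candidate host
below is constructed for this example.
"""

LEGIT_DOMAINS = {"anydesk.com", "lastpass.com"}   # assumed vendor domains


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_landing_host(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'vendor', 'lookalike' or 'unrelated' for a landing host.

    The registrable domain is approximated as the last two labels, which is
    fine for .com/.test but would need a public-suffix list for ccTLDs
    such as co.uk.
    """
    host = host.lower().strip().rstrip(".")
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    if registrable in legit:
        return "vendor"                      # e.g. www.anydesk.com
    # The real name appears as a subdomain of an unrelated registrable domain,
    # e.g. anydesk.com.evil.test: the brand is present but is not what was registered.
    if any(d in host for d in legit):
        return "lookalike"
    sld = labels[-2] if len(labels) >= 2 else host
    for brand in (d.split(".")[0] for d in legit):
        # brand embedded in the label (lastpass-setup) or a near-miss spelling (anydessk)
        if brand in sld or edit_distance(sld, brand) <= max_distance:
            return "lookalike"
    return "unrelated"


def triage(hosts):
    """Map each candidate host to its classification."""
    return {h: classify_landing_host(h) for h in hosts}


if __name__ == "__main__":
    # Constructed candidates; .test is reserved and never resolves.
    for host, verdict in triage(["www.anydesk.com", "anydessk.test",
                                 "lastpass-setup.test", "anydesk.com.evil.test",
                                 "example.test"]).items():
        print(f"{verdict:10} {host}")
```

The subdomain case is checked before the edit-distance case on purpose: a host such as anydesk.com.evil.test contains the vendor name verbatim, so a distance threshold would never catch it, while the substring test does. In production the two-label registrable-domain approximation should be replaced with a public-suffix lookup.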

The injector is under active development, and its delivery methods are likely to change.

DotRunpeX malware abuses a vulnerable Process Explorer driver to disable security software

Check Point’s researchers found that dotRunpeX also brings along a vulnerable, legitimately signed Process Explorer driver (procexp.sys) and loads it to obtain kernel-mode execution. It uses that access to terminate anti-malware processes, so the subsequent user-mode injection of the payload proceeds without interference.

Check Point’s analysis revealed two further points:

  • Each dotRunpeX sample comes embedded with a specific payload of malware to be injected into the victim’s system.
  • The injector also specifies a list of anti-malware processes to be terminated to avoid detection.
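The driver abuse and the process-kill list above together give a detection opportunity. The Process Explorer driver is also loaded legitimately whenever the Sysinternals tool runs, so the load alone is a weak signal; the abuse pattern in telemetry is a procexp*.sys load followed shortly by security processes terminating. The following detector, an added example that is not code from the article or from Check Point, correlates the two over Sysmon-style records (Event 6 = DriverLoad, Event 5 = ProcessTerminate). The records are constructed for this example, and SECURITY_PROCESSES is an illustrative list that should be extended with the service names of whatever EDR is deployed.

```python
"""Correlate a Process Explorer driver load with anti-malware process kills.

Added example, not code from the article or from Check Point. Field names
follow Sysmon (Event 6 = DriverLoad, Event 5 = ProcessTerminate); the
records below are constructed, and SECURITY_PROCESSES is illustrative.
"""
import ntpath
import re
from datetime import datetime, timedelta

SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe"}   # illustrative; add your EDR's services
DRIVER_PATTERN = re.compile(r"procexp\d*\.sys$", re.IGNORECASE)
DEFAULT_WINDOW = timedelta(seconds=60)

# Constructed Sysmon-like records (a real pipeline would parse the event XML/JSON).
SAMPLE_EVENTS = [
    {"time": "2023-03-10T12:00:01", "event_id": 6,
     "ImageLoaded": "C:\\Windows\\procexp152.sys"},
    {"time": "2023-03-10T12:00:03", "event_id": 5,
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"time": "2023-03-10T12:00:04", "event_id": 5,
     "Image": "C:\\Program Files\\Windows Defender\\NisSrv.exe"},
    {"time": "2023-03-10T12:00:05", "event_id": 5,
     "Image": "C:\\Windows\\System32\\notepad.exe"},   # unrelated noise
    {"time": "2023-03-10T12:30:00", "event_id": 6,
     "ImageLoaded": "C:\\Windows\\procexp152.sys"},    # benign load: nothing killed after it
]


def detect_driver_assisted_kills(events, window=DEFAULT_WINDOW, min_kills=1):
    """Return one alert per procexp*.sys load that is followed, within `window`,
    by the termination of at least `min_kills` known security processes."""
    events = sorted(events, key=lambda e: e["time"])   # ISO-8601 strings sort correctly
    alerts = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 6 or not DRIVER_PATTERN.search(ev["ImageLoaded"]):
            continue
        loaded_at = datetime.fromisoformat(ev["time"])
        killed = []
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["time"]) - loaded_at > window:
                break                                  # sorted, so nothing later qualifies
            if later["event_id"] != 5:
                continue
            # ntpath splits backslash paths correctly even when this runs on Linux.
            if ntpath.basename(later["Image"]).lower() in SECURITY_PROCESSES:
                killed.append(later["Image"])
        if len(killed) >= min_kills:
            alerts.append({"driver": ev["ImageLoaded"], "loaded_at": ev["time"],
                           "terminated": killed})
    return alerts


if __name__ == "__main__":
    for alert in detect_driver_assisted_kills(SAMPLE_EVENTS):
        print(f"{alert['loaded_at']} {alert['driver']} -> "
              f"{len(alert['terminated'])} security process(es) terminated: "
              f"{', '.join(alert['terminated'])}")
```

The second driver load in the sample data produces no alert because no security process terminates after it, which is the behaviour you want when an administrator simply runs Process Explorer. Raising min_kills, or requiring the terminated processes to belong to more than one product, trades a little recall for fewer false positives.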

Russian-speaking actors: A prime suspect 

dotRunpeX is suspected to be linked to Russian-speaking actors. Check Point’s report follows a malvertising campaign previously documented by SentinelOne, whose loader and injector components were collectively named “MalVirt.”

Russian-language references in the dotRunpeX code also point to Russian-speaking actors. Check Point’s researchers note that the campaign is still in its early stages and is evolving rapidly.

Conclusion 

The dotRunpeX malware campaign has been delivering a range of malware families, including RedLine, Raccoon, Vidar, Agent Tesla, and FormBook. The use of these malware families suggests that the actors behind the campaign are focused on information theft, as these families are known for stealing sensitive information such as login credentials, banking information, and personal data.

author

PureVPN

date

March 21, 2023
