New dotRunpeX malware – A threat spread through ads 


Check Point, a cybersecurity company, has released a report stating that a new malware called “dotRunpeX” is being developed to distribute various known malware families, such as BitRAT, Agent Tesla, and LokiBot.

“DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families,” Check Point said in a report posted last week.

Malicious Google Ads – dotRunpeX’s target

A new malware strain named “dotRunpeX” is on the loose, causing considerable concern for security experts worldwide. It is a second-stage malware in the infection chain, often transmitted through phishing emails or malicious Google Ads. 

The most recent version of dotRunpeX, first detected in October 2022, has added an extra layer of obfuscation to evade detection. The malware now employs the KoiVM virtualizing protector, which makes it even more challenging for cybersecurity experts to identify the threat.

DotRunpeX is a .NET-based injector that allows attackers to inject malicious code into legitimate processes. It has become a preferred tool for cybercriminals due to its ease of use and ability to bypass security measures.

There is more to dotRunpeX’s target

In addition to phishing emails, dotRunpeX is known to use malicious Google Ads on search result pages to lure unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers. This technique, called “search engine result page (SERP) poisoning,” aims to manipulate search engine rankings to deliver malicious links to users.

The malware is evolving, and it will likely find new ways to attack in the near future.

DotRunpeX malware abuses vulnerable Process Explorer driver to inject malware

Researchers at Check Point have recently discovered that the dotRunpeX malware uses a vulnerable Process Explorer driver (procexp.sys) to obtain kernel-mode execution, allowing it to inject various malware families into systems undetected.

Check Point’s analysis has revealed two concerning things:

  • Each dotRunpeX sample comes embedded with a specific payload of malware to be injected into the victim’s system.
  • The injector also specifies a list of anti-malware processes to be terminated to avoid detection.
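As an added example (not from this article, nor from Check Point's report), the Python sketch below shows how a defender could hunt for the two behaviours just described over endpoint telemetry: a load of the legitimately signed but vulnerable procexp.sys driver, and a request for terminate rights on a security-product process. It assumes Sysmon-style records (Event ID 6 for driver loads, Event ID 10 for process-access events); the sample records, the watched-driver list and the protected-process list are constructed placeholders.

```python
import ntpath
from dataclasses import dataclass

# Driver file names to watch. The article names procexp.sys; in practice this
# list is an assumption that a deployment would populate from a maintained
# vulnerable-driver catalogue rather than hard-code.
WATCHED_DRIVERS = {"procexp.sys"}

# Security-product process names whose termination is worth alerting on.
# Constructed placeholder list; adapt to the products actually deployed.
PROTECTED_PROCESSES = {"msmpeng.exe", "sense.exe", "mbamservice.exe"}

# PROCESS_TERMINATE bit of a Windows process access mask.
PROCESS_TERMINATE = 0x0001


@dataclass
class Alert:
    rule: str
    detail: str


def check_driver_load(ev):
    """Sysmon ID 6 style record: flag loads of a known-vulnerable driver.

    A valid signature does NOT clear the event: bring-your-own-vulnerable-driver
    abuse relies on the driver being legitimately signed, so the decision is
    made on the file name (and, in a real deployment, its hash), not on
    the Signed/Signature fields.
    """
    path = ev.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    if name in WATCHED_DRIVERS:
        return Alert("vulnerable-driver-load", f"{name} loaded from {path}")
    return None


def check_process_access(ev):
    """Sysmon ID 10 style record: flag terminate rights on a protected process."""
    target = ntpath.basename(ev.get("TargetImage", "")).lower()
    if target not in PROTECTED_PROCESSES:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_TERMINATE:
        source = ev.get("SourceImage", "")
        return Alert("security-process-terminate",
                     f"{source} requested PROCESS_TERMINATE on {target}")
    return None


def scan(events):
    """Run both checks over a sequence of event dicts and collect alerts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 6:
            alert = check_driver_load(ev)
        elif ev.get("EventID") == 10:
            alert = check_process_access(ev)
        else:
            alert = None
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one benign driver load, one watched driver
# loaded from a user-writable directory, one terminate request against an
# antivirus engine, and one benign terminate request against Notepad.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\procexp.sys",
     "Signed": "true"},
    {"EventID": 10, "SourceImage": r"C:\Users\victim\AppData\Roaming\update.exe",
     "TargetImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "GrantedAccess": "0x1"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1001"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Running the block prints two alerts for the sample data. The driver rule deliberately ignores the signature fields, since the whole point of the technique is that the driver is a signed, legitimate Sysinternals component; tuning for environments where administrators genuinely run Process Explorer is done by allow-listing the expected hash and loading path rather than by trusting the signature.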

Russian-speaking actors: A prime suspect 

dotRunpeX is suspected to be affiliated with Russian-speaking actors. The malware campaign was documented after a malvertising campaign previously revealed by Sentinel One. The campaign documented by Sentinel One involved the loader and injector components collectively called “MalVirt.”

Language references in the dotRunpeX code also suggest that the campaign may be affiliated with Russian-speaking actors. Check Point’s researchers have noted that the malware campaign is still in its early stages and is evolving rapidly. 

Conclusion 

The dotRunpeX malware campaign has been delivering a range of malware families, including RedLine, Raccoon, Vidar, Agent Tesla, and FormBook. The use of these malware families suggests that the actors behind the campaign are focused on information theft, as these families are known for stealing sensitive information such as login credentials, banking information, and personal data.

Author: PureVPN

Date: March 21, 2023
