New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,072
Content source
https://thehackernews.com/2023/03/new-dotrunpex-malware-delivers-multiple.html
A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.

"DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check Point said in a report published last week.

Said to be in active development, dotRunpeX arrives as a second-stage malware in the infection chain, often deployed via a downloader (aka loader) that's transmitted through phishing emails as malicious attachments.

Alternatively, it's known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers.
Click to expand...
thehackernews.com

New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads

dotRunpeX is a new malware injector that's distributing various known malware families via phishing emails & malicious Google Ads.
thehackernews.com thehackernews.com

Highlights:​

  • Check Point Research (CPR) provides an in-depth analysis of the dotRunpeX injector and its relation to the older version
  • DotRunpeX is protected by virtualization (a customized version of KoiVM) and obfuscation (ConfuserEx) – both were defeated
  • Investigation shows that dotRunpeX is used in the wild to deliver numerous known malware families
  • Commonly distributed via phishing emails as malicious attachments and websites masquerading as regular program utilities
  • We confirmed and detailed the malicious use of a vulnerable process explorer driver to disable the functionality of Anti-Malware services
  • CPR introduces several PoC techniques that were approved to be effective for reverse engineering protected or virtualized dotnet code
Click to expand...
research.checkpoint.com

DotRunpeX - demystifying new virtualized .NET injector used in the wild - Check Point Research

ImplMap2x64dbgInvoke-DotRunpeXextract
research.checkpoint.com research.checkpoint.com
 
  • +Reputation
  • Like
  • Wow
Reactions: Gandalf_The_Grey, upnorth, harlan4096 and 1 other person
You must log in or register to reply here.

Similar threads

Victor M
    • Wow
    • +Reputation
    • Like
Security News Session token stealer survive Google password reset
Replies
2
Views
1,442
Security News
vtqhtr413
vtqhtr413
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Malware News Over 200 malicious apps on Google Play downloaded millions of times
Replies
1
Views
1,169
Security News
Digmor Crusher
Digmor Crusher
silversurfer
    • Like
    • +Reputation
Malware News Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware
Replies
0
Views
1,922
Security News
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top