The Formbook data stealer is being distributed by malware installers that use KoiVM virtualization technology to avoid detection in an ongoing Google Ads malvertising campaign. The KoiVM plugin for ConfuserEx .NET protects programs by obfuscating their opcodes so that only the virtual machine can decipher them. The virtual machine then converts the opcodes back to their original form when the program is started, enabling the application to run.
“Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands,” explains a new report by SentinelLabs. “A virtual machine engine executes the virtualized code by translating it into the original code at runtime.”
In a Google advertising campaign detected by SentinelLabs, threat actors promote the Formbook information-stealing malware using virtualized .NET loaders dubbed “MalVirt,” which deliver the final payload without triggering antivirus warnings. While KoiVM virtualization is well known from hacking tools and cracks, SentinelLabs notes that it is rarely employed in malware distribution. The security company believes that the new trend in its use may be one of the many unintended consequences of Microsoft’s decision to disable macros in Office.
Researchers have noticed an upsurge in the abuse of Google search advertisements over the last month to distribute various malware, including RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys Stealer, IcedID, Raccoon Stealer, and many others. In the ongoing campaign that SentinelLabs has observed, threat actors promote the MalVirt loaders in adverts that appear to be for the Blender 3D program. The downloads on these fraudulent websites carry invalid digital signatures that purport to be from Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA. Although Windows does not treat these invalid signatures as valid, the MalVirt loaders can still evade detection.
The loaders may also determine whether they are running in a virtualized environment by checking certain registry keys; if so, execution is halted to avoid analysis. MalVirt additionally employs a signed Microsoft Process Explorer driver, loaded as “TaskKill” during system startup, which allows it to tamper with running processes to avoid detection. The loaders also use a customized version of KoiVM that adds extra obfuscation layers to prevent the virtualized code from being decompiled, making it much harder to decipher.
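A defender's hunting heuristic for the driver abuse described above. This is an added example, not code from the article or from SentinelLabs: it assumes driver-load telemetry that records the path a driver was loaded from, the OriginalFilename field of the file's PE version resource, and the Authenticode verification result. The sample records, file names and directory list are constructed for illustration, not real events or known-bad indicators.

```python
"""Flag signed drivers loaded under a different name or from an unusual path.

Added example (not the article's or SentinelLabs' code). Assumes telemetry
with: image path, PE OriginalFilename, and signature verification result.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class DriverLoad:
    image_path: str          # path the kernel loaded the driver from
    original_filename: str   # OriginalFilename from the PE version resource
    signature_valid: bool    # Authenticode verification result


# Constructed sample events (hypothetical). The second one mimics the pattern
# in the article: a legitimately signed Process Explorer driver loaded under
# the unrelated name "TaskKill". File names are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\procexp.sys", "procexp.sys", True),
    DriverLoad(r"C:\Windows\Temp\TaskKill.sys", "procexp.sys", True),
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys", "tcpip.sys", True),
    DriverLoad(r"C:\Users\Public\dropped.sys", "dropped.sys", False),
]

# Directories where driver loads are expected (assumption; tune per environment).
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers",)


def is_renamed(event: DriverLoad) -> bool:
    """True when the on-disk name differs from the name compiled into the PE."""
    loaded = PureWindowsPath(event.image_path).name.lower()
    original = event.original_filename.lower()
    return bool(original) and loaded != original


def outside_trusted_dirs(event: DriverLoad) -> bool:
    """True when the driver was loaded from outside the expected directories."""
    parent = str(PureWindowsPath(event.image_path).parent).lower()
    return not any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS)


def score(event: DriverLoad) -> list:
    """Return the list of reasons this load deserves a look (empty = benign)."""
    reasons = []
    if is_renamed(event):
        reasons.append("loaded under a name that differs from its OriginalFilename")
    if outside_trusted_dirs(event):
        reasons.append("loaded from outside the standard driver directory")
    if not event.signature_valid:
        reasons.append("signature does not verify")
    return reasons


def triage(events) -> list:
    """Pair each suspicious event's path with its reasons; drop clean events."""
    return [(e.image_path, reasons) for e in events if (reasons := score(e))]


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path)
        for r in reasons:
            print("  -", r)
```

The point of the first check is that a valid signature alone says nothing about intent: a legitimately signed utility driver can still be dropped under a new name and loaded by a loader, so the comparison between the load name and the PE's own OriginalFilename is what surfaces the abuse.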
SentinelLabs says that this customized KoiVM implementation obscures its internal mapping using arithmetic operations rather than plain assignments, which confuses common devirtualization frameworks such as OldRod. According to Milenkoski, it is feasible to circumvent the obfuscation in these MalVirt loaders and restore the 119 constant variables in KoiVM to their original order, but the added obscurity makes this challenging and requires heavy manual effort because existing automated tools are ineffective against it.
Along with all the detection avoidance mechanisms used by the malware loader, Formbook itself employs a novel technique to cloak its actual C2 (command and control) traffic and IP addresses. The data-stealing malware mixes its real traffic with numerous “smokescreen” HTTP requests, each with content encrypted and encoded so that it blends in with the genuine traffic. The malware randomly selects the destinations for these requests from a hardcoded list of domains hosted by different firms.
According to SentinelLabs, just one of the 17 domains Formbook communicated with in the samples it examined was the genuine C2 server; the others served only as decoy hosts to fool network traffic monitoring tools. This new mechanism in an older malware strain suggests that its developers are interested in adding capabilities that help it evade security tools and analysts. It is unclear whether threat actors have moved Formbook’s distribution entirely from malspam to Google search adverts, but the campaign illustrates why users should be cautious when clicking links in search results.
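A detection heuristic for the smokescreen pattern described in the two paragraphs above. This is an added example, not code from the article or from SentinelLabs. It assumes a simplified proxy log format (timestamp, source IP, process name, method, host, bytes sent) and the thresholds are assumptions to be tuned per environment; the log lines and domain names are constructed. The idea is that, even when the real C2 cannot be distinguished from the decoys, a single process posting near-identical-sized blobs to many unrelated domains in a short window stands out from ordinary browsing.

```python
"""Surface fan-out beaconing: one process, many hosts, uniform POST sizes.

Added example (not the article's or SentinelLabs' code). Log format and
thresholds are assumptions; sample lines are constructed.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy log lines (hypothetical):
#   epoch_seconds src_ip process method host bytes_sent
SAMPLE_LOG = """\
1675000001 10.0.0.5 sample.exe POST decoy-a.test 412
1675000003 10.0.0.5 sample.exe POST decoy-b.test 408
1675000005 10.0.0.5 sample.exe POST decoy-c.test 415
1675000007 10.0.0.5 sample.exe POST decoy-d.test 410
1675000009 10.0.0.5 sample.exe POST decoy-e.test 409
1675000011 10.0.0.5 sample.exe POST decoy-f.test 413
1675000013 10.0.0.5 sample.exe POST decoy-g.test 411
1675000015 10.0.0.5 sample.exe POST decoy-h.test 414
1675000002 10.0.0.7 browser.exe GET news.test 120
1675000004 10.0.0.7 browser.exe POST mail.test 3400
1675000006 10.0.0.7 browser.exe GET cdn.test 890
"""

MIN_DISTINCT_HOSTS = 6   # assumed fan-out threshold within one window
MAX_SIZE_CV = 0.10       # assumed max coefficient of variation of POST sizes
WINDOW_SECONDS = 300     # assumed sliding-window length


@dataclass
class Finding:
    src_ip: str
    process: str
    hosts: list      # distinct hosts contacted in the flagged window
    size_cv: float   # pstdev / mean of the request sizes in that window


def parse_log(text: str) -> list:
    """Parse the simplified log format into tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, method, host, nbytes = line.split()
        records.append((int(ts), src, proc, method, host, int(nbytes)))
    return records


def detect_fanout(text: str) -> list:
    """Return one Finding per (src_ip, process) whose POSTs look like fan-out beacons."""
    by_key = defaultdict(list)
    for ts, src, proc, method, host, nbytes in parse_log(text):
        if method == "POST":                       # encrypted blobs go out as POST bodies
            by_key[(src, proc)].append((ts, host, nbytes))

    findings = []
    for (src, proc), events in by_key.items():
        events.sort()
        best = None
        for i, (start_ts, _, _) in enumerate(events):
            # Every event within WINDOW_SECONDS of this one (events are sorted).
            window = [e for e in events[i:] if e[0] - start_ts <= WINDOW_SECONDS]
            hosts = sorted({h for _, h, _ in window})
            if len(hosts) < MIN_DISTINCT_HOSTS:
                continue
            sizes = [n for _, _, n in window]
            mean = statistics.mean(sizes)
            cv = statistics.pstdev(sizes) / mean if mean else float("inf")
            # Uniform sizes across many unrelated hosts is the tell; keep the widest window.
            if cv <= MAX_SIZE_CV and (best is None or len(hosts) > len(best.hosts)):
                best = Finding(src, proc, hosts, cv)
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_fanout(SAMPLE_LOG):
        print(f"{f.src_ip} {f.process}: {len(f.hosts)} hosts, size CV {f.size_cv:.4f}")
```

This heuristic deliberately does not try to pick out the real C2 from the decoys; the article's point is that the decoys exist precisely to defeat that. Instead it flags the host and process for follow-up, where the full set of contacted domains can be reviewed together rather than one connection at a time.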