Google Advertisements Promote Antivirus-Evading 'Virtualized' Malware

Google advertisements are being used by a malvertising campaign to spread malware installers that rely on KoiVM virtualization to evade antivirus detection. KoiVM is a plugin for the ConfuserEx .NET protector: it replaces a program's opcodes with obfuscated virtual-machine instructions and translates them back to their original form only when the virtual machine runs. When put to malicious use, virtualization makes malware analysis considerably harder and is an attempt to defeat static analysis.

What is the Threat?

The threat is a Google advertisement campaign that pushes the Formbook information-stealing malware through virtualized .NET loaders dubbed 'MalVirt', which deliver the final payload without triggering antivirus alerts. The MalVirt loaders include several detection-evasion features, such as patching the AmsiScanBuffer function, encoding strings, and checking whether they are running in a virtualized environment. The loaders also use a signed Microsoft Process Explorer driver and additional obfuscation layers to make analysis more challenging.
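A triage check that follows from the KoiVM and ConfuserEx layering described above: a plain compiler-emitted .NET assembly carries only the metadata streams defined by ECMA-335, so any extra stream in the CLI metadata root is a cheap indicator that a protector has added its own data. The code below is an added example, not code from the original article or from any of the projects it names; the sample input is constructed, and the "#Koi" stream name is assumed from the public KoiVM build (the name is configurable there).

```python
import struct
from typing import List, Tuple

# Streams defined by ECMA-335 partition II.24.2; a normal assembly has only these.
STANDARD_STREAMS = {"#~", "#-", "#Strings", "#US", "#GUID", "#Blob"}

def parse_metadata_streams(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, offset, size) for each stream header in the CLI metadata root.
    Works on a whole PE image read into memory: the root is found by signature."""
    root = data.find(b"BSJB")  # metadata root signature, ECMA-335 II.24.2.1
    if root < 0:
        raise ValueError("no CLI metadata root found")
    # Signature, MajorVersion, MinorVersion, Reserved, Length of version string
    _sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", data, root)
    pos = root + 16 + ver_len              # version string is stored already padded
    _flags, nstreams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = []
    for _ in range(nstreams):
        offset, size = struct.unpack_from("<II", data, pos)
        name_start = pos + 8
        name_end = data.index(b"\x00", name_start)
        name = data[name_start:name_end].decode("ascii")
        name_len = name_end + 1 - name_start
        name_len += (-name_len) % 4        # names are null-padded to a 4-byte boundary
        pos = name_start + name_len
        streams.append((name, offset, size))
    return streams

def nonstandard_streams(data: bytes) -> List[str]:
    """Stream names that a plain compiler-emitted assembly would not contain."""
    return [n for n, _, _ in parse_metadata_streams(data) if n not in STANDARD_STREAMS]

def build_sample_metadata_root(names: List[bytes]) -> bytes:
    """Constructed test input: a metadata root with the given stream names (no real tables)."""
    version = b"v4.0.30319\x00"
    version += b"\x00" * ((-len(version)) % 4)
    blob = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
    blob += struct.pack("<HH", 0, len(names))
    for i, name in enumerate(names):
        padded = name + b"\x00"
        padded += b"\x00" * ((-len(padded)) % 4)
        blob += struct.pack("<II", 0x40 + 0x10 * i, 0x10) + padded
    return blob

# Constructed sample: the standard streams plus "#Koi", assumed to be the stream
# name the public KoiVM build uses for its virtualized code.
SAMPLE_KOI = build_sample_metadata_root([b"#~", b"#Strings", b"#US", b"#GUID", b"#Blob", b"#Koi"])

if __name__ == "__main__":
    for name, offset, size in parse_metadata_streams(SAMPLE_KOI):
        print(f"{name:10s} offset=0x{offset:x} size=0x{size:x}")
    print("non-standard streams:", nonstandard_streams(SAMPLE_KOI))
```

An unexpected stream is only a hint that a protector touched the file, not proof of malice; use it to prioritise samples for deeper analysis.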

Why is it Noteworthy?

KoiVM virtualization is popular for hacking tools and cracks, but it is seldom seen in malware distribution. The security firm believes this new use of it may be one of several side effects of Microsoft's decision to disable macros in Office by default. The campaign is also noteworthy because it is part of a growing trend of abusing Google search ads to distribute malware.

What is the Exposure or Risk?

The exposure or risk is that individuals or organizations who download software from the malicious Google advertisements will be infected with the Formbook information-stealing malware. Formbook can steal sensitive information such as passwords and credit card numbers. Because the loaders use several techniques to evade detection and analysis, the infection is harder to spot and to remove.

What are the Recommendations?

To avoid a Formbook infection, download software only from trusted and reputable sources. Keep up-to-date antivirus software installed, and keep all software and operating systems patched. Additionally, be cautious when clicking on advertisements, and verify that a website is genuine before downloading anything from it.
