A persistent Google ads malvertising campaign is disseminating malware installers that use KoiVM virtualization technology to avoid detection when installing the Formbook data stealer.
KoiVM is a ConfuserEx.NET protector plugin that obfuscates a program’s opcodes so that only the virtual machine understands them. The virtual machine then translates the opcodes back to their original form when the application is launched.
“Virtualization frameworks like KoiVM obfuscate executables by replacing original code, such as .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands,” according to a new SentinelLabs report.
“A virtual machine engine executes the virtualized code at runtime by translating it into the original code.”
“When used maliciously, virtualization complicates malware analysis and represents an attempt to evade static analysis mechanisms.”
SentinelLabs found Formbook being delivered in a Google advertising campaign by virtualized .NET loaders it dubbed ‘MalVirt,’ which drop the final payload without triggering antivirus alerts.
According to SentinelLabs, while KoiVM virtualization is popular for hacking tools and cracks, it is rarely used in malware distribution.
Instead, the security firm believes the new trend in its use is one of the many unintended consequences of Microsoft’s decision to disable macros in Office.
Abusing Google search ads
Researchers have seen an increase in the use of Google search ads to distribute malware such as RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys stealer, IcedID, Raccoon Stealer, and many others in the last month.
SentinelLabs observed threat actors distributing MalVirt loaders in ads purporting to be for the Blender 3D software in an ongoing campaign.
These bogus sites offer downloads with invalid digital signatures impersonating Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA.
While these invalid signatures will not fool Windows into treating the files as validly signed, the MalVirt loaders do include other features that help them avoid detection.
“For example, some samples patch the AmsiScanBuffer function in amsi.dll to avoid detection by the Antimalware Scan Interface (AMSI), which detects malicious PowerShell commands,” researcher A. Milenkoski explains.
“Furthermore, some strings (such as amsi.dll and AmsiScanBuffer) are Base-64 encoded and AES-encrypted in an attempt to evade static detection mechanisms.”
The loaders can also detect whether they are running in a virtualized environment by querying specific registry keys, and if so, the execution is halted to avoid detection.
MalVirt also employs a signed Microsoft Process Explorer driver known as “TaskKill,” which is loaded at system startup and allows it to modify running processes in order to avoid detection.
To avoid decompilation of the virtualized code, the loaders use a modified version of KoiVM with additional obfuscation layers, making devirtualization even more difficult.
SentinelLabs claims that this custom KoiVM implementation confuses standard devirtualization frameworks such as OldRod by obfuscating the virtual machine’s routines with arithmetic operations rather than simple assignments.
Milenkoski says it is possible to defeat the obfuscation in these MalVirt loaders and restore the order of KoiVM’s 119 constant variables. However, the additional obfuscation makes this laborious: existing automated tools are ineffective, so much of the work must be done by hand.
Hiding the infrastructure
In addition to the detection avoidance systems used in the malware loader, Formbook employs a new trick to disguise its real C2 (command and control) traffic and IP addresses.
The data-stealing malware mingles its legitimate traffic with various “smokescreen” HTTP requests, the content of which is encrypted and encoded so that it does not stand out.
The malware contacts these decoy addresses in random order, picking them from a hardcoded list of domains hosted by a range of providers.
According to SentinelLabs, in the samples it examined, Formbook communicated with 17 domains, only one of which was the actual C2 server, and the rest were merely decoys to confuse network traffic monitoring tools.
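As an added example (not code from the SentinelLabs report), the following Python script turns the decoy-traffic pattern described above into a simple proxy-log check: a client that POSTs small bodies to many distinct, unrelated domains within a short window is worth a closer look. The log format, host names, window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not real telemetry): timestamp, client, method, URL, bytes sent.
# Host 10.0.0.5 mimics a Formbook-style burst of beacons to one real C2 plus several decoys.
SAMPLE_LOG = """\
2023-02-01T10:00:01 10.0.0.5 POST http://alpha-decoy.example/index.php 412
2023-02-01T10:00:03 10.0.0.5 POST http://beta-decoy.example/index.php 398
2023-02-01T10:00:05 10.0.0.5 POST http://gamma-decoy.example/index.php 405
2023-02-01T10:00:07 10.0.0.5 POST http://delta-decoy.example/index.php 420
2023-02-01T10:00:09 10.0.0.5 POST http://real-c2.example/index.php 417
2023-02-01T10:00:11 10.0.0.5 POST http://epsilon-decoy.example/index.php 401
2023-02-01T10:05:00 10.0.0.7 GET http://www.example.com/ 0
2023-02-01T10:06:00 10.0.0.7 POST http://mail.example.com/login 230
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(log_text):
    """Parse the assumed log format into (timestamp, client, method, host, size) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, method, url, size = m.groups()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        events.append((datetime.fromisoformat(ts), client, method, host, int(size)))
    return events


def flag_spray(events, window=timedelta(seconds=60), min_hosts=5):
    """Return {client: sorted distinct POST hosts} for clients that POST to at least
    min_hosts different hosts inside any sliding window of the given length."""
    by_client = defaultdict(list)
    for ts, client, method, host, _size in events:
        if method == "POST":
            by_client[client].append((ts, host))
    flagged = {}
    for client, posts in by_client.items():
        posts.sort()
        for i, (start, _) in enumerate(posts):
            hosts = {h for t, h in posts[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[client] = sorted(hosts)
                break
    return flagged
```

The check deliberately does not try to tell the real C2 from the decoys; its job is to surface the burst so an analyst can look at all of the contacted domains together.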
This is a novel system based on an older malware strain, indicating that its operators are interested in enhancing it with new features that will help it hide from security tools and analysts.
It remains to be seen whether threat actors have completely switched malspam distribution of Formbook to Google search advertisements, but it is yet another example of why users should be cautious about the links they click in search results.