Cybersecurity firm Check Point has reported on a new malware called dotRunpeX, which is being used to distribute various malware families, including Agent Tesla, BitRAT, FormBook, and Raccoon Stealer, among others.
The new malware is a .NET injector that uses the process hollowing technique to plant various known malware families on infected systems.
dotRunpeX is in active development and arrives as a second-stage payload in the infection chain, typically deployed by a downloader or loader that reaches victims as a malicious attachment in phishing emails.
In addition to phishing emails, the malware is known to leverage malicious Google Ads on search result pages to direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers.
The latest dotRunpeX artifacts, first spotted in October 2022, add an extra obfuscation layer by using the KoiVM virtualizing protector. Check Point’s analysis has further revealed that each dotRunpeX sample carries an embedded payload from a single malware family to be injected, and that the injector specifies a list of anti-malware processes to be terminated.
The malware is said to be in active development, and it bundles a vulnerable Process Explorer driver (procexp.sys) that it loads to obtain kernel-mode execution.
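The combination described above, a load of the vulnerable procexp.sys driver followed shortly by the termination of security-product processes, is a pattern a defender can look for in endpoint telemetry. The following is an added example, not code from Check Point or from the report; it assumes Sysmon-style key=value records (Event ID 6 DriverLoad, Event ID 5 ProcessTerminate), and the log lines, timestamps and paths are constructed. MsMpEng.exe is the Windows Defender engine process; "exampleav.exe" is a placeholder for a third-party agent.

```python
"""Correlate loads of a known-abused driver with security-process terminations."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Driver file names abused for kernel-mode execution; procexp.sys is the one the
# dotRunpeX report names, and the set can be extended with other vulnerable drivers.
ABUSED_DRIVER_NAMES = {"procexp.sys"}

# Processes treated as security tooling. MsMpEng.exe is Windows Defender's engine;
# "exampleav.exe" is a constructed placeholder for a third-party agent.
SECURITY_PROCESSES = {"msmpeng.exe", "exampleav.exe"}

# Constructed, Sysmon-like records (not real telemetry). EventID 6 = DriverLoad,
# EventID 5 = ProcessTerminate. Timestamps and paths are made up for illustration.
SAMPLE_EVENTS = [
    "UtcTime=2023-03-16 10:00:01 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\procexp.sys",
    "UtcTime=2023-03-16 10:00:02 EventID=5 Image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
    "UtcTime=2023-03-16 10:00:03 EventID=5 Image=C:\\Program Files\\ExampleAV\\exampleav.exe",
    "UtcTime=2023-03-16 11:30:00 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\usbhub.sys",
    "UtcTime=2023-03-16 12:00:00 EventID=5 Image=C:\\Windows\\System32\\notepad.exe",
]

# key=value pairs; a value runs until the next " key=" token, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value record into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive name matching."""
    return path.rsplit("\\", 1)[-1].lower()


def abused_driver_loads(lines: list[str]) -> list[tuple[datetime, str]]:
    """All DriverLoad events whose file name is on the abused-driver list."""
    loads = []
    for event in map(parse_event, lines):
        if event.get("EventID") == "6" and basename(event["ImageLoaded"]) in ABUSED_DRIVER_NAMES:
            loads.append((parse_time(event["UtcTime"]), event["ImageLoaded"]))
    return loads


def correlate(lines: list[str], window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Alert when a security process is terminated within `window` after an abused-driver load.

    A lone driver load may be a legitimate Process Explorer session; the follow-on
    kill of security tooling is what makes the sequence worth an alert.
    """
    loads = abused_driver_loads(lines)
    alerts = []
    for event in map(parse_event, lines):
        if event.get("EventID") != "5" or basename(event["Image"]) not in SECURITY_PROCESSES:
            continue
        killed_at = parse_time(event["UtcTime"])
        for loaded_at, driver in loads:
            if loaded_at <= killed_at <= loaded_at + window:
                alerts.append({
                    "driver": driver,
                    "terminated": event["Image"],
                    "seconds_after_load": (killed_at - loaded_at).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"ALERT: {alert['terminated']} ended {alert['seconds_after_load']:.0f}s "
              f"after {alert['driver']} was loaded")
```

Run against the constructed events, the script raises two alerts (Defender and the placeholder agent, one and two seconds after the driver load) and stays quiet on the benign usbhub.sys load and the notepad.exe exit. In production the same logic would sit on a real Sysmon or EDR feed, the driver list would be extended with hashes of known-vulnerable builds, and the window tuned to the environment.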
Check Point’s analysis suggests that the malware could be affiliated with Russian-speaking actors based on the language references in the code.
The malware families most frequently delivered by the emerging threat include RedLine, Raccoon, Vidar, Agent Tesla, and FormBook.
The findings are in line with a malvertising campaign documented by SentinelOne last month, in which the loader and injector components were collectively referred to as MalVirt.