An ongoing malicious Google Ads campaign is spreading malware installers that use KoiVM virtualization to evade detection while installing the Formbook data stealer. KoiVM is a plugin for the ConfuserEx .NET protector that obfuscates a program's opcodes so that only its virtual machine understands them; once launched, the VM translates the code back into its original form to run the application. In the campaign spotted by SentinelLabs, the threat actors push the Formbook information-stealing malware through virtualized .NET loaders dubbed 'MalVirt', which deliver the final payload without triggering antivirus alerts.
In addition to the detection-avoidance measures in the loader, Formbook itself employs a new trick to evade detection: its communication with the command-and-control (C2) server is mixed in with HTTP requests to decoy domains, so that the real C2 traffic is harder to pick out. The malware sends these requests to domains picked at random from a hardcoded list, hosted by various companies. According to the researchers, the Formbook sample communicated with 17 domains, one of them being the real C2 and the other 16 being decoys.
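The decoy-domain pattern described above has a network-side signature a defender can look for: one host repeatedly cycling through the same fixed set of unrelated domains. The following is an added example, not code from the article or from SentinelLabs; it runs a simple heuristic over constructed proxy log lines (placeholder domain names, assumed thresholds) and flags hosts that contact many distinct registrable domains, each more than once, within one time window.

```python
"""
Added example (not from the article or SentinelLabs): flag hosts that cycle
through a fixed list of unrelated domains inside a short window, the traffic
pattern the article attributes to Formbook's decoy C2 requests.
All log lines are constructed; thresholds and domain names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed: how long one "round" of requests lasts
MIN_DISTINCT = 10               # assumed: a hardcoded list of ~17 names is suspicious
MIN_ROUNDS = 2                  # assumed: each name must be contacted at least twice


def registrable(domain):
    """Naive registrable-domain reduction (last two labels); a real deployment
    would use the Public Suffix List instead."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse(log_text):
    """Parse constructed lines of the form '<iso-timestamp> <src_host> <dst_domain>'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, registrable(domain)))
    return events


def find_decoy_cyclers(events):
    """Return {host: sorted list of domains} for hosts that, within WINDOW,
    contacted at least MIN_DISTINCT distinct domains MIN_ROUNDS or more times each.
    Request order does not matter, so random selection from the list is still caught."""
    by_host = defaultdict(list)
    for ts, host, dom in events:
        by_host[host].append((ts, dom))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            counts = defaultdict(int)
            for ts, dom in evs[i:]:
                if ts - start > WINDOW:
                    break
                counts[dom] += 1
            repeated = [d for d, n in counts.items() if n >= MIN_ROUNDS]
            if len(repeated) >= MIN_DISTINCT:
                flagged[host] = sorted(repeated)
                break
    return flagged


def detect_from_text(log_text):
    return find_decoy_cyclers(parse(log_text))


def build_sample_log():
    """Constructed sample: one host spraying 17 placeholder names (16 decoys plus
    one stand-in for the real C2) three times over, and one benign host."""
    base = datetime(2023, 2, 1, 10, 0, 0)
    lines = []
    decoys = [f"decoy-{i:02d}.example" for i in range(1, 17)] + ["c2-placeholder.example"]
    t = base
    for _round in range(3):
        for d in decoys:
            lines.append(f"{t.isoformat()} ws-17 {d}")
            t += timedelta(seconds=2)
    t = base
    for _ in range(6):
        for d in ["intranet.example", "mail.example", "docs.example"]:
            lines.append(f"{t.isoformat()} ws-02 {d}")
            t += timedelta(seconds=10)
    return "\n".join(lines)


if __name__ == "__main__":
    for host, domains in detect_from_text(build_sample_log()).items():
        print(f"{host}: {len(domains)} domains cycled within {WINDOW}")
```

The thresholds are deliberately loose; in a real environment they should be tuned against baseline traffic, and the host's process name or user agent added as a grouping key so that ordinary browsing across many sites is not mistaken for a fixed decoy list.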
These attacks show that threat actors are interested in giving old malware new life with new tactics. Google advertising attacks have become common, and users need to be cautious about the links they click, in the browser as well as in email.