A new piece of malware known as dotRunpeX is being used to deliver numerous well-known malware families, including Raccoon Stealer, Agent Tesla, LokiBot, Ave Maria, BitRAT, FormBook, NetWire, RedLine Stealer, Vidar, Remcos, and Rhadamanthys. “DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families,” reads a report from security firm Check Point. dotRunpeX has been delivered through malicious Google ads placed on search result pages, which direct users searching for popular software such as AnyDesk and LastPass to trojanized installers.

The most recent dotRunpeX artifacts, first observed in October 2022, use the KoiVM virtualizing protector to add a further layer of obfuscation on top of the .NET code. The findings overlap with a malvertising campaign documented by SentinelOne last month, in which the loader and injector components were collectively referred to as MalVirt.
According to Check Point’s analysis, “each dotRunpeX sample has an embedded payload of a certain malware family to be injected,” and each sample also carries a list of anti-malware processes to be terminated before injection. The termination is achieved by abusing a vulnerable Process Explorer driver (procexp.sys) embedded in dotRunpeX to obtain kernel-mode execution, a Bring Your Own Vulnerable Driver (BYOVD) technique. Because the driver is a legitimately signed Sysinternals component, driver signature enforcement does not stop it from loading; defenders need to watch for the driver being loaded from unusual locations and for security processes being killed shortly afterwards. The malware may be linked to Russian-speaking threat actors, an assessment based on language references in the code. The threat currently distributes mainly the Raccoon, RedLine, Vidar, Agent Tesla, and FormBook malware families.
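The following correlation rule is an added example written for this page, not code from Check Point or from the malware itself. It illustrates how a detection engineer could hunt for the BYOVD pattern described above: a Process Explorer driver (procexp*.sys) is loaded, and anti-malware processes are terminated within a short window afterwards. The log format, the anti-malware process watch-list, the time window and the sample events are all constructed assumptions for the example; they are not indicators published in the report.

```python
"""Correlate a Process Explorer driver load with anti-malware process
terminations shortly afterwards (the dotRunpeX BYOVD kill pattern).

Events use a constructed, Sysmon-like text format for the example:
    <ISO-8601 timestamp>|<DriverLoad or ProcessTerminate>|<image path>
None of the sample lines below is real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List
import ntpath

# Assumed watch-list of anti-malware process names (illustrative; tune per estate).
AV_PROCESSES = {"msmpeng.exe", "avp.exe", "ekrn.exe", "mbamservice.exe"}

# Assumed window: kills that follow the driver load within this span are correlated.
WINDOW = timedelta(seconds=120)


@dataclass
class Event:
    ts: datetime
    kind: str    # "DriverLoad" or "ProcessTerminate"
    image: str   # ImageLoaded for DriverLoad, Image for ProcessTerminate


@dataclass
class Alert:
    driver_path: str
    loaded_at: datetime
    killed: List[str]   # full image paths of terminated security processes


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, kind, image = line.strip().split("|", 2)
    return Event(datetime.fromisoformat(ts), kind, image)


def is_procexp_driver(path: str) -> bool:
    """True for any Process Explorer driver image (procexp.sys, procexp152.sys, ...).

    A code-signature check would not help here: the driver is a legitimately
    signed Sysinternals binary, which is exactly why BYOVD works.
    """
    name = ntpath.basename(path).lower()
    return name.startswith("procexp") and name.endswith(".sys")


def correlate(lines: Iterable[str]) -> List[Alert]:
    """Raise one Alert per procexp driver load that is followed, within WINDOW,
    by the termination of at least one watch-listed anti-malware process."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        if ev.kind != "DriverLoad" or not is_procexp_driver(ev.image):
            continue
        killed = [
            e.image for e in events[i + 1:]
            if e.kind == "ProcessTerminate"
            and e.ts - ev.ts <= WINDOW
            and ntpath.basename(e.image).lower() in AV_PROCESSES
        ]
        if killed:
            alerts.append(Alert(ev.image, ev.ts, killed))
    return alerts


def killed_names(alert: Alert) -> List[str]:
    """Lower-cased basenames of the processes an alert says were killed."""
    return [ntpath.basename(p).lower() for p in alert.killed]


# Constructed sample log: the second driver load (from the drivers directory,
# with an AV termination half an hour later) must NOT fire.
SAMPLE_LOG = """\
2023-03-01T10:00:00|DriverLoad|C:\\Windows\\System32\\drivers\\tcpip.sys
2023-03-01T10:00:05|DriverLoad|C:\\Users\\victim\\AppData\\Local\\Temp\\procexp152.sys
2023-03-01T10:00:07|ProcessTerminate|C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe
2023-03-01T10:00:09|ProcessTerminate|C:\\Windows\\explorer.exe
2023-03-01T10:00:10|ProcessTerminate|C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe
2023-03-01T12:00:00|DriverLoad|C:\\Windows\\System32\\drivers\\procexp152.sys
2023-03-01T12:30:00|ProcessTerminate|C:\\Program Files\\ESET\\ekrn.exe
""".splitlines()

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[ALERT] {a.driver_path} loaded at {a.loaded_at.isoformat()}; "
              f"security processes killed: {', '.join(killed_names(a))}")
```

The rule deliberately keys on the driver name rather than on a hash, because the attacker can ship any vulnerable version of the driver; in production the watch-list and the time window should be tuned to the environment, and a genuine Process Explorer session (driver load with no subsequent security-process kills) stays silent.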