Week 5: FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection
A malvertising campaign is distributing virtualized .NET loaders, tracked as MalVirt, that install the FormBook information stealer. The malicious ads are placed in search engine results for well-known applications, so a user who downloads what looks like the advertised installer instead receives a trojanized executable. The loader also drops a copy of the legitimately signed Microsoft Sysinternals Process Explorer driver and loads it to obtain kernel-level privileges, which it uses to terminate processes belonging to security products that could detect its presence on the system.
The MalVirt loaders combine heavy obfuscation and virtualization for anti-analysis and evasion with abuse of the Process Explorer driver to kill processes. They are protected with KoiVM, a virtualizing protector for .NET applications, which hides the loader's real logic from static analysis while it delivers the FormBook payload.
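The driver abuse described above is a bring-your-own-vulnerable-driver (BYOVD) pattern: the driver is genuine and correctly signed, so signature checks alone will not flag it. What a defender can key on is context. The following Python is an added example, not code from the article or from the researchers it cites: it runs a hypothetical heuristic over Sysmon-style DriverLoad (Event ID 6) and ProcessCreate (Event ID 1) records and flags a load of the Process Explorer driver that is not preceded by a Process Explorer process, or that arrives under a different file name. The driver hashes, process names, paths and every log record are constructed placeholders, not real indicators.

```python
"""Hypothetical BYOVD heuristic for the Process Explorer driver.

Added example; not from the article.  Record shapes mimic Sysmon Event ID 6
(DriverLoad) and Event ID 1 (ProcessCreate) fields, but all hashes, paths and
events below are constructed for illustration.
"""
from datetime import datetime, timedelta
import ntpath

# Assumption: an allow-list of SHA256 hashes of legitimate Process Explorer
# driver builds, maintained by the defender.  Placeholder values, not real hashes.
PROCEXP_DRIVER_SHA256 = {"aa" * 32, "bb" * 32}
# Processes that legitimately load that driver (assumption).
PROCEXP_IMAGES = {"procexp.exe", "procexp64.exe"}
# Process Explorer drops its driver as PROCEXP152.SYS on current versions (assumption).
PROCEXP_DRIVER_PREFIX = "procexp"
WINDOW = timedelta(minutes=5)
SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {ALGO: hexdigest}."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        out[algo.strip().upper()] = digest.strip().lower()
    return out


def find_byovd_candidates(events):
    """Return DriverLoad events whose driver hash is a known Process Explorer
    driver but whose context does not look like Process Explorer itself."""
    proc_starts = [
        (datetime.strptime(e["UtcTime"], SYSMON_TS), ntpath.basename(e["Image"]).lower())
        for e in events if e["EventID"] == 1
    ]
    findings = []
    for e in events:
        if e["EventID"] != 6:
            continue
        sha256 = parse_hashes(e["Hashes"]).get("SHA256")
        if sha256 not in PROCEXP_DRIVER_SHA256:
            continue  # not the driver we care about
        t = datetime.strptime(e["UtcTime"], SYSMON_TS)
        reasons = []
        # Signal 1: nothing resembling Process Explorer started shortly before the load.
        if not any(name in PROCEXP_IMAGES and t - WINDOW <= pt <= t for pt, name in proc_starts):
            reasons.append("no Process Explorer process created in the preceding %d minutes"
                           % (WINDOW.seconds // 60))
        # Signal 2: known driver bytes under a name Process Explorer never uses.
        base = ntpath.basename(e["ImageLoaded"]).lower()
        if not base.startswith(PROCEXP_DRIVER_PREFIX):
            reasons.append("driver bytes match Process Explorer but file is named %r" % base)
        if reasons:
            findings.append({"UtcTime": e["UtcTime"], "ImageLoaded": e["ImageLoaded"],
                             "reasons": reasons})
    return findings


# Constructed sample telemetry: a benign Process Explorer session, then a loader
# that drops the same driver bytes under another name with no Process Explorer around.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-02-06 10:00:00.000",
     "Image": r"C:\Tools\procexp64.exe"},
    {"EventID": 6, "UtcTime": "2023-02-06 10:00:03.000",
     "ImageLoaded": r"C:\Windows\System32\Drivers\PROCEXP152.SYS",
     "Hashes": "SHA256=" + "aa" * 32 + ",MD5=" + "11" * 16},
    {"EventID": 1, "UtcTime": "2023-02-06 11:30:00.000",
     "Image": r"C:\Users\victim\AppData\Local\Temp\installer.exe"},
    {"EventID": 6, "UtcTime": "2023-02-06 11:30:02.000",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\pxdrv.sys",
     "Hashes": "SHA256=" + "bb" * 32 + ",MD5=" + "22" * 16},
    {"EventID": 6, "UtcTime": "2023-02-06 11:31:00.000",
     "ImageLoaded": r"C:\Windows\System32\Drivers\other.sys",
     "Hashes": "SHA256=" + "cc" * 32 + ",MD5=" + "33" * 16},
]

if __name__ == "__main__":
    for f in find_byovd_candidates(SAMPLE_EVENTS):
        print(f["UtcTime"], f["ImageLoaded"])
        for r in f["reasons"]:
            print("  -", r)
```

Both signals are heuristics: a real deployment would source the hash allow-list from the actual driver binaries and tune the correlation window, and would still need to handle an attacker who names the dropped file correctly and launches a renamed decoy process. The point is that the signature is not the signal; the loading context is.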
Since Microsoft announced that Office would block macros by default in files obtained from the internet, crimeware actors have been looking for alternative ways to distribute malware. The rise of malvertising is concerning because attackers are pairing it with increasingly heavily obfuscated trojanized installers that evade detection in ways defenders have not had to handle before.
Reference:
https://thehackernews.com/2023/02/formbook-malware-spreads-via.html