The campaign illustrates another option for miscreants who had relied on Microsoft macros
February 2, 2023 By Jeff Burt
Malvertising attacks are being used to distribute highly obfuscated, virtualized .NET loaders that drop info-stealer malware.
The loaders, dubbed MalVirt, are implemented in .NET and use virtualization through the legitimate KoiVM virtualizing protector for .NET applications, according to threat researchers with SentinelOne's SentinelLabs. The KoiVM tool helps obfuscate the implementation and execution of the MalVirt loaders.
The loaders are distributing the Formbook info-stealing malware collection as part of an ongoing campaign, the researchers write in a report out this week. Formbook and the newer XLoader version come with a range of threats, from keylogging and screenshot theft to stealing credentials and staging additional malware.