The use of malvertising attacks and abuse of Google Ads for distributing malware is nothing new. However, a new malware campaign surprised researchers due to a unique mix of tactics to obfuscate its implementation and execution at several levels. This malvertising campaign uses a new loader malware, dubbed MalVirt, to distribute Formbook and XLoader info-stealer malware.
SentinelOne researchers found a sample of MalVirt loader being pushed via Google Ads, pretending to be genuine ads for the Blender 3D software. This malware distribution campaign uses multiple layers of anti-analysis and anti-detection techniques to evade detection.
- The malicious loaders downloaded via the ads carry invalid digital signatures that impersonate Microsoft, DigiCert, Acer, Sectigo, and AVG Technologies USA.
- To mask its real network traffic and evade network detection, the campaign mixes the malware's communications with various decoy HTTP requests.
- It interacts with decoy C2 servers hosted with genuine providers, including Namecheap, Tucows, and Azure.
One specific set of communication used 17 domains, out of which 16 were genuine communication servers used as a decoy and only one was the actual C2 server.
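The decoy pattern above (one process talking to a bundle of 17 domains, 16 of them genuine) is something a defender can look for in proxy or EDR telemetry even without knowing which domain is the real C2. The script below is an added example written for this article, not code from the article or from SentinelOne. It parses constructed log lines (timestamp, PID, process name, destination host), splits each process's requests into bursts, and flags a process that repeatedly contacts the same large set of hosts in each burst, reporting the beacon interval and the whole host bundle for triage. The log format, process name, and `.invalid` host names are all constructed for illustration.

```python
"""
Added example: detect a process that beacons to a stable bundle of many hosts.
Log format, process names and host names are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed telemetry: "<ISO timestamp> <pid> <process> <destination host>"
SAMPLE_LOG = """\
2023-02-01T10:00:00 4120 blender_setup.exe decoy-a.invalid
2023-02-01T10:00:00 4120 blender_setup.exe decoy-b.invalid
2023-02-01T10:00:01 4120 blender_setup.exe decoy-c.invalid
2023-02-01T10:00:01 4120 blender_setup.exe decoy-d.invalid
2023-02-01T10:00:02 4120 blender_setup.exe c2-placeholder.invalid
2023-02-01T10:00:30 2288 chrome.exe www.example.com
2023-02-01T10:00:31 2288 chrome.exe cdn.example.com
2023-02-01T10:02:10 2288 chrome.exe www.example.com
2023-02-01T10:05:00 4120 blender_setup.exe decoy-a.invalid
2023-02-01T10:05:00 4120 blender_setup.exe decoy-b.invalid
2023-02-01T10:05:01 4120 blender_setup.exe decoy-c.invalid
2023-02-01T10:05:01 4120 blender_setup.exe decoy-d.invalid
2023-02-01T10:05:02 4120 blender_setup.exe c2-placeholder.invalid
2023-02-01T10:10:00 4120 blender_setup.exe decoy-a.invalid
2023-02-01T10:10:00 4120 blender_setup.exe decoy-b.invalid
2023-02-01T10:10:01 4120 blender_setup.exe decoy-c.invalid
2023-02-01T10:10:01 4120 blender_setup.exe decoy-d.invalid
2023-02-01T10:10:02 4120 blender_setup.exe c2-placeholder.invalid
"""

BURST_GAP = 5    # seconds between requests that still count as one burst
MIN_HOSTS = 4    # distinct hosts per burst before we call it a bundle
MIN_BURSTS = 2   # repeated bundles are what make it beaconing, not browsing


def parse_log(text):
    """Group (timestamp, host) events by (pid, process), sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, host = line.split()
        events[(int(pid), proc)].append((datetime.fromisoformat(ts), host))
    for key in events:
        events[key].sort()
    return events


def split_bursts(evts, gap=BURST_GAP):
    """Split a time-ordered event list into bursts separated by > gap seconds."""
    bursts = []
    for ts, host in evts:
        if bursts and (ts - bursts[-1][-1][0]).total_seconds() <= gap:
            bursts[-1].append((ts, host))
        else:
            bursts.append([(ts, host)])
    return bursts


def find_bundled_beacons(text, min_hosts=MIN_HOSTS, min_bursts=MIN_BURSTS):
    """Return {(pid, process): finding} for processes that repeatedly hit the
    same bundle of at least min_hosts distinct hosts in each burst."""
    findings = {}
    for (pid, proc), evts in parse_log(text).items():
        host_sets = [{h for _, h in b} for b in split_bursts(evts)]
        bundles = [(b, s) for b, s in zip(split_bursts(evts), host_sets)
                   if len(s) >= min_hosts]
        if len(bundles) < min_bursts:
            continue
        # The bundle must be stable: the same hosts recur in every burst.
        stable = set.intersection(*[s for _, s in bundles])
        if len(stable) < min_hosts:
            continue
        starts = [b[0][0] for b, _ in bundles]
        periods = [(later - earlier).total_seconds()
                   for earlier, later in zip(starts, starts[1:])]
        findings[(pid, proc)] = {
            "bursts": len(bundles),
            "hosts": sorted(stable),   # decoys and real C2 alike: triage all
            "period_s": periods,
        }
    return findings


if __name__ == "__main__":
    for (pid, proc), f in find_bundled_beacons(SAMPLE_LOG).items():
        print(f"{proc} (pid {pid}): {f['bursts']} bursts, "
              f"interval {f['period_s']} s, hosts {f['hosts']}")
```

The detector deliberately does not try to pick the real C2 out of the bundle: by design the decoys are legitimate servers, so volume or reputation alone will not separate them. What the bundle gives an analyst is the beaconing process, its cadence, and the complete host list, which is the right starting point for host isolation and for checking which of those domains the process actually exchanged meaningful data with.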
Unique obfuscation tactics
The virtualized MalVirt malware loaders are implemented in .NET and use the KoiVM .NET code protector to obfuscate the malware code.
- KoiVM replaces the original malware code, including the .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands.
- This virtualized code is translated back to the original only at runtime, so the malicious logic is not visible to static security scans.
- This lets the MalVirt loaders deliver their payloads, including Formbook and a newer version of XLoader, without raising any alerts during antivirus scans.
Other ingredients of obfuscation
In addition to the above network and code-level obfuscation, the attackers used a few more wraps of obfuscation to hide their secrets.
- Some of the identified samples checked whether they were running in a sandbox or virtual machine environment, such as VirtualBox or VMware, by querying registry keys.
- Some loader samples used additional checks to bypass the Antimalware Scan Interface (AMSI).
- The campaign further used a signed driver for Microsoft Process Explorer to modify or terminate legitimate Windows processes without raising any red flags.
MalVirt operators have put a significant amount of effort into anti-analysis and anti-detection techniques, which is quite unusual for a Google Ads-based malvertising campaign. Moreover, given the massive global reach and ease of expansion of such malicious advertising campaigns, experts predict a surge in malware distribution via this method.