In “MalVirt Loader Distributes Formbook and XLoader with Unusual Levels of Obfuscation”, it is being reported that the MalVirt Loader is being used as a delivery mechanism to spread two other forms of malware: Formbook and XLoader. The MalVirt Loader is known for its highly obfuscated code, which makes it challenging for security systems to detect and analyze. As a result, it increases the likelihood of successful infections and data theft. The spread of these malware can pose a significant risk to individuals and organizations.
- The malicious loaders downloaded via the ads are using invalid digital signatures impersonating Microsoft, DigiCert, Acer, Sectigo, and AVG Technologies USA.
- To cover up the network traffic and evade network detection, the campaign combines the malware’s communications with various decoy HTTP requests.
- It interacts with decoy C2 servers hosted with genuine providers, including Namecheap, Tucows, and Azure.
The unique obfuscation tactics used by the MalVirt Loader to evade detection by security systems include:
Code obfuscation: This involves modifying the code in a way that makes it difficult to understand and analyze.
Encryption: The malware can use encryption to conceal its code and avoid detection.
Packaging: The malware can be packaged with legitimate software, making it harder to detect.
Fileless attacks: The malware can exist only in memory, leaving no physical trace on the infected device, making it difficult to detect.
These techniques are used by malware authors to evade detection by anti-virus and anti-malware programs and make it easier to spread the malware. It’s important to stay vigilant and implement proper cybersecurity measures to protect against such threats.
Other ingredients of obfuscation that can be used by malware to evade detection include:
Code splitting: This involves dividing the malware code into several smaller parts that are less noticeable.
Code injection: The malware can inject its code into legitimate processes to conceal its presence.
Code emulation: This involves emulating legitimate code to avoid detection by security systems.
Domain generation algorithms (DGAs): DGAs can be used to dynamically generate domain names, making it difficult to block the malware’s command-and-control (C&C) infrastructure.
Polymorphism: This involves modifying the malware code to appear different each time it is executed, making it difficult for signature-based detection systems to identify it.
These techniques can make it difficult for security systems to detect and analyze the malware, increasing the risk of successful infections and data theft. It’s important to implement proper cybersecurity measures and stay informed about the latest threats to protect against such attacks.
