MalVirt Loader Distributes Formbook and XLoader with Unusual Levels of Obfuscation

MalVirt Loader is a malicious software that is used to distribute other forms of malware such as Formbook and XLoader. It is known for its high level of obfuscation, making it difficult to detect and analyze. This can increase the risk of successful infections and data theft for individuals and organizations. It's important to implement proper cybersecurity measures, such as regularly updating software and using anti-virus/anti-malware programs, to protect against such threats.

by Vikash Kumawat
1 comment 358 views

What's happening?

In “MalVirt Loader Distributes Formbook and XLoader with Unusual Levels of Obfuscation”, it is being reported that the MalVirt Loader is being used as a delivery mechanism to spread two other forms of malware: Formbook and XLoader. The MalVirt Loader is known for its highly obfuscated code, which makes it challenging for security systems to detect and analyze. As a result, it increases the likelihood of successful infections and data theft. The spread of these malware can pose a significant risk to individuals and organizations.

SentinelOne researchers found a sample of MalVirt loader being pushed via Google Ads, pretending to be genuine ads for the Blender 3D software. This malware distribution campaign uses multiple layers of anti-analysis and anti-detection techniques to evade detection.
  • The malicious loaders downloaded via the ads are using invalid digital signatures impersonating Microsoft, DigiCert, Acer, Sectigo, and AVG Technologies USA.
  • To cover up the network traffic and evade network detection, the campaign combines the malware’s communications with various decoy HTTP requests. 
  • It interacts with decoy C2 servers hosted with genuine providers, including Namecheap, Tucows, and Azure.
 
One specific set of communication used 17 domains, out of which 16 were genuine communication servers used as a decoy and only one was the actual C2 server.

Unique obfuscation tactics

The unique obfuscation tactics used by the MalVirt Loader to evade detection by security systems include:

  1. Code obfuscation: This involves modifying the code in a way that makes it difficult to understand and analyze.

  2. Encryption: The malware can use encryption to conceal its code and avoid detection.

  3. Packaging: The malware can be packaged with legitimate software, making it harder to detect.

  4. Fileless attacks: The malware can exist only in memory, leaving no physical trace on the infected device, making it difficult to detect.

These techniques are used by malware authors to evade detection by anti-virus and anti-malware programs and make it easier to spread the malware. It’s important to stay vigilant and implement proper cybersecurity measures to protect against such threats.

Other ingredients of obfuscation

Other ingredients of obfuscation that can be used by malware to evade detection include:

  1. Code splitting: This involves dividing the malware code into several smaller parts that are less noticeable.

  2. Code injection: The malware can inject its code into legitimate processes to conceal its presence.

  3. Code emulation: This involves emulating legitimate code to avoid detection by security systems.

  4. Domain generation algorithms (DGAs): DGAs can be used to dynamically generate domain names, making it difficult to block the malware’s command-and-control (C&C) infrastructure.

  5. Polymorphism: This involves modifying the malware code to appear different each time it is executed, making it difficult for signature-based detection systems to identify it.

These techniques can make it difficult for security systems to detect and analyze the malware, increasing the risk of successful infections and data theft. It’s important to implement proper cybersecurity measures and stay informed about the latest threats to protect against such attacks.

You may also like

1 comment

binance registrácia November 5, 2024 - 3:13 am

Thank you for your sharing. I am worried that I lack creative ideas. It is your article that makes me full of hope. Thank you. But, I have a question, can you help me?

Reply

Leave a Comment

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

-
00:00
00:00
Update Required Flash plugin
-
00:00
00:00