MalVirt Loader Distributes Formbook and XLoader with Unusual Levels of Obfuscation

What's happening?

In “MalVirt Loader Distributes Formbook and XLoader with Unusual Levels of Obfuscation”, it is being reported that the MalVirt Loader is being used as a delivery mechanism to spread two other forms of malware: Formbook and XLoader. The MalVirt Loader is known for its highly obfuscated code, which makes it challenging for security systems to detect and analyze. As a result, it increases the likelihood of successful infections and data theft. The spread of these malware can pose a significant risk to individuals and organizations.

SentinelOne researchers found a sample of MalVirt loader being pushed via Google Ads, pretending to be genuine ads for the Blender 3D software. This malware distribution campaign uses multiple layers of anti-analysis and anti-detection techniques to evade detection.
  • The malicious loaders downloaded via the ads are using invalid digital signatures impersonating Microsoft, DigiCert, Acer, Sectigo, and AVG Technologies USA.
  • To cover up the network traffic and evade network detection, the campaign combines the malware’s communications with various decoy HTTP requests. 
  • It interacts with decoy C2 servers hosted with genuine providers, including Namecheap, Tucows, and Azure.
 
One specific set of communication used 17 domains, out of which 16 were genuine communication servers used as a decoy and only one was the actual C2 server.

Unique obfuscation tactics

The unique obfuscation tactics used by the MalVirt Loader to evade detection by security systems include:

  1. Code obfuscation: This involves modifying the code in a way that makes it difficult to understand and analyze.

  2. Encryption: The malware can use encryption to conceal its code and avoid detection.

  3. Packaging: The malware can be packaged with legitimate software, making it harder to detect.

  4. Fileless attacks: The malware can exist only in memory, leaving no physical trace on the infected device, making it difficult to detect.

These techniques are used by malware authors to evade detection by anti-virus and anti-malware programs and make it easier to spread the malware. It’s important to stay vigilant and implement proper cybersecurity measures to protect against such threats.

Other ingredients of obfuscation

Other ingredients of obfuscation that can be used by malware to evade detection include:

  1. Code splitting: This involves dividing the malware code into several smaller parts that are less noticeable.

  2. Code injection: The malware can inject its code into legitimate processes to conceal its presence.

  3. Code emulation: This involves emulating legitimate code to avoid detection by security systems.

  4. Domain generation algorithms (DGAs): DGAs can be used to dynamically generate domain names, making it difficult to block the malware’s command-and-control (C&C) infrastructure.

  5. Polymorphism: This involves modifying the malware code to appear different each time it is executed, making it difficult for signature-based detection systems to identify it.

These techniques can make it difficult for security systems to detect and analyze the malware, increasing the risk of successful infections and data theft. It’s important to implement proper cybersecurity measures and stay informed about the latest threats to protect against such attacks.

Related posts

Chinese hackers exploited FortiGate Flaw to break the Dutch Military Network

Russian Coldriver hackers are moving beyond phishing with custom malware

Iranian hackers pose as journalists to spy on Israel-Hamas war experts

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More