Virtualization: Google ads are spreading malware through it

February 6, 2023
Articles , Business

A persistent Google Ads malvertising campaign is distributing malware installers that use KoiVM virtualization technology. The virtualization is there to evade antivirus detection while the installers deploy the Formbook data stealer.

KoiVM is a plugin for the ConfuserEx .NET protector. It translates a program's opcodes into a form that only its own virtual machine understands; when the application starts, that virtual machine decodes them back into their original meaning as it runs them.

As the researchers explain, virtualization frameworks like KoiVM disguise executables by replacing the original code, such as .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands.

A virtual machine engine then executes the virtualized code at runtime by translating it back into the original instructions.

When used maliciously, virtualization complicates malware detection and is a deliberate attempt to defeat static analysis: the CIL that a decompiler or signature scanner would normally inspect is no longer present in the binary in plain form.

SentinelLabs discovered the Formbook information stealer being delivered by virtualized .NET loaders, dubbed 'MalVirt', which drop the final payload in a Google ad campaign without triggering antivirus alerts.

SentinelLabs notes that KoiVM virtualization is popular for hacking tools and cracks, but is rarely seen in malware distribution.

The researchers attribute its growing use to Microsoft blocking Office macros by default in documents downloaded from the internet, which pushed attackers toward other delivery and evasion methods.


Abusing Google search advertisements

Over the past month researchers have observed a rise in Google search advertising being abused to spread malware, including RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys stealer, IcedID, Raccoon Stealer and many more.

In an ongoing campaign, SentinelLabs saw attackers distributing MalVirt loaders through ads impersonating the Blender 3D application.

The bogus sites behind those ads offer downloads carrying invalid digital signatures that impersonate Microsoft, Acer, DigiCert, Sectigo and AVG Technologies USA.

Because these signatures are invalid, Windows does not treat the files as properly signed; a check such as PowerShell's Get-AuthenticodeSignature reports a status other than Valid for them. The MalVirt loaders nevertheless include techniques that help them evade detection. In some samples, the AmsiScanBuffer function in amsi.dll is patched in memory to bypass scanning by the Antimalware Scan Interface (AMSI).
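An in-memory patch of AmsiScanBuffer is something a responder can check for directly. The Python below is an added example, not MalVirt's code, and it does not claim to know which bytes that loader writes: it compares the first bytes of the function as read from a process against the same bytes from the on-disk amsi.dll and against stubs that AMSI bypass tools commonly write. The process "snapshots" and the on-disk prologue are constructed byte strings standing in for ReadProcessMemory and file reads; the on-disk value is not the bytes of any particular Windows build.

```python
"""Heuristic check for an in-memory patch of AmsiScanBuffer (added example).

Not MalVirt's code and no claim about the exact bytes that loader writes. The
memory snapshots and the on-disk prologue below are constructed stand-ins for
what ReadProcessMemory and a file read would return.
"""
from typing import Dict, List

# Stubs commonly written over the start of AmsiScanBuffer so that the call
# returns immediately without scanning (x86/x64 encodings).
KNOWN_PATCH_STUBS = [
    (bytes.fromhex("b857000780c3"), "mov eax, 0x80070057 (E_INVALIDARG); ret"),
    (bytes.fromhex("31c0c3"), "xor eax, eax; ret"),
    (bytes.fromhex("33c0c3"), "xor eax, eax; ret (alternate encoding)"),
    (bytes.fromhex("c3"), "ret"),
]

# Constructed stand-in for the function prologue read from amsi.dll on disk.
DISK_PROLOGUE = bytes.fromhex("4c8bdc49895b0849897310")

# Constructed process snapshots: 1001 is clean, 2002 carries the E_INVALIDARG
# stub, 3003 has an unrecognised one-byte modification.
MEMORY_SNAPSHOTS: Dict[int, bytes] = {
    1001: DISK_PROLOGUE,
    2002: bytes.fromhex("b857000780c3") + DISK_PROLOGUE[6:],
    3003: bytes.fromhex("90") + DISK_PROLOGUE[1:],
}


def compare_prologue(memory: bytes, disk: bytes, length: int = 8) -> List[str]:
    """Describe how the in-memory prologue differs from the on-disk one.
    Returns an empty list when the first `length` bytes match."""
    mem, dsk = memory[:length], disk[:length]
    if mem == dsk:
        return []
    findings = []
    for stub, desc in KNOWN_PATCH_STUBS:
        if mem.startswith(stub):
            findings.append(f"known bypass stub: {desc}")
            break
    else:
        findings.append("prologue differs from disk image (unrecognised patch)")
    changed = [i for i, (a, b) in enumerate(zip(mem, dsk)) if a != b]
    findings.append(f"bytes changed at offsets {changed}")
    return findings


def scan_processes(snapshots: Dict[int, bytes], disk: bytes) -> Dict[int, List[str]]:
    """Run the comparison for every process; only flagged PIDs are returned."""
    flagged: Dict[int, List[str]] = {}
    for pid, mem in snapshots.items():
        findings = compare_prologue(mem, disk)
        if findings:
            flagged[pid] = findings
    return flagged


if __name__ == "__main__":
    for pid, findings in scan_processes(MEMORY_SNAPSHOTS, DISK_PROLOGUE).items():
        print(pid, findings)
```

Comparing against the disk image rather than only against a list of known stubs matters: the list catches the common tooling, but the disk comparison is what flags a loader that writes something else. Relocations do not affect the first few bytes of this function, so a plain byte comparison is adequate for the prologue; a full-function comparison would need to account for them.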

Moreover, some strings (such as amsi.dll and AmsiScanBuffer) are AES-encrypted and Base64-encoded so that they do not appear in plain text, an attempt to defeat static detection.

If the loaders detect that they are running in a virtualized environment, such as a sandbox or analysis VM, they stop executing to avoid analysis. MalVirt also deploys a signed Microsoft Process Explorer driver under the name "TaskKill"; it is installed at system startup and used to modify running processes in order to evade detection.

The loaders add extra obfuscation layers on top of KoiVM to protect the virtualized code, which helps prevent decompilation.

SentinelLabs reports that the loaders' customized KoiVM implementation confuses mainstream devirtualization frameworks such as OldRod, because it obscures its routine with arithmetic operations rather than the simple assignments those tools expect.

In principle the obfuscation in the MalVirt loaders can be bypassed and the order of KoiVM's 119 constant variables recovered. The added obfuscation makes this much harder, however, because existing automated techniques fail against it and more manual effort is required.


Keeping the infrastructure hidden

Beyond the evasion built into the loader, Formbook itself employs a novel tactic to hide its real C2 (command and control) traffic and IP addresses.

The stealer mixes its real C2 traffic with numerous "smokescreen" HTTP requests whose content is encrypted and encoded so that it does not stand out.

Those requests go to IP addresses chosen at random from a hard-coded list of domains hosted by various providers.

In the samples SentinelLabs examined, Formbook communicated with 17 domains, only one of which was the real C2 server; the others were decoys meant to mislead network traffic monitoring. For a responder this means no single destination can be trusted as "the" C2 from the traffic alone; the usable signal is the behaviour of the process sending it.
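One way to turn that observation into a detection is to look for the fan-out itself rather than for any one destination. The Python below is an added example, not SentinelLabs' or Formbook's code; it runs over constructed log lines in an assumed "timestamp pid proc METHOD url body=N" format (adapt the regex to your proxy or EDR export) and flags a process that POSTs bodies of near-identical size to many unrelated hosts within a short window. The thresholds are assumptions to tune against your own baseline.

```python
"""Fan-out heuristic for decoy C2 traffic (added example).

Not SentinelLabs' or Formbook's code. The log format, the sample lines and the
thresholds are assumptions; the sample log is constructed, not a capture.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample log. PID 4120 fans out to six hosts in six seconds with
# similar-size bodies; PID 2288 is ordinary browsing; PID 5120 posts to one host.
SAMPLE_LOG = """\
2023-02-06T10:00:01Z pid=4120 proc=explorer.exe POST http://host-a.example/r9v3/ body=412
2023-02-06T10:00:02Z pid=4120 proc=explorer.exe POST http://host-b.example/k2lp/ body=418
2023-02-06T10:00:03Z pid=4120 proc=explorer.exe POST http://host-c.example/xq01/ body=409
2023-02-06T10:00:04Z pid=4120 proc=explorer.exe POST http://host-d.example/m7ta/ body=415
2023-02-06T10:00:05Z pid=4120 proc=explorer.exe POST http://host-e.example/pz88/ body=421
2023-02-06T10:00:06Z pid=4120 proc=explorer.exe POST http://host-f.example/bb3c/ body=411
2023-02-06T10:00:05Z pid=2288 proc=chrome.exe GET http://news.example/index.html body=0
2023-02-06T10:00:06Z pid=2288 proc=chrome.exe POST http://news.example/api/vote body=87
2023-02-06T10:00:07Z pid=2288 proc=chrome.exe POST http://cdn.example/beacon body=1540
2023-02-06T10:00:01Z pid=5120 proc=updater.exe POST https://updates.example/check body=300
2023-02-06T10:00:31Z pid=5120 proc=updater.exe POST https://updates.example/check body=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) body=(?P<size>\d+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "pid": int(m["pid"]),
            "proc": m["proc"],
            "method": m["method"],
            "host": m["url"].split("/")[2].lower(),
            "size": int(m["size"]),
        })
    return events


def find_fanout(events: List[dict], window_s: int = 60,
                min_hosts: int = 5, max_size_cv: float = 0.25) -> List[dict]:
    """Flag processes that POST to at least min_hosts distinct hosts inside any
    window_s-second window with bodies of similar size (low coefficient of
    variation). Every host in the window is reported, because the decoys are
    indistinguishable from the real C2 at this layer and all need triage."""
    by_proc: Dict[tuple, List[dict]] = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_proc[(e["pid"], e["proc"])].append(e)
    alerts = []
    for (pid, proc), posts in by_proc.items():
        posts.sort(key=lambda e: e["ts"])
        for i in range(len(posts)):
            window = [e for e in posts[i:]
                      if (e["ts"] - posts[i]["ts"]).total_seconds() <= window_s]
            hosts = sorted({e["host"] for e in window})
            if len(hosts) < min_hosts:
                continue
            sizes = [e["size"] for e in window]
            cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 1.0
            if cv <= max_size_cv:
                alerts.append({"pid": pid, "proc": proc, "hosts": hosts,
                               "requests": len(window), "size_cv": round(cv, 3)})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(parse_log(SAMPLE_LOG)):
        print(alert)
```

The heuristic keys on the process, not the destination, which is the opposite of how decoy traffic is designed to be read. Expect tuning work: browsers, telemetry agents and ad networks also fan out, so the process name and parent, the similarity of body sizes and the absence of any prior DNS or browsing context for those hosts are what separate a stealer's beacon from noise.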

This is a new capability in an older malware family, which indicates that its operators are still investing in features that hide it from security tools and analysts.

It remains unclear whether Formbook's operators have moved from malspam to Google search ads as their distribution channel, but the campaign is one more reason for users to be cautious about the links they click in search results.

