Virtualization: Google ads are spreading malware through it

Published February 6, 2023
Author: Ash Khan

Virtualization: Google ads are spreading malware through it

Published February 6, 2023
Author: Ash Khan

A persistent Google Ads malvertising campaign is disseminating malware installers that use KoiVM virtualization technology. The campaign is doing so to avoid the detection of antivirus software when installing the Formbook data stealer.

KoiVM is a ConfuserEx.NET protection plugin that encrypts a program’s opcodes such that only the virtual machine understands them. The virtual machine then translates the opcodes back to their original form when the app is started.

According to an online security website research the virtualization frameworks like KoiVM disguise executables by substituting original code. This includes NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework knows.

A virtual machine engine executes the virtualized code at runtime by translating it into the original code.

When used maliciously, virtualization complicates malware detection and reflects an attempt to escape static analysis techniques.

Sentinel Labs discovered the Formbook information-stealing malware as virtualized.NET loaders dubbed ‘MalVirt’. It disseminates the final payload without activating antivirus warnings in a Google ad campaign.

Sentinel Labs claim that KoiVM virtualization is popular for hacking tools and crackers, but it is rarely utilized in malware dissemination.

According to the cybersecurity website, the increase in its popularity is a side effect of Microsoft disabling macros in Office.


Abusing Google search advertisements

Researchers have detected a rise in the usage of Google search advertising to spread malware. The list comprises RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys stealer, IcedID, Raccoon Stealer, and many more in the last month.

SentinelLabs saw hackers distributing MalVirt loaders in ads that look like the Blender 3D application in an ongoing campaign.

These bogus sites sell downloads with fraudulent digital signatures imitating Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA.

Furthermore, these faulty signatures will not fool Windows into thinking they are signed. However, the MalVirt loaders do include techniques to help them evade detection. In some samples, the AmsiScanBuffer function is altered in amsi.dll to avoid detection by Anti Malware Scan Interface (AMSI).

Moreover, some strings (such as amsi.dll and AmsiScanBuffer) are Base-64 encoded and AES-encrypted in an attempt to escape static detection techniques.

If the loaders determine they are running in a virtualized environment, they stop the execution to avoid detection. MalVirt additionally employs a signed Microsoft Process Explorer driver known as “TaskKill”. It is installed at system startup and it changes ongoing processes to avoid detection.

These loaders encrypt the virtualized code using extra obfuscation layers in KoiVM, helping to prevent decompilation.

SentinelLabs claims that its bespoke KoiVM implementation confuses mainstream devirtualization frameworks. Such as the ‘OldRod’ by obscuring its procedure using arithmetic operations rather than simple assignments.

It is feasible to bypass the obfuscation in these MalVirt loaders and revert the order of KoiVM’s 119 constant variables. However, the added obfuscation makes it impossible, necessitating more human effort because existing automated techniques are ineffective.


Keeping the infrastructure hidden

Formbook employs a novel tactic to mask its genuine C2 (command and control) traffic and IP addresses. Along with using other detection avoidance mechanisms used in the malware loader.

The data-stealing virus mingles its legitimate traffic with numerous “smokescreen” HTTP requests. The content of which is encrypted and encoded so that it does not stand out.

The virus randomly interacts with IP addresses selecting them from a hardcoded list of domains hosted by various firms.

According to SentinelLabs, among the examined samples, Formbook interacted with 17 domains, only one of which was the true C2 server. While the others were only decoys to deceive network traffic monitoring software.

This is a unique system based on an older malware strain. This indicates that its owners want to enhance it with new characteristics to disguise it from security tools and analysts.

It remains unclear whether hackers have converted malspam distribution of Formbook to Google search adverts. However, it is just another example of why consumers should be cautious about the links they click in search results.