
Google Ads Spread Detection-Evading Malware

Cyber criminals are abusing the Google Ads system to spread malware in what are known as ‘malvertising’ attacks. Because Google Ads are displayed above the organic search results, victims searching for software via Google’s search engine can be lured into clicking through to a fake site. The malicious websites are designed to impersonate legitimate sites, specifically those of popular free and open-source software. The criminals further trick their victims using typosquatting techniques, where the name of the website or software is very similar to the legitimate one it is copying, often only one letter different. The recent increase in this form of attack is credited to Microsoft blocking macros by default in Office documents downloaded from the internet, which has forced threat actors to find a new way to install their malware onto their victims’ systems.

 

Various malware payloads have been known to be delivered through Google Ads scams; however, a recent investigation by SentinelLabs has revealed a new attack using a cluster of virtualised .NET malware loaders, dubbed MalVirt, that evade detection by antivirus systems when delivering the final payload. The MalVirt loaders are based on KoiVM, a legitimate virtualising protector for .NET applications. KoiVM obfuscates an executable by replacing its original .NET Common Intermediate Language (CIL) code with virtualised code that only the embedded virtual machine understands. That VM engine translates and executes the code at runtime, which allows malware to evade detection because the executable is not identified as malicious before it runs. Although KoiVM has been known to protect “hacking tools and cracks”, it had not previously been seen used to deliver malware payloads in other attacks.

 

This malware campaign was found by the researchers in the Google Ads results returned when they searched for ‘Blender 3D’ software. The ads triggered the download of loaders that the researchers recognised as Formbook from their obfuscated namespace, class, and function names containing numeric characters, such as Birthd1y or Tota2, as observed in other instances of this malware. The file path to these loaders was also disguised as that of a calculator program, with file names such as DVS-Calculator-Windows-App-main. The loaders also attempted to impersonate the digital signatures and countersignatures of large technology companies including Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA. However, in every case examined during the investigation these signatures were invalid and the certificates were not trusted by the system; checking the signature’s validity, rather than only the name of the purported signer, therefore exposes these files.

 

In some cases observed by the researchers, the MalVirt loaders bypassed the Antimalware Scan Interface (AMSI), which would otherwise detect the malicious PowerShell commands, by patching the AmsiScanBuffer function in amsi.dll. The strings naming the function and the DLL are stored in the loader Base64-encoded and AES-encrypted with hardcoded keys, and are decoded and decrypted only when needed, so they never appear in plain text for static detection to find. MalVirt then tests whether it is running in a virtual machine or sandbox and, if it is, halts execution to avoid analysis. VirtualBox and VMware are detected by querying specific registry keys and checking for the presence of their drivers. Wine and Sandboxie are detected by looking for the wine_get_unix_file_name export in the kernel32.dll Windows library and for the Sandboxie library SbieDLL.dll.

 

If execution is not halted, the next stage sees MalVirt deploy and load a signed Microsoft Process Explorer driver whose signing certificate was valid when the driver was signed but expired in 2021. A driver signed and timestamped while its certificate was valid continues to load after the certificate expires, so the expiry date alone is no defence. The driver is deployed by MalVirt reflectively loading the assembly 0onfirm, which in turn creates the service TaskKill that installs the driver. Through the driver, TaskKill can terminate processes from kernel mode, which further helps the malware evade detection by killing the processes belonging to security products on the victim’s system. The reflectively loaded 0onfirm assembly also launches the final infostealer payload, and is itself protected by virtualisation using a KoiVM variant.

 

The legitimate KoiVM protector already obfuscates executables effectively through code virtualisation, but the version used in this attack is modified to add further obfuscation. Normally, virtualised code can be de-virtualised by tools that identify the routine initialising the VM’s constant variables, recover the constants from it, and use them to recompile the native code. MalVirt instead assigns values to these variables through arithmetic operations rather than through the designated initialisation routine, so there is no routine for these tools to recognise and reverse. MalVirt also shuffles the order of KoiVM’s constant variables, which further confuses de-virtualisation tools and leads to an incorrect result if de-virtualisation is attempted.
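The two counter-measures above can be modelled without any real VM. The following is an added example, not KoiVM, MalVirt or any actual de-virtualiser: a KoiVM-style set of constant variables is written as a small Python source fragment (the names and values are constructed), and three recovery strategies are compared. A pattern match for literal assignments recovers nothing from the arithmetic form; a recovery that assumes the stock declaration order returns wrong values once the order is shuffled; constant folding over the parsed expressions recovers the correct values regardless of either trick.

```python
"""Model of why arithmetic constant assignment defeats pattern-based de-virtualisers.

Added example; this is not KoiVM, MalVirt or any real de-virtualiser. A KoiVM-style
VM configuration is modelled as a Python source fragment declaring the VM's constant
variables, and three recovery strategies are compared. Names and values are constructed.
"""
import ast
import re

# Constructed stand-in for a stock configuration: literal values, fixed order.
STOCK_CONSTANTS = """
REG_R0 = 0
REG_R1 = 1
OP_NOP = 2
OP_ADD = 3
OP_RET = 4
"""

# Constructed stand-in for the modified form: the same values built with arithmetic,
# and the declarations shuffled so that position no longer implies meaning.
MODIFIED_CONSTANTS = """
OP_RET = (11 ^ 15)
REG_R1 = (13 - 12)
OP_ADD = (9 // 3)
REG_R0 = (6 & 1)
OP_NOP = ((1 << 3) - 6)
"""

LITERAL_ASSIGNMENT = re.compile(r"^(\w+)\s*=\s*(\d+)\s*$", re.MULTILINE)


def recover_by_pattern(src):
    """Signature-style recovery: only recognises NAME = <integer literal>."""
    return {name: int(value) for name, value in LITERAL_ASSIGNMENT.findall(src)}


def recover_by_position(src):
    """Recovery that assumes the stock declaration order (i-th declaration has value i)."""
    names = [stmt.targets[0].id for stmt in ast.parse(src).body
             if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name)]
    return {name: index for index, name in enumerate(names)}


_BINOPS = {
    ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b,
    ast.Mult: lambda a, b: a * b, ast.FloorDiv: lambda a, b: a // b,
    ast.Mod: lambda a, b: a % b, ast.BitAnd: lambda a, b: a & b,
    ast.BitOr: lambda a, b: a | b, ast.BitXor: lambda a, b: a ^ b,
    ast.LShift: lambda a, b: a << b, ast.RShift: lambda a, b: a >> b,
}


def fold(node):
    """Evaluate a constant integer expression; names, calls and anything else are rejected."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](fold(node.left), fold(node.right))
    raise ValueError("not a constant expression: " + ast.dump(node))


def recover_by_folding(src):
    """Recovery by constant folding: independent of literal form and declaration order."""
    out = {}
    for stmt in ast.parse(src).body:
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1 \
                and isinstance(stmt.targets[0], ast.Name):
            out[stmt.targets[0].id] = fold(stmt.value)
    return out


if __name__ == "__main__":
    print("pattern, stock:    ", recover_by_pattern(STOCK_CONSTANTS))
    print("pattern, modified: ", recover_by_pattern(MODIFIED_CONSTANTS))   # nothing recovered
    print("position, modified:", recover_by_position(MODIFIED_CONSTANTS))  # wrong values
    print("folding, modified: ", recover_by_folding(MODIFIED_CONSTANTS))   # correct values
```

The lesson carries over to the real case: a de-virtualiser that keys on the literal shape or the position of the initialisation code is defeated by trivial rewrites, whereas one that evaluates what the code computes is not. Recovering the constants is still only the first step; their meaning (which one is which opcode or register) has to be confirmed from how the VM uses them, not assumed from order.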

 

Formbook, and its newer variant XLoader, have previously been observed in phishing campaigns, including a recent politically motivated campaign targeting Ukrainian state organisations via email. Formbook/XLoader is an infostealer capable of keylogging, screenshot capture, theft of browser and other credentials, and staging additional malware. A second-stage payload is thought to be delivered only to specifically targeted victims identified through this initial infection. In addition to the obfuscation used by the MalVirt loaders, the malware itself takes further steps against detection and analysis. When communicating with its C2 server, Formbook/XLoader also sends HTTP requests to multiple legitimate domains selected at random from a hardcoded list. These decoy HTTP GET and POST requests carry encoded and encrypted content, disguising the real C2 traffic among them and making it harder to identify.
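The decoy scheme hides which host is the real C2, but the burst itself is visible: one client suddenly sends token-like requests to many unrelated hosts within seconds. The following added example (not code from the SentinelLabs report or from SecureTeam) runs that heuristic over a constructed proxy log. The log format, the thresholds and every log line are assumptions made for the illustration; a real deployment would take the fields from its own proxy and tune the window and fan-out size against normal traffic.

```python
"""Fan-out detector for Formbook/XLoader-style decoy C2 traffic.

Added example; not code from the SentinelLabs report or from SecureTeam. It assumes a
whitespace-separated web proxy log with the fields
    <ISO-8601 timestamp> <client IP> <method> <host> <path> <request bytes>
and flags a client that sends requests with opaque, token-like paths to many distinct
hosts within a short window. Field layout, thresholds and all log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # burst length to consider (assumed threshold)
MIN_DISTINCT_HOSTS = 5              # decoy fan-out size to alert on (assumed threshold)
OPAQUE_PATH = re.compile(r"^/[A-Za-z0-9_\-]{8,}$")   # single token: no extension, no query

# Constructed sample: one client browsing normally, one fetching hashed assets from a
# single CDN host, and one emitting a decoy burst (the true C2 is one of the seven
# hosts and is deliberately indistinguishable from the others).
SAMPLE_LOG = """\
2023-02-03T09:00:01Z 10.0.0.21 GET  news.example /index.html 0
2023-02-03T09:00:05Z 10.0.0.21 POST mail.example /login 180
2023-02-03T09:00:09Z 10.0.0.21 GET  news.example /2023/02/03/story 0
2023-02-03T09:01:00Z 10.0.0.30 GET  cdn.example /a1b2c3d4e5f6a7b8 0
2023-02-03T09:01:02Z 10.0.0.30 GET  cdn.example /c9d0e1f2a3b4c5d6 0
2023-02-03T09:01:03Z 10.0.0.30 GET  cdn.example /e7f8a9b0c1d2e3f4 0
2023-02-03T09:10:00Z 10.0.0.44 GET  host-01.example /7f3Kq1Zp9vBcA2 0
2023-02-03T09:10:01Z 10.0.0.44 POST host-02.example /Xr8mN2qL5sT0wQ 742
2023-02-03T09:10:02Z 10.0.0.44 GET  host-03.example /Lk4Hj7Gf2Ds9Aa 0
2023-02-03T09:10:03Z 10.0.0.44 POST host-04.example /Pq1Wz5Xc8Vb3Nn 731
2023-02-03T09:10:04Z 10.0.0.44 POST host-05.example /Mv6Cz2Xa9Sd4Fq 756
2023-02-03T09:10:05Z 10.0.0.44 GET  host-06.example /Tg3Yh6Uj9Ik2Ol 0
2023-02-03T09:10:06Z 10.0.0.44 POST host-07.example /Rb7Nm4Qw1Er8Ty 749
"""


def is_opaque_path(path):
    """True for a single token-like segment mixing letters and digits, e.g. /7f3Kq1Zp9vBcA2."""
    if not OPAQUE_PATH.match(path):
        return False
    token = path[1:]
    return any(c.isdigit() for c in token) and any(c.isalpha() for c in token)


def parse_log(text):
    """Yield (timestamp, client, method, host, path, bytes) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, nbytes = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client,
               method.upper(), host, path, int(nbytes))


def detect_fanout(text, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Return {client: sorted hosts} for clients whose opaque-path requests reach
    min_hosts or more distinct hosts inside any span of length window."""
    by_client = defaultdict(list)
    for event in parse_log(text):
        if is_opaque_path(event[4]):
            by_client[event[1]].append(event)

    alerts = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        for i, first in enumerate(events):
            hosts = {e[3] for e in events[i:] if e[0] - first[0] <= window}
            if len(hosts) >= min_hosts:
                alerts[client] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for client, hosts in detect_fanout(SAMPLE_LOG).items():
        print(f"{client}: opaque requests to {len(hosts)} hosts in {WINDOW.seconds}s -> {hosts}")
```

The CDN client shows the main false-positive source: hashed asset names also look opaque, but they go to one host, so counting distinct hosts rather than requests keeps it quiet. Because the real C2 cannot be told apart from the decoys, the response is to treat the whole burst, and the originating host, as the indicator rather than to hunt for the one genuine destination.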

 

The Formbook malware family was previously distributed through phishing emails with malicious Office documents attached, but since Microsoft disabled macros by default in documents from the internet this route is largely closed. The shift to malicious Google Ads impersonating legitimate software means that, just as with the original phishing scams, the best protection for your systems is educating staff on good cyber security practice. The many obfuscation and detection-evasion stages in the MalVirt chain, including those taken by the final infostealer itself, mean automated endpoint detection products may not detect and remove this malware before it spreads. Security teams should ensure all staff know to check the validity of a site before accessing it or downloading content, for example by checking for misspellings in the URL or on the page itself, and by navigating to the vendor’s own site rather than clicking a sponsored result. Maintaining an application allow list of authorised software for work devices, together with the approved sources to download it from, further protects your network from this form of attack.
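The typosquatting described at the start of this article and the allow-list recommendation above can be combined into a single check on the download URL. The following is an added example, not code from SecureTeam or SentinelLabs: each approved application is mapped to the hosts it may be downloaded from, anything else is refused, and near misses are labelled so that a one-letter typosquat or a brand-stuffed lookalike domain is reported as an impersonation attempt rather than as a plain unknown site. The allow-list entries, the edit-distance threshold and the example URLs are constructed for the illustration.

```python
"""Download-source check: allow list plus lookalike detection for software download URLs.

Added example; not code from SecureTeam or SentinelLabs. The allow list maps each approved
application to the hosts it may be downloaded from. Hosts within a small edit distance of an
approved host are reported as typosquats; hosts that merely contain an approved brand label
are reported as lookalikes; everything else is unlisted. Entries and thresholds are constructed.
"""
from urllib.parse import urlsplit

# Constructed allow list: application -> approved download hosts.
ALLOWED_SOURCES = {
    "Blender": {"blender.org", "www.blender.org"},
    "7-Zip": {"7-zip.org", "www.7-zip.org"},
    "Notepad++": {"notepad-plus-plus.org"},
}
TYPO_DISTANCE = 2   # edits at which a host is treated as a typosquat (assumed threshold)


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalise_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so variants of one site compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def brand_label(host):
    """Label left of the TLD: 'blender' in 'blender.org'. Simplification: multi-part
    public suffixes such as .co.uk are not handled."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify_download_url(url, allowed=ALLOWED_SOURCES):
    """Return (verdict, application); verdict is 'allowed', 'typosquat', 'lookalike' or 'unlisted'.
    The URL must include a scheme so that urlsplit can isolate the host."""
    host = normalise_host(urlsplit(url).hostname or "")
    if not host:
        return ("unlisted", None)
    best = ("unlisted", None)
    for application, hosts in allowed.items():
        for approved in {normalise_host(h) for h in hosts}:
            if host == approved:
                return ("allowed", application)
            if osa_distance(host, approved) <= TYPO_DISTANCE:
                best = ("typosquat", application)          # outranks a lookalike match
            elif best[0] == "unlisted" and len(brand_label(approved)) >= 4 \
                    and brand_label(approved) in host:
                best = ("lookalike", application)
    return best


if __name__ == "__main__":
    for url in ("https://www.blender.org/download/", "https://blendor.org/download",
                "https://blender-3d-download.com/setup.exe", "https://example.com/blender.zip"):
        print(f"{url:45} -> {classify_download_url(url)}")
```

Under an allow-list policy the verdict that matters for enforcement is simply allowed versus everything else; the typosquat and lookalike labels exist so that the blocked event can be triaged as a probable malvertising lure rather than as a user visiting an unapproved but harmless site. The brand-label check is deliberately crude and will miss homoglyph tricks and multi-part public suffixes; it is a starting point, not a substitute for a maintained list of approved sources.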

 

 
