+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

Google Ads Spread Detection Evading Malware

Cyber criminals are abusing the Google Ads system to spread malware in what is known as ‘malvertising’ attacks. As the Google Ads display first before the search results, victims can be conned into clicking onto a fake site when searching for software via Google’s search engine. The malicious websites are designed to impersonate legitimate websites, specifically for popular free and open-source software. The criminals attempt to further trick their victims into clicking on these sites using typosquating techniques, where the name of the website or software is very similar to the legitimate site they are copying, usually only one letter different. The recent increase in this form of attack is credited to Microsoft blocking macros in Office documents by default, so threat actors have needed to find a new way to install their malware onto their victim’s systems. 

 

Various malware payloads have been known to be delivered through Google Ads scams, however a recent investigation by Sentinel Labs has revealed a new attack using a cluster of virtualised .NET malware loaders dubbed MalVirt that can evade detection by antivirus systems when delivering the final payload. The MalVirt loaders used in this attack are based on KoiVM virtual loaders, which is a legitimate virtualising protector of .NET applications. They work to obfuscate executables by replacing the original NET Common Intermediate Language (CIL) code with virtualised code that only a virtualised framework would understand. The virtual machine engine then can execute the code by translating it at runtime, which can allow malware to evade detection as the executable is not identified as malicious before it is run. Although the KoiVM virtualising protector has been known to be used for “hacking tools and cracks”, it is not known to be abused in other attacks to deliver malware payloads. 

 

This malware campaign was found by researchers in the Google Ads results when they searched for ‘Blender 3D’ software. These ads triggered the download of loaders the researchers recognised as Formbook from their obfuscated namespace, class, and function names using numeric characters, such as Birthd1y or Tota2, as observed in other instances of this malware. The file path to these loaders was also disguised as a calculator program, containing file names such as DVS-Calculator-Windows-App-main. The loaders also attempted to impersonate the digital signatures and countersignatures of large tech companies including Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA. However, these signatures were found to be invalid, and the certificates not trusted by the system, in every case looked at during this investigation.  

 

In some cases observed by the researchers, the MalVirt loaders bypassed the Anti Malware Scan Interface (AMSI) that would otherwise detect the malicious PowerShell commands. A patch was implemented to the AmsiScanBuffer function in amsi.dll, and the function and .DLL file were then base-64 encoded and AES-encrypted using hardcoded keys in the MalVirt loaders. The loaders can then decode and decrypt the strings using the hardcoded keys when needed, while avoiding static detection mechanisms. The MalVirt malware will then test if it is being run in a virtual or sandbox environment, and if it is, will halt the execution to avoid analysis. This is performed by querying specific registry keys and evaluating the presence of drivers to test for VirtualBox and VMWare environments. To detect a Wine or Sandboxie sandbox environment the MalVirt searches for the presence of the wine_get_unix_file_name function in the kernel32.dll Windows library or SbieDLL.dll Sandboxie library. 

 

If the execution is not halted, the next stage involves the MalVirt deploying and loading a ‘signed’ Microsoft Process Explorer driver, where the signature certificate is valid, but has expired in 2021. This driver is deployed through MalVirt reflectively loading the assembly 0onfirm, which in turn creates the service TaskKill that deploys the driver. TaskKill can enact process termination with kernel level privileges, which further helps the malware evade detection, by killing the processes used in the detection mechanisms on the victim’s system. The reflective loading of the 0onfirm assembly also triggers the final infostealer malware payload, and the virtualisation of .NET applications using a KoiVM variant.  

 

The legitimate version of the KoiVM virtualising protector causing code virtualisation is already successful at obfuscating the executables, however the version used in this attack is modified for additional obfuscation. In other cases, virtualised code can be de-virtualised by tools that detect the virtualisation routine used in the virtualisation process and use this to recompile the native code. However, MalVirt uses mathematical operations to assign values to variable rather than using a designated virtualisation routine, so there is no routine available for these tools to detect and reverse. MalVirt also uses a distorted order of the constant variables of KoiVM, which further confuses de-virtualisation tools and would lead to an incorrect de-virtualisation if attempted. 

 

Formbook, also known as the newer variant XLoader, has previously been observed in phishing campaigns, including a recent politically motivated campaign targeting Ukranian state organisations via email. Formbook/XLoader is an infostealer malware that is capable of performing keylogging, screenshot theft, stealing of web and other credentials, and staging of additional malware. A second-stage malware is thought to then be introduced to specifically targeted victims only, who are identified through this initial attack. As well as all the obfuscation techniques used by the MalVirt loaders, further protection against detection and analysis is performed by the malware itself. When communicating with the C2 server, Formbook/XLoader randomly selects multiple legitimate domains to send HTTP requests to from a hardcoded list. These decoy HTTP GET and POST requests contain encoded and encrypted content, and disguise the real C2 traffic making it harder to detect. 

 

The Formbook malware family has been distributed previously through phishing emails with attached malicious Office documents, however since Microsoft disabled macros on documents from the internet by default this has no longer been possible. Using malicious Google Ads impersonating legitimate software means that just like with the original phishing scams, the best protection for your systems from this malware is through educating your staff on best cyber security practices. The high number of obfuscation and detection evasion stages used in this MalVirt attack including steps taken by the final infostealer itself mean automated endpoint detection products may not detect and remove this malware before it spreads. Security teams should ensure all staff know to check the validity of a site before accessing it and downloading any content, such as by checking for spelling mistakes in the URL or on the webpage itself. Having an application allow list of authorised software for work devices, and where to download this software from, can further aid in protecting your network from this form of cyber-attack.  

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

CREST
CCS
ISO9001
ISO27001
CE-PLUS

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.