MalVirt is the name SentinelOne gave to a family of malware loaders: .NET executables whose code has been run through a code virtualizer (SentinelOne identified KoiVM), observed being distributed through malvertising. A loader is the first stage of an infection; once it runs, it decrypts and executes its real payload, and in this campaign that payload was an information stealer that harvests credentials and other data from the infected host. SentinelOne senior threat researcher Aleksandar Milenkoski found that the MalVirt loaders deliver malware from the Formbook family, and the campaign was still ongoing when SentinelOne published its advisory.
In the past, Formbook and its successor XLoader have typically been distributed via phishing emails and "malspam" carrying macro-enabled Office documents. The MalVirt campaign suggests a shift towards delivering these stealers through malvertising instead. The loaders stand out for the unusual amount of anti-analysis and anti-detection machinery they apply: the virtualized code defeats ordinary .NET decompilation, and some samples also check whether they are running inside a virtual machine or sandbox, typically by querying registry keys that betray a VirtualBox or VMware guest. The practical consequence for analysts is that a sample detonated in a stock VirtualBox or VMware sandbox may simply exit before the payload ever appears, so those artefacts need to be hidden or the check patched out.
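The registry-based VM check described above, as an added example: this is not SentinelOne's code and not a MalVirt sample, but a checker that applies the well-known VirtualBox and VMware registry artefacts such loaders look for, so an analyst can see what a sandbox would reveal to them. It runs offline against constructed registry snapshots (the hostnames, versions and identifiers in them are made up for illustration) and can optionally read the live registry on Windows through the standard winreg module.

```python
"""What would a MalVirt-style loader's VM check see on this host?

Added example, not SentinelOne's or MalVirt's code. Applies common
VirtualBox/VMware registry heuristics to a registry snapshot (a dict) so
it runs anywhere; on Windows, snapshot_from_live_registry() reads the real keys.
"""
import sys

# Artefacts commodity loaders query, as (subkey under HKLM, value name or None,
# substring that marks a hit or None, product label). value name None means
# the mere existence of the key is the tell.
VM_INDICATORS = [
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", None, None, "VirtualBox"),
    (r"SYSTEM\CurrentControlSet\Services\VBoxGuest", None, None, "VirtualBox"),
    (r"HARDWARE\ACPI\DSDT\VBOX__", None, None, "VirtualBox"),
    (r"SOFTWARE\VMware, Inc.\VMware Tools", None, None, "VMware"),
    (r"SYSTEM\CurrentControlSet\Services\vmtools", None, None, "VMware"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer", "INNOTEK", "VirtualBox"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer", "VMWARE", "VMware"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VBOX", "VirtualBox"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "Identifier", "VMWARE", "VMware"),
]


def scan_snapshot(snapshot):
    """snapshot: {subkey: {value_name: data}} under HKLM, matched case-insensitively.
    Returns a sorted list of (label, subkey, value_name) hits."""
    norm = {k.lower(): {vn.lower(): str(d) for vn, d in vals.items()}
            for k, vals in snapshot.items()}
    hits = set()
    for subkey, value_name, needle, label in VM_INDICATORS:
        vals = norm.get(subkey.lower())
        if vals is None:
            continue                      # key absent: no evidence from this probe
        if value_name is None:
            hits.add((label, subkey, None))   # key existence alone is the tell
            continue
        data = vals.get(value_name.lower())
        if data is not None and needle.upper() in data.upper():
            hits.add((label, subkey, value_name))
    return sorted(hits, key=lambda h: (h[0], h[1], h[2] or ""))


def verdict(hits):
    """Summarise hits the way a loader would act on them."""
    labels = sorted({h[0] for h in hits})
    return "bare-metal-looking" if not labels else "VM: " + ", ".join(labels)


def snapshot_from_live_registry():
    """Windows only: read just the keys and values that VM_INDICATORS probe."""
    import winreg
    snap = {}
    for subkey, value_name, _, _ in VM_INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                vals = snap.setdefault(subkey, {})
                if value_name is not None:
                    try:
                        vals[value_name] = winreg.QueryValueEx(key, value_name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    return snap


# Constructed snapshots for offline use; not captured from real hosts.
VBOX_GUEST = {                       # default VirtualBox guest with Guest Additions
    r"SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "7.0.12"},
    r"HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "innotek GmbH"},
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
        {"Identifier": "VBOX HARDDISK"},
}
HARDENED_SANDBOX = {                 # tools removed and BIOS strings patched, ACPI table not
    r"HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "Dell Inc."},
    r"HARDWARE\ACPI\DSDT\VBOX__": {},
}
PHYSICAL = {                         # a laptop with no hypervisor artefacts
    r"HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "LENOVO"},
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0":
        {"Identifier": "NVMe Samsung SSD 980"},
}

if __name__ == "__main__":
    snap = snapshot_from_live_registry() if sys.platform == "win32" else VBOX_GUEST
    for label, subkey, value_name in scan_snapshot(snap):
        print(f"{label:<10} HKLM\\{subkey}" + (f" [{value_name}]" if value_name else ""))
    print(verdict(scan_snapshot(snap)))
```

The HARDENED_SANDBOX case is the one worth noticing: uninstalling Guest Additions and rewriting the BIOS strings is not enough, because the `VBOX__` ACPI table still identifies the hypervisor, and a loader that probes several artefacts only needs one of them to fire before it bails out.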
The operators behind Formbook and XLoader are showing that they can move beyond phishing and follow the wider trend towards malvertising, with MalVirt as the delivery vehicle. The loaders also carry Authenticode signatures and countersignatures naming companies such as Microsoft, Acer, DigiCert and Sectigo, but the certificates are invalid or do not chain to a trusted root, so the signatures fail verification; a familiar signer name on its own is not a trust signal, only the verification status is. SentinelOne first encountered a MalVirt sample during a routine Google search for "Blender 3D", and the researchers were struck by the lengths the operators had gone to in order to frustrate detection and analysis of both the loaders and the info-stealing payload.
Description last updated: 2024-05-04T18:50:57.305Z