
Malvertising campaigns are dropping .NET info-stealers

by Yadullah Abidi | 2 min read

Malvertising campaigns are dropping .NET info-stealing malware dubbed MalVirt. The samples are highly obfuscated and distributed as virtualised .NET loaders. The campaign was discovered by SentinelOne researchers during a routine Google ad search for Blender 3D, a popular open-source 3D design program.

MalVirt uses signatures and countersignatures from Microsoft, Acer, Digicert, Sectigo and several other companies to avoid detection. That said, these signatures are invalid or are created using invalid certificates and hence get flagged on most systems.

According to SentinelOne’s report, to further throw off investigators and disguise its real Command and Control (C2), the malware sends data to multiple random decoy C2 servers hosted with different providers, including Azure, Tucows, Choopa and Namecheap. 

MalVirt uses a variety of domains to hide the actual C2 server. | Source: SentinelLabs

As for execution on the system, the dropper uses KoiVM virtualisation as an obfuscation method. Once it reaches the target system, it drops an info-stealer of the Formbook family. Distribution through the MalVirt loader “is characterised by an unusual amount of applied anti-analysis and anti-detection techniques”.

The Formbook family includes Formbook and its newer version, Xloader. Both are info-stealers whose capabilities include keylogging, screenshot theft and the theft of web and other credentials, and both can act as a staging platform for additional malware. Xloader can also heavily disguise its C2 traffic.

While it is traditionally delivered as an attachment to phishing emails, this new distribution method shows how much threat actors have adapted to Microsoft’s decision to block macros by default in Word, Excel and PowerPoint, which shut down a commonly abused attack vector. LNK files, as well as ISO and RAR attachments, are also being used as attack vectors now.

Malvertising is becoming increasingly popular among threat actors, who now frequently abuse Google Ads to trick unsuspecting users into downloading malware. Users are redirected to a fake site and offered a fake version of a popular program that includes a malware dropper.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes, edits, shoots and codes all things cybersecurity, gaming and tech hardware. When he's not, he streams himself racing virtual cars. He has been writing and reporting on tech and cybersecurity for websites such as Candid.Technology and MakeUseOf since 2018.