DotRunpeX Malware: A New .NET Injector Distributing Well-Known Malware Families

DotRunpeX is a new malware that is causing significant concerns for businesses and individuals worldwide. This malicious software uses the Process Hollowing technique in .NET to inject several well-known malware families, including Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.

The malware is currently in active development and is being used as a second-stage malware in the infection chain. It is transmitted via phishing emails with malicious attachments or via malicious Google Ads on search result pages. These ads direct unsuspecting users searching for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers.

DotRunpeX's latest artifacts have an extra obfuscation layer that uses the KoiVM virtualizing protector, making it difficult to detect and analyze. Each DotRunpeX sample has an embedded payload of a specific malware family to be injected, and the injector specifies a list of anti-malware processes to be terminated. The malware can execute kernel mode operations by abusing a vulnerable process explorer driver (procexp.sys) incorporated into it.

Researchers have found language references in the code, indicating that this malware may be affiliated with Russian-speaking actors. The most frequently delivered malware families associated with DotRunpeX include RedLine, Raccoon, Vidar, Agent Tesla, and FormBook.

Malware Families Delivered by DotRunpeX Source: https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized-net-injector-used-in-the-wild/

To protect against such threats, it is crucial to avoid opening suspicious email attachments or downloading software from unverified sources. Installing a reputable antivirus software and keeping it up-to-date can also help protect against such threats.

The emergence of the DotRunpeX malware highlights the need for enhanced cybersecurity measures to protect against sophisticated malware attacks. It is essential to stay informed about the latest threats and take proactive steps to safeguard against them.