Hackers Abuse Google Ads to Distribute Antivirus-Evading Malware
Researchers Warn of a Surge in Abusing Google Search Ads to Distribute Malware.
Last updated on September 28, 2023
A Google Ads malvertising campaign was found using KoiVM virtualization technology to install the Formbook data stealer without being detected by antivirus software.
The loaders, dubbed MalVirt, are promoted by threat actors in advertisements that appear to offer the Blender 3D program. The downloads served by the fraudulent sites attempt to spoof the digital signatures of Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA.
Although Windows does not treat these invalid signatures as valid, so the files are not displayed as signed, the MalVirt loaders still carry additional capabilities for evading detection. Cyber researchers explained that:
Some samples patch the AmsiScanBuffer function implemented in amsi.dll to bypass the Antimalware Scan Interface (AMSI) that detects malicious PowerShell commands.
Further, in an attempt to evade static detection mechanisms, some strings (such as amsi.dll and AmsiScanBuffer) are Base64-encoded and AES-encrypted.
The KoiVM plugin for the ConfuserEx .NET protector obfuscates a program by replacing its opcodes with an encoding that only KoiVM's own virtual machine can decode. When the application starts, the virtual machine translates the opcodes back into their original form so that the program can run.
According to cyber researchers:
Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as .NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands.
The virtualized code is executed by converting it into the original code at runtime using a virtual machine engine.
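To make the mechanism concrete, here is an added toy code virtualizer written for this article; it is not code from KoiVM, ConfuserEx or the researchers' analysis. A tiny stack program in a made-up four-instruction set is translated into bytecode that only the bundled interpreter understands, and the interpreter decodes it back at run time. The instruction set, opcode values, seed-derived translation table and sample program are all constructed for illustration.

```python
"""
Added example: a toy code virtualizer, in the spirit of the virtualization
obfuscation described in the article. Everything here (instruction set,
opcode values, key derivation, sample program) is constructed; it is not
KoiVM's or ConfuserEx's code.
"""

# The "original" instruction set: opcode byte -> mnemonic (constructed).
ORIGINAL_OPS = {0x01: "PUSH", 0x02: "ADD", 0x03: "MUL", 0x04: "RET"}

# Sample clear program: PUSH 2, PUSH 3, ADD, PUSH 4, MUL, RET  -> (2 + 3) * 4
SAMPLE_PROGRAM = bytes([0x01, 2, 0x01, 3, 0x02, 0x01, 4, 0x03, 0x04])


def virtualize(program: bytes, seed: int):
    """Translate a clear program into VM bytecode.

    Each original opcode gets a per-build 'virtual' opcode derived from the
    seed (stand-in for the randomness a real protector uses), and every
    byte is XORed with a per-build key so immediates do not survive either.
    Returns (blob, vm_table); the table is what the embedded VM needs.
    """
    mapping = {op: 0x20 + ((op * 37 + seed) % 0xDF) for op in ORIGINAL_OPS}
    key = 1 + ((seed * 131 + 7) % 0xFE)
    out = bytearray()
    i = 0
    while i < len(program):
        op = program[i]
        out.append(mapping[op] ^ key)
        if ORIGINAL_OPS[op] == "PUSH":   # PUSH carries one immediate byte
            out.append(program[i + 1] ^ key)
            i += 2
        else:
            i += 1
    return bytes(out), {"map": mapping, "key": key}


def decode_clear(program: bytes):
    """Yield (mnemonic, immediate) pairs from a clear program."""
    i = 0
    while i < len(program):
        name = ORIGINAL_OPS[program[i]]
        if name == "PUSH":
            yield name, program[i + 1]
            i += 2
        else:
            yield name, None
            i += 1


def decode_virtualized(blob: bytes, vm_table: dict):
    """The embedded VM's decoder: map virtual opcodes back to the original
    instruction stream at run time. Without vm_table the blob is opaque."""
    virtual_to_original = {v: k for k, v in vm_table["map"].items()}
    key = vm_table["key"]
    i = 0
    while i < len(blob):
        name = ORIGINAL_OPS[virtual_to_original[blob[i] ^ key]]
        if name == "PUSH":
            yield name, blob[i + 1] ^ key
            i += 2
        else:
            yield name, None
            i += 1


def execute(instructions) -> int:
    """Run a decoded instruction stream on a small operand stack."""
    stack = []
    for name, imm in instructions:
        if name == "PUSH":
            stack.append(imm)
        elif name == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append(a + b)
        elif name == "MUL":
            b, a = stack.pop(), stack.pop()
            stack.append(a * b)
        elif name == "RET":
            return stack.pop()
    raise ValueError("program ended without RET")


if __name__ == "__main__":
    blob, table = virtualize(SAMPLE_PROGRAM, seed=7)
    print("clear program :", SAMPLE_PROGRAM.hex())
    print("virtualized   :", blob.hex())
    print("clear result  :", execute(decode_clear(SAMPLE_PROGRAM)))
    print("VM result     :", execute(decode_virtualized(blob, table)))
```

The point for defenders: a byte signature written against the clear program (say, its first five bytes) finds nothing in the virtualized blob, and every build with a different seed yields a different blob, yet both paths compute the same result. What stays constant across builds is the decoder and dispatcher (decode_virtualized and execute here), which is why analysis and detection of virtualized samples tends to focus on the VM engine rather than on the protected body.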
When attackers use virtualization, it complicates malware investigation and signals a deliberate effort to evade static analysis tools. In one of the analysed Google Ads campaigns, the adversary distributed the Formbook data-stealing malware through virtualized .NET loaders dubbed ‘MalVirt,’ which deliver the final payload while going unnoticed by antivirus software.
Although KoiVM virtualization is widely used in hacking tools and software cracks, deploying malware is not its usual purpose. This unusual use of KoiVM could be one of the side effects of Microsoft disabling macros in Office.
Formbook's New Tricks
Formbook was also found using a new trick to conceal its real C2 (command and control) traffic and IP addresses. The data-stealing malware mixes its actual traffic with a variety of “smokescreen” HTTP requests, each with encoded content so that the real check-in blends in with the decoys. The malware randomly selects the decoy targets from a hardcoded list of domains hosted by multiple companies and interacts with them.
According to researchers, Formbook pretended to be communicating with 17 domains, while only one of them was the C2 server. The other ones were just used to trick network traffic monitoring tools.
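The pattern described above, many same-looking POSTs from one client to many unrelated domains in a short burst, is something a defender can look for in proxy or egress logs. The following is an added example written for this article, not code from the researchers' report; it runs a simple detector over a constructed log excerpt. The log format, host names, client names and thresholds are all constructed.

```python
"""
Added example: detection logic for "smokescreen" C2 beaconing, run over a
constructed proxy log. A client that POSTs near-identical-sized payloads
to ten or more distinct domains within a minute is flagged. Everything
here (log format, hosts, clients, thresholds) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: timestamp, client, method, destination host, request bytes.
SAMPLE_LOG = """\
2023-09-28T10:00:00Z ws-03 GET  news.example 0
2023-09-28T10:00:02Z ws-03 POST mail.example 1482
2023-09-28T10:00:05Z ws-03 POST crm.example 96
2023-09-28T10:01:00Z ws-17 POST host-a.example 318
2023-09-28T10:01:02Z ws-17 POST host-b.example 320
2023-09-28T10:01:03Z ws-17 GET  update.example 0
2023-09-28T10:01:04Z ws-17 POST host-c.example 316
2023-09-28T10:01:06Z ws-17 POST host-d.example 322
2023-09-28T10:01:08Z ws-17 POST host-e.example 319
2023-09-28T10:01:09Z ws-17 POST host-f.example 317
2023-09-28T10:01:11Z ws-17 POST host-g.example 321
2023-09-28T10:01:13Z ws-17 POST host-h.example 318
2023-09-28T10:01:15Z ws-17 POST host-i.example 320
2023-09-28T10:01:17Z ws-17 POST host-j.example 316
2023-09-28T10:01:19Z ws-17 POST host-k.example 323
2023-09-28T10:01:21Z ws-17 POST host-l.example 318
2023-09-28T10:05:00Z ws-03 POST crm.example 101
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, method, host, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": host,
        "bytes": int(size),
    }


def find_smokescreen_clients(log_text: str, window_seconds: int = 60,
                             min_domains: int = 10,
                             size_tolerance: float = 0.25) -> dict:
    """Return {client: {"window_start": datetime, "domains": [...]}} for
    clients whose POSTs inside one sliding window hit at least min_domains
    distinct hosts with request sizes all within size_tolerance of the
    median (decoys and the real check-in are encoded to look alike)."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["method"] == "POST":
                posts[ev["client"]].append(ev)

    alerts = {}
    for client, evs in posts.items():
        evs.sort(key=lambda e: e["ts"])
        for start in range(len(evs)):
            end = evs[start]["ts"] + timedelta(seconds=window_seconds)
            window = [e for e in evs[start:] if e["ts"] <= end]
            domains = {e["host"] for e in window}
            if len(domains) < min_domains:
                continue
            sizes = sorted(e["bytes"] for e in window)
            median = sizes[len(sizes) // 2]
            if median and all(abs(s - median) <= size_tolerance * median
                              for s in sizes):
                alerts[client] = {"window_start": evs[start]["ts"],
                                  "domains": sorted(domains)}
                break   # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for client, info in find_smokescreen_clients(SAMPLE_LOG).items():
        print(client, info["window_start"].isoformat(),
              len(info["domains"]), "domains:", ", ".join(info["domains"]))
```

The detector cannot say which of the flagged domains is the real C2 server, and that is the practical lesson of the technique: blocking or investigating a single destination from such a burst is likely to hit a decoy, so the whole set of domains contacted in the window, together with the originating process on the client, is what an analyst should pivot on.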
Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.