DotRunpeX Uses Process Hollowing to Spread Further Malware

A new .NET injector known as dotRunpeX is being used to deliver a range of already known malware families, including Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.

DotRunpeX is a recently developed injector that uses the process hollowing technique to load its embedded payload, one of the known families above, into a legitimate host process. It is still under active development and typically arrives as a second stage in the infection chain: a downloader, most often delivered as a malicious attachment in a phishing email, fetches and runs it. A second delivery path uses malicious Google Ads to send users searching for popular software such as AnyDesk and LastPass to look-alike sites hosting trojanized installers.

Recently discovered dotRunpeX artifacts are protected with the KoiVM virtualizing protector, which adds an extra layer of obfuscation on top of the .NET code. According to Check Point's analysis, each dotRunpeX sample carries one specific embedded payload to inject, together with a list of anti-malware processes to terminate. To kill those processes, the injector brings along a vulnerable but legitimately signed copy of the Process Explorer driver (procexp.sys), loads it, and abuses it to terminate protected processes from kernel mode, a bring-your-own-vulnerable-driver (BYOVD) approach. Loading a driver requires administrative privileges, so this step only works when the infection chain is already running elevated.

There is some evidence that dotRunpeX is linked to Russian-speaking actors, based on Russian-language references in the code. The malware families most frequently delivered through this emerging threat are RedLine, Raccoon, Vidar, Agent Tesla, and FormBook.

What is Process Hollowing and How is it Used by Malware like dotRunpeX?

Process hollowing is an injection technique malware uses to run its own code under the identity of a legitimate program. The injector starts a legitimate executable in a suspended state (the CREATE_SUSPENDED creation flag), so the process exists but its main thread has not yet executed an instruction. It then unmaps, or simply overwrites, the original image inside the suspended process, writes its own executable image into that address space, updates the main thread's saved context so execution will begin at the new image's entry point, and resumes the thread. The operating system, and any tool that inspects the process list, still sees the original file name, path, parent and digital signature; only the memory contents have changed. This is why detection that relies on the on-disk image or the command line can miss the payload: it never exists on disk as its own executable, and it runs inside a process that looks legitimate. It is not invisible, though. The mismatch between the on-disk file and the in-memory image, and the sequence of API calls needed to perform the swap, are both observable to memory forensics and to endpoint sensors that monitor those calls.

In the case of dotRunpeX, the injector is itself written in .NET, and the hollowed process receives whichever payload that particular sample carries, drawn from the known families listed above (Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys or Vidar). It arrives as a second stage, dropped by a downloader that reaches victims through phishing emails and their malicious attachments. Before injecting, it can terminate anti-malware processes through the kernel driver described above. The two techniques complement each other: process hollowing hides the payload inside a legitimate-looking process, and the driver abuse removes security software that might still have noticed the injection.
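As an added illustration of the call sequence described in the two paragraphs above (this is not code from the article, from dotRunpeX, or from Check Point's analysis), the following Python correlates API-call telemetry into a process-hollowing alert. The input records are constructed for the example and mimic what an EDR user-mode hook or kernel callback would report; the field names (ts, pid, image, api, target_pid, target_image, flags), the process names and the PIDs are assumptions, not dotRunpeX artifacts.

```python
from collections import defaultdict

# Hollowing stages in the order they must be performed on the same child process.
CREATE, UNMAP, WRITE, SETCTX, RESUME = range(5)

# Win32 and native APIs that reach each stage (assumed mapping; extend for your telemetry).
API_STAGE = {
    "NtUnmapViewOfSection": UNMAP, "ZwUnmapViewOfSection": UNMAP,
    "WriteProcessMemory": WRITE, "NtWriteVirtualMemory": WRITE,
    "SetThreadContext": SETCTX, "NtSetContextThread": SETCTX,
    "ResumeThread": RESUME, "NtResumeThread": RESUME,
}
CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit


def stage_of(event):
    """Map one telemetry record to a hollowing stage, or None if it is irrelevant."""
    if event["api"] == "CreateProcess":
        # Only a child born suspended can be hollowed before its first instruction runs.
        return CREATE if event.get("flags", 0) & CREATE_SUSPENDED else None
    return API_STAGE.get(event["api"])


def detect_hollowing(events):
    """Return one alert per (parent, child) pair whose call sequence matches hollowing.

    Required, in time order, all from the same source process on the same child:
    suspended create -> memory write -> thread-context change -> resume.
    Unmapping the child's original image is optional (some variants allocate a fresh
    region and leave the original mapping in place) and only raises the severity.
    """
    observed = defaultdict(list)  # (source_pid, target_pid) -> stages seen so far
    child_image = {}              # (source_pid, target_pid) -> image of the suspended child
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage is None:
            continue
        key = (ev["pid"], ev["target_pid"])
        if stage == CREATE:
            observed[key] = [CREATE]  # a fresh suspended child starts a new sequence
            child_image[key] = ev.get("target_image", "?")
            continue
        if not observed[key]:
            continue  # this source never created the child suspended: not covered by this rule
        observed[key].append(stage)
        if stage == RESUME:
            # Both the write and the context change must precede the resume.
            if {WRITE, SETCTX} <= set(observed[key][:-1]):
                alerts.append({
                    "parent_pid": ev["pid"], "parent_image": ev["image"],
                    "child_pid": ev["target_pid"], "child_image": child_image[key],
                    "severity": "high" if UNMAP in observed[key] else "medium",
                    "sequence": list(observed[key]),
                })
            del observed[key]  # the resume closes the window either way
    return alerts


# Constructed sample telemetry (not captured from dotRunpeX): a normal launch, a
# debugger-style suspended launch that only reads the context, and a hollowing sequence.
SAMPLE_EVENTS = [
    {"ts": 1.0, "pid": 1000, "image": "explorer.exe", "api": "CreateProcess",
     "target_pid": 2000, "target_image": "notepad.exe", "flags": 0x0},
    {"ts": 2.0, "pid": 3000, "image": "devenv.exe", "api": "CreateProcess",
     "target_pid": 3100, "target_image": "app.exe", "flags": CREATE_SUSPENDED},
    {"ts": 2.1, "pid": 3000, "image": "devenv.exe", "api": "GetThreadContext", "target_pid": 3100},
    {"ts": 2.2, "pid": 3000, "image": "devenv.exe", "api": "ResumeThread", "target_pid": 3100},
    {"ts": 3.0, "pid": 4000, "image": "loader.exe", "api": "CreateProcess",
     "target_pid": 4100, "target_image": "notepad.exe", "flags": CREATE_SUSPENDED},
    {"ts": 3.1, "pid": 4000, "image": "loader.exe", "api": "NtUnmapViewOfSection", "target_pid": 4100},
    {"ts": 3.2, "pid": 4000, "image": "loader.exe", "api": "WriteProcessMemory", "target_pid": 4100},
    {"ts": 3.3, "pid": 4000, "image": "loader.exe", "api": "WriteProcessMemory", "target_pid": 4100},
    {"ts": 3.4, "pid": 4000, "image": "loader.exe", "api": "SetThreadContext", "target_pid": 4100},
    {"ts": 3.5, "pid": 4000, "image": "loader.exe", "api": "ResumeThread", "target_pid": 4100},
]

if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the ordered sequence against a single child rather than on any one API, so a debugger that creates a suspended child, reads its context and resumes it does not match, and the hollowed notepad.exe is flagged even though its image name is identical to the benign one. A complementary check, the one memory-forensics tools use, is to compare the PE header found at the child's PEB ImageBaseAddress with the file on disk; hollowing leaves the two out of sync.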

March 22, 2023