DotRunpeX is a recently discovered malware that has been identified as a distributor for multiple known malware families. The threat is a new type of injector, written in the .NET programming language, that relies on the Process Hollowing technique. The malware is designed to infect systems with various types of malicious software. Details about the threat were revealed in a report by the security researcher
DotRunpeX is said to be currently in active development and typically arrives as a second-stage malware in the infection chain. It's commonly deployed via a downloader, also known as a loader, which is transmitted to victims via phishing emails containing malicious attachments. Once the loader is executed, it initiates the injection of DotRunpeX into the system, which then facilitates the installation of the additional malware families. The threat actors may rely on DotRunpeX to deploy next-stage payloads from the Agent Tesla, Ave Maria, BitRAT, FormBook, RedLine Stealer, LokiBot, XWorm, NetWire, Raccoon Stealer, Remcos, Rhadamanthys, and Vidar families.
DotRunpeX may Leverage Unsafe Google Advertisements
DotRunpeX is known to use a variety of tactics to infect users' devices. One of the methods it has been observed to use is leveraging malicious Google Ads on search result pages to lure unsuspecting users into clicking on copycat websites that host Trojanized installers. This is done by directing users searching for popular software such as AnyDesk and LastPass to these fake websites.
Recent analysis of DotRunpeX has revealed that the malware adds an extra layer of obfuscation by using the KoiVM virtualizing protector in the latest artifacts, first spotted in October 2022. Additionally, each DotRunpeX sample has been found to carry an embedded payload of a particular malware family to be injected. The malware terminates anti-malware processes from a specified list, which is possible because it abuses a vulnerable Process Explorer driver (procexp.sys), bundled with DotRunpeX, to obtain kernel-mode execution.
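The abuse of a bundled, legitimately signed but vulnerable driver is the part of this chain a defender can look for directly: a driver-load event for procexp.sys from a location where no administrator installed Process Explorer. The following is an added detection example and not code from the report or from the malware; it assumes a constructed, Sysmon-style "DriverLoad" record format (EventID 6 with ImageLoaded and Signature fields) and a hypothetical allow-list of directories where the driver is expected, both of which must be tuned to a real environment.

```python
"""
Added example: flag driver-load records for the vulnerable Process Explorer
driver (procexp.sys) that DotRunpeX bundles to gain kernel-mode execution.

Assumptions (not from the article):
  * log lines are constructed, Sysmon-style key=value records (EventID=6 is a
    driver load, with ImageLoaded and Signature fields);
  * DEFAULT_ALLOWED_DIRS is a hypothetical list of folders where an admin
    legitimately runs Process Explorer; anything else is worth a look.
"""
import re
from typing import Dict, List

# Constructed sample telemetry, not real logs. Line 1 and 3 are suspicious
# (driver loaded from temp folders); line 5 comes from the allow-listed tool dir.
SAMPLE_LOG = r"""
EventID=6 UtcTime=2023-03-20 10:01:02 ImageLoaded=C:\Windows\Temp\procexp.sys Signature=Microsoft Windows Hardware Compatibility Publisher
EventID=6 UtcTime=2023-03-20 10:02:15 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signature=Microsoft Windows
EventID=6 UtcTime=2023-03-20 10:03:44 ImageLoaded=C:\Users\admin\AppData\Local\Temp\PROCEXP.SYS Signature=Microsoft Windows Hardware Compatibility Publisher
EventID=1 UtcTime=2023-03-20 10:04:00 Image=C:\Tools\SysinternalsSuite\procexp64.exe
EventID=6 UtcTime=2023-03-20 10:05:10 ImageLoaded=C:\Tools\SysinternalsSuite\procexp.sys Signature=Microsoft Windows Hardware Compatibility Publisher
""".strip()

# Hypothetical allow-list: where this (constructed) environment expects the driver.
DEFAULT_ALLOWED_DIRS = [r"C:\Tools\SysinternalsSuite"]

# key=value pairs; values may contain spaces, so stop only before the next key=.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Case-insensitive match on the driver file name the article names.
DRIVER_NAME_RE = re.compile(r"^procexp.*\.sys$", re.IGNORECASE)


def parse_record(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; empty lines give an empty dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def split_path(path: str):
    """Return (folder, file name) for a Windows-style path."""
    normalized = path.replace("/", "\\")
    folder, _, name = normalized.rpartition("\\")
    return folder, name


def is_suspicious_driver_load(record: Dict[str, str], allowed_dirs: List[str]) -> bool:
    """True when a procexp*.sys driver is loaded from outside the allow-listed folders.

    The driver carries a valid signature, so the Signature field alone cannot
    separate a legitimate Process Explorer session from abuse; the load path
    (and, in a real deployment, the loading process) is what carries the signal.
    """
    if record.get("EventID") != "6":
        return False
    folder, name = split_path(record.get("ImageLoaded", ""))
    if not DRIVER_NAME_RE.match(name):
        return False
    folder_lc = folder.lower()
    return not any(folder_lc.startswith(d.lower().rstrip("\\")) for d in allowed_dirs)


def find_suspicious_loads(log_text: str, allowed_dirs=None) -> List[str]:
    """Return the ImageLoaded paths of every suspicious driver load in the log."""
    allowed = DEFAULT_ALLOWED_DIRS if allowed_dirs is None else allowed_dirs
    hits = []
    for record in map(parse_record, log_text.splitlines()):
        if record and is_suspicious_driver_load(record, allowed):
            hits.append(record["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in find_suspicious_loads(SAMPLE_LOG):
        print("suspicious driver load:", path)
```

Because the driver is a legitimate, signed Microsoft component, a signature-based allow-list would pass all three procexp.sys loads above; the path check is what isolates the two from temporary folders, and in production the parent process and user context of the load should be correlated the same way.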
Make Sure to Have Sufficient Security against Infostealers and Trojans
Infostealers and Trojans are two types of malicious software that pose significant dangers to users' devices and personal information.
Infostealers, as the name suggests, are designed to steal sensitive information such as login credentials, credit card details, and other personal data. They can be used to monitor users' online activities, capture keystrokes, and steal data from web browsers, email clients, and other applications. Infostealers are often delivered through email attachments, malicious links, or bundled with other software, and can remain undetected for long periods of time, allowing attackers to continuously collect data.
Trojans, on the other hand, are a type of malware designed to appear harmless or useful while actually containing hidden malicious functions. They can be used to gain unauthorized access to a user's device, steal sensitive data, or damage files and software. Trojans can remain undetected on breached devices for prolonged periods of time until they are activated.