Numerous malware strains distributed via new dotRunpeX injector

Threat actors have been leveraging the new dotRunpeX malware injector to deploy several malware families, The Hacker News reports. According to a Check Point report, RedLine, Raccoon, Vidar, Agent Tesla and FormBook were the families most commonly distributed by the .NET-based injector, which has also been used to deliver LokiBot, PrivateLoader, AsyncRAT, BitRAT and NetWire. The injector has been associated with Russian-speaking threat actors because of the language used in its code. It has been distributed both through malicious Google Ads that redirect to trojanized installers for legitimate software such as LastPass and AnyDesk, and through phishing emails, the report showed.

Researchers noted that the most recent dotRunpeX samples use the KoiVM virtualizing protector for stronger obfuscation. "Each dotRunpeX sample has an embedded payload of a certain malware family to be injected," the researchers said, adding that the injector also abuses the vulnerable procexp.sys Process Explorer driver to achieve kernel-mode execution (a bring-your-own-vulnerable-driver technique, since the driver itself is legitimate and signed).
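As an added example (not code from the page, from Check Point, or from the malware itself), the script below shows the kind of static triage a responder would run on a suspected loader: it looks for a second PE image embedded after the container's own header, the per-sample payload pattern the report describes, and for the two string indicators the report names, "KoiVM" and "procexp.sys". The sample blob, the minimal PE header builder and the indicator list are constructed here for illustration; a real KoiVM-protected binary will not necessarily contain a literal "KoiVM" string, so treat the indicator hits as a hint, not a verdict.

```python
"""Static triage helper for suspected .NET injectors (added example).

Two checks drawn from the report's description of dotRunpeX:
  1. a PE image embedded inside the loader beyond its own header
     (the per-sample payload that gets injected), and
  2. string indicators: "KoiVM" (virtualizing protector) and
     "procexp.sys" (vulnerable Process Explorer driver).
All sample data below is constructed; nothing here is real malware.
"""
import struct

# Indicator strings named in the report. The list itself is an assumption:
# packed or virtualized samples may not expose these as plain strings.
INDICATORS = (b"KoiVM", b"procexp.sys")


def minimal_pe(tag: bytes = b"") -> bytes:
    """Build just enough MZ/PE structure for signature checks to succeed.

    Layout: 'MZ' at 0, e_lfanew at 0x3C pointing to 0x40, 'PE\\0\\0' at 0x40,
    then the i386 machine field and some zero padding. Not executable.
    """
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # 64 bytes
    pe_sig = b"PE\x00\x00" + struct.pack("<H", 0x14C)  # IMAGE_FILE_MACHINE_I386
    return dos_header + pe_sig + b"\x00" * 26 + tag  # 96 bytes + tag


def find_embedded_pes(blob: bytes) -> list[int]:
    """Return offsets (excluding 0, the container's own header) at which a
    plausible PE image starts: 'MZ', a sane e_lfanew, and 'PE\\0\\0' there."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # need the full DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[sig_off:sig_off + 4] == b"PE\x00\x00":
                if pos != 0:
                    hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def find_indicators(blob: bytes) -> dict[str, int]:
    """Count occurrences of each indicator string that is present."""
    return {ind.decode(): blob.count(ind) for ind in INDICATORS if ind in blob}


def triage(blob: bytes) -> dict:
    """Combine both checks into a single report dict."""
    pes = find_embedded_pes(blob)
    inds = find_indicators(blob)
    return {
        "embedded_pe_offsets": pes,
        "indicators": inds,
        "suspicious": bool(pes) or bool(inds),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a loader: its own PE header, some padding,
    a 'KoiVM' marker, an embedded payload PE, then a 'procexp.sys' string."""
    outer = minimal_pe()                      # offsets 0..95
    padding = b"\x90" * 32                    # 96..127
    marker = b"KoiVM" + b"\x00" * 8           # 128..140
    payload = minimal_pe(b"payload-stub")     # embedded PE starts at 141
    trailer = b"\x00" * 4 + b"procexp.sys\x00"
    return outer + padding + marker + payload + trailer


if __name__ == "__main__":
    print(triage(build_sample()))
```

On a real sample you would feed the file bytes to `triage()` and then carve each reported offset out for separate analysis; the e_lfanew sanity bound and the exclusion of offset 0 are what keep the scan from reporting the container itself or every stray "MZ" byte pair.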
