A newly discovered .NET malware injector is being used in the wild to deliver different malware families, primarily stealers, RATs, loaders, and downloaders. Dubbed dotRunpeX, the threat was first publicly disclosed in October 2022, and two versions have been observed so far.

Detailed analysis

Based on compilation timestamps, the malware rose to prominence between November 2022 and January 2023.
  • The highest number of attacks was observed in December 2022.
  • As the malware injector continues to evolve, researchers have observed its usage in the second stage of the infection chain in dozens of campaigns.
  • The malware leverages the process hollowing technique to hide its presence during the infection process.

Infection vector

The first-stage loaders are primarily delivered via phishing emails that contain malicious attachments in the form of .iso, .img, .zip, or .7z files.
  • To deceive victims, the emails pose as transaction notifications from a bank, which can supposedly be viewed by opening the attached files.
  • In some cases, threat actors abused Google Ads to promote fake websites masquerading as regular program utilities such as Galaxy Swapper, OBS Studio, Onion Browser, Brave Wallet, LastPass, AnyDesk, and MSI Afterburner.
  • Visiting these fake sites leads to the download of the dotRunpeX injector, which then deploys different malware.
  • The malware families delivered by dotRunpeX include AgentTesla, ArrowRAT, AsyncRAT, AveMaria, BitRAT, Formbook, Lokibot, NetWire, PrivateLoader, LgoogLoader, QuasarRAT, Remcos, Vidar, and others.

The bottom line

As Check Point researchers continue to monitor the evolution of the malware injector, organizations must take action on their part by blocking the IOCs associated with dotRunpeX. Additionally, it is recommended to deploy secure email gateways that screen inbound, outbound, and internal email for phishing attacks.
Cyware Publisher