A new malware named dotRunpeX has been used to distribute numerous malware families, including Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys and Vidar.

How does DotRunpeX malware work?

“DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families,” Check Point stated in a report released last week.

Said to be under active development, dotRunpeX arrives as second-stage malware in the infection chain, often deployed via a downloader (also known as a “loader”) that is delivered through phishing emails as a malicious attachment (a classic technique).

Alternatively, it has been known to abuse malicious Google Ads on search results pages to direct unsuspecting users looking for popular software such as AnyDesk and LastPass to copycat sites hosting trojanized installers.

The latest dotRunpeX artifacts, first spotted in October 2022, add another layer of obfuscation by using the KoiVM virtualization protector.

Notably, the findings coincide with a malvertising campaign documented by SentinelOne last month, in which the loader and injector components were collectively referred to as MalVirt.

Check Point’s analysis also revealed that “each dotRunpeX sample has an embedded payload of a given malware family to be injected,” with the injector also carrying a list of anti-malware processes to terminate.

This, in turn, is made possible by abusing a vulnerable Process Explorer driver (procexp.sys) bundled with dotRunpeX to achieve kernel-mode execution, a “bring your own vulnerable driver” (BYOVD) approach: the signed but exploitable driver is dropped and loaded by the malware, which then uses it to kill security products that a user-mode process could not touch.
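The two behaviours described above (a Process Explorer driver loaded from an unexpected location, followed by security-product processes being terminated) lend themselves to a simple correlation rule. The following is an added detection example written for this page; it is not Check Point's code or anything taken from the injector. The event records are constructed to resemble Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate); the field names, the list of security-product process names, the trusted driver directories and the 60-second correlation window are all assumptions, not values from the report.

```python
"""Correlate a suspicious Process Explorer driver load with subsequent kills
of security-product processes. Added example for this article; constructed
sample telemetry, assumed field names and thresholds."""

from datetime import datetime, timedelta

# Assumption: process names of common security products an injector may target.
SECURITY_PROCESSES = {
    "msmpeng.exe", "mssense.exe", "ekrn.exe", "avp.exe", "bdagent.exe",
}

# Assumption: where legitimately installed kernel drivers normally live.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers\\".rstrip("\\") + "\\",
    r"c:\windows\system32\driverstore\\".rstrip("\\") + "\\",
)

# Constructed sample events (not real telemetry). id 6 = driver loaded,
# id 5 = process terminated; timestamps are local strings for simplicity.
SAMPLE_EVENTS = [
    {"id": 6, "time": "2023-03-20 10:00:01",
     "image_loaded": r"C:\Windows\System32\drivers\procexp152.sys"},
    {"id": 6, "time": "2023-03-20 10:05:00",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\procexp.sys"},
    {"id": 5, "time": "2023-03-20 10:05:02",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"id": 5, "time": "2023-03-20 10:05:03",
     "image": r"C:\Program Files (x86)\ESET\ekrn.exe"},
    {"id": 5, "time": "2023-03-20 10:07:00",
     "image": r"C:\Windows\notepad.exe"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_driver_load(event):
    """A Process Explorer driver (procexp*.sys) loaded from outside the
    trusted driver directories. Name matching by prefix is an assumption."""
    path = event["image_loaded"].lower()
    name = basename(path)
    if not (name.startswith("procexp") and name.endswith(".sys")):
        return False
    return not path.startswith(TRUSTED_DRIVER_DIRS)


def detect(events, window_seconds=60, min_kills=2):
    """Return one alert per suspicious driver load, listing any security
    processes terminated within window_seconds afterwards. Severity is
    'high' when at least min_kills security processes died in the window."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    alerts = []
    for index, event in enumerate(ordered):
        if event["id"] != 6 or not is_suspicious_driver_load(event):
            continue
        start = parse_time(event["time"])
        killed = []
        for later in ordered[index + 1:]:
            if parse_time(later["time"]) - start > timedelta(seconds=window_seconds):
                break
            if later["id"] == 5 and basename(later["image"]) in SECURITY_PROCESSES:
                killed.append(basename(later["image"]))
        alerts.append({
            "driver": event["image_loaded"],
            "killed": killed,
            "severity": "high" if len(killed) >= min_kills else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample, the driver loaded from `System32\drivers` produces nothing, while the copy loaded from the user's Temp directory followed two seconds later by the termination of Defender and ESET processes raises a single high-severity alert. A real deployment would read the events from the Sysmon operational log and tune the process list and window to the environment.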

There are signs that dotRunpeX could be affiliated with Russian-speaking threat actors, based on linguistic references in the code. The malware families most frequently distributed by the emerging threat include RedLine, Raccoon, Vidar, Agent Tesla and FormBook.

It is important to pay attention while browsing and to use a good ad blocker in your browser, since the malvertising route relies on users clicking sponsored results for software they were looking for anyway.

If the damage is already done, a good antivirus or anti-malware product can help detect and remove the infection.