A New Threat Emerges: dotRunpeX Malware Injector
A new malware injector, dubbed dotRunpeX, has been discovered in the wild and is currently being used to deliver a variety of malware families, including stealers, RATs, loaders, and downloaders. The threat was first disclosed in October 2022, and two versions have been detected since then. The highest number of attacks was observed in December 2022.
The dotRunpeX malware injector leverages the process hollowing technique to hide its presence during the infection process, making it more difficult to detect. Researchers have observed its usage in the second stage of the infection chain in dozens of campaigns, indicating that it is a persistent threat that organizations must be aware of.
Infection Vector
The first-stage loaders are primarily delivered via phishing emails carrying malicious attachments in the form of .iso, .img, .zip, or .7z files. These emails often pose as transaction information from a bank that can supposedly be viewed by opening the attached file. In some cases, threat actors abused Google Ads to promote fake websites masquerading as legitimate program utilities such as Galaxy Swapper, OBS Studio, Onion Browser, Brave Wallet, LastPass, AnyDesk, and MSI Afterburner. Visiting these fake sites leads to the download of the dotRunpeX injector, which then deploys different malware.
Malware Delivered by dotRunpeX
The malware delivered by dotRunpeX includes AgentTesla, ArrowRAT, AsyncRAT, AveMaria, BitRAT, Formbook, Lokibot, NetWire, PrivateLoader, LgoogLoader, QuasarRAT, Remcos, Vidar, and others. These malware families are designed to steal sensitive information, provide remote access to the attacker, or download additional malware onto the infected device.
Action to Take
As Check Point researchers continue to monitor the evolution of the malware injector, organizations must do their part by blocking the IOCs associated with dotRunpeX. Additionally, it is recommended to deploy secure email gateways that screen inbound, outbound, and internal email for phishing attacks.
The dotRunpeX malware injector is a persistent threat that organizations must be aware of. It is currently being used to deliver a variety of malware families, primarily stealers, RATs, loaders, and downloaders. To protect your organization from this threat, stay vigilant and take proactive measures to block the IOCs associated with dotRunpeX.