New DotRunpeX Malware Injector Spotted In The Wild

A New Threat Emerges: dotRunpeX Malware Injector

A new malware injector, dubbed dotRunpeX, has been discovered in the wild, and it is currently being used to deliver a variety of malware families, including stealers, RATs, loaders, and downloaders. This threat was first disclosed in October 2022, and since then, two versions have been detected. The highest number of attacks were observed in December 2022.

The dotRunpeX malware injector leverages the process hollowing technique to hide its presence during the infection process, making it more difficult to detect. Researchers have observed its usage in the second stage of the infection chain in dozens of campaigns, indicating that it is a persistent threat that organizations must be aware of.

Infection Vector

The first-stage loaders are primarily delivered via phishing emails that contain malicious attachments in the form of .iso, .img, .zip, or .7z files. These emails often pretend to be transaction information from a bank, which can be viewed by clicking on the attached files. In some cases, threat actors abused Google Ads to promote fake websites masquerading as regular program utilities such as Galaxy Swapper, OBS Studio, Onion Browser, Brave Wallet, LastPass, AnyDesk, and MSI Afterburner. Clicking on these fake sites leads to the download of dotRunpeX injector that further deploys different malware.

Malware Delivered by dotRunpeX

Among the malware delivered by dotRunpeX include AgentTesla, ArrowRAT, AsyncRAT, AveMaria, BitRAT, Formbook, Lokibot, NetWire, PrivateLoader, LgoogLoader, QuasarRAT, Remcos, Vidar, and others. These malware families are designed to steal sensitive information, provide remote access to the attacker, or download additional malware onto the infected device.

Action to Take

As Check Point researchers continue to monitor the evolution of the malware injector, organizations must take action on their part by blocking the IOCs associated with dotRunpeX. Additionally, it is recommended to have secure email gateways to check inbound, outbound, and internal emails from phishing attacks.

The dotRunpeX malware injector is a persistent threat that organizations must be aware of. It is currently being used to deliver a variety of malware families, primarily related to stealers, RATs, loaders, and downloaders. To protect your organization from this threat, it is recommended to stay vigilant and take proactive measures to block IOCs associated with dotRunpeX.

LiteSpeed Cache vs WP Rocket

Shared Web Hosting: Is It the Right Choice for Your Website?

Memorial Day Weekend Deals

Crucial Things to Know When Choosing Web Hosting Services

Switching to cPanel’s Jupiter Theme

Automatically Clear Elementor Cache and Regenerate CSS

Website Speedtest macOS Shortcuts

New method accelerates data retrieval in huge databases

LiteSpeed Cache Settings for Voxel

Are You Using Redis Cache on Your Website?

Automatically Clear Elementor Cache and Regenerate CSS

Unlock the Full Potential of Elementor with These 10 Advanced Tips

Master the Art of Web Design with Elementor Pro

What Is CSS Print Method in the Elementor Settings? Which Should I Choose?

Remove Unused Elementor Widgets