DotRunpeX Malware Injector Widely Delivers Known Malware Families to Attack Windows

DotRunpeX is one of the new and stealthiest .NET injectors that employs the “Process Hollowing” method, through which this malware distributes a diverse range of other malware strains.

Cybersecurity researchers at Check Point recently revealed the real-world use and campaign-related infection paths of DotRunpeX malware after closely monitoring and observing the DotRunpeX malware. 

Additionally, the researchers confirmed in a report they submitted to Cyber Security News that the DotRunpeX malware injector is developing and evolving quickly.

The new version of dotRunpeX is powered by the following features.

• Protected by a customized version of the KoiVM virtualizer
• Highly configurable (disabling Anti-Malware services, Anti-VM, Anti-Sandbox, persistence settings, key for payload decryption, UAC bypass methods)
• More UAC Bypass techniques
• Using simple XOR to decrypt the main payload to be injected (omitted in the latest developed versions)
• Abusing procexp driver (Sysinternals) to kill protected processes (Anti-Malware services)
• Signs of being Russian based – procexp driver name Иисус.sys translated as “jesus.sys”

Malware families delivered by DotRunpeX

Here below, we have mentioned all the malware families that DotRunpeX delivers:

• AgentTesla
• ArrowRAT
• AsyncRat
• AveMaria/WarzoneRAT
• BitRAT
• Formbook
• LgoogLoader
• Lokibot
• NetWire
• PrivateLoader
• QuasarRAT
• RecordBreaker – Raccoon Stealer 2.0
• Redline
• Remcos
• Rhadamanthys
• SnakeKeylogger
• Vidar
• XWorm

Technical Analysis

DotRunpeX often follows the initial infection via distinct .NET loaders in phishing emails or disguised utility sites. It exploits Google Ads and targets rivals with trojanized malware builder tools.

The users who are already searching for the following popular software were redirected by this injector to fake cloned and malicious websites mimicking this software by exploiting Google Ads:

• AnyDesk
• LastPass

Beyond usual infection routes, a unique DotRunpeX case emerged; a DotRunpeX user targeted both regular victims and potential adversaries using a trojanized Redline builder (Redline_20_2_crack.rar) with hidden DotRunpeX as ‘extra’.

Apart from this, a customized version of the KoiVM virtualizer protects the new version of DotRunpeX, and it’s highly configurable.

While the most notable similarity between the new and old ones is their 64-bit executable files, they inject various types of malware families.

DotRunpeX evades the AV solutions using “procexp.sys” to close the protected process handles. It also effectively kills all the active Anti-Malware services.

With ongoing evolution, the DotRunpeX injector is gaining features steadily, attracting increasing attention from security analysts and threat actors.