Friday, February 14, 2025
HomeEmailDotRunpeX Malware Injector Widely Delivers Known Malware Families to Attack Windows

DotRunpeX Malware Injector Widely Delivers Known Malware Families to Attack Windows

Published on

SIEM as a Service

Follow Us on Google News

DotRunpeX is one of the new and stealthiest .NET injectors that employs the “Process Hollowing” method, through which this malware distributes a diverse range of other malware strains.

Cybersecurity researchers at Check Point recently revealed the real-world use and campaign-related infection paths of DotRunpeX malware after closely monitoring and observing the DotRunpeX malware. 

Additionally, the researchers confirmed in a report they submitted to Cyber Security News that the DotRunpeX malware injector is developing and evolving quickly.

The new version of dotRunpeX is powered by the following features.

  • Protected by a customized version of the KoiVM virtualizer
  • Highly configurable (disabling Anti-Malware services, Anti-VM, Anti-Sandbox, persistence settings, key for payload decryption, UAC bypass methods)
  • More UAC Bypass techniques
  • Using simple XOR to decrypt the main payload to be injected (omitted in the latest developed versions)
  • Abusing procexp driver (Sysinternals) to kill protected processes (Anti-Malware services)
  • Signs of being Russian based – procexp driver name Иисус.sys translated as “jesus.sys

Malware families delivered by DotRunpeX

Here below, we have mentioned all the malware families that DotRunpeX delivers:

  • AgentTesla
  • ArrowRAT
  • AsyncRat
  • AveMaria/WarzoneRAT
  • BitRAT
  • Formbook
  • LgoogLoader
  • Lokibot
  • NetWire
  • PrivateLoader
  • QuasarRAT
  • RecordBreaker – Raccoon Stealer 2.0
  • Redline
  • Remcos
  • Rhadamanthys
  • SnakeKeylogger
  • Vidar
  • XWorm

Technical Analysis

DotRunpeX often follows the initial infection via distinct .NET loaders in phishing emails or disguised utility sites. It exploits Google Ads and targets rivals with trojanized malware builder tools.

Phishing email & Google Ads exploit

The users who are already searching for the following popular software were redirected by this injector to fake cloned and malicious websites mimicking this software by exploiting Google Ads:

  • AnyDesk
  • LastPass

Beyond usual infection routes, a unique DotRunpeX case emerged; a DotRunpeX user targeted both regular victims and potential adversaries using a trojanized Redline builder (Redline_20_2_crack.rar) with hidden DotRunpeX as ‘extra’.

Apart from this, a customized version of the KoiVM virtualizer protects the new version of DotRunpeX, and it’s highly configurable.

While the most notable similarity between the new and old ones is their 64-bit executable files, they inject various types of malware families.

DotRunpeX evades the AV solutions using “procexp.sys” to close the protected process handles. It also effectively kills all the active Anti-Malware services.

With ongoing evolution, the DotRunpeX injector is gaining features steadily, attracting increasing attention from security analysts and threat actors.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

WinZip Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A newly discovered vulnerability in WinZip, a popular file compression and archiving utility, has...

New Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild

A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly...

Burp Suite Professional / Community 2025.2 Released With New Built-in AI Integration

PortSwigger has announced the release of Burp Suite Professional and Community Edition 2025.2, introducing...

Arbitrary File Upload Vulnerability in WordPress Plugin Let Attackers Hack 30,000 Website

A subgroup of the Russian state-sponsored hacking group Seashell Blizzard, also known as Sandworm,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

New Malware Abuses Microsoft Graph API to Communicate via Outlook

A newly discovered malware, named FINALDRAFT, has been identified leveraging Microsoft Outlook as a...

Winnti Hackers Attacking Japanese Organisations with New Malware

The China-based Advanced Persistent Threat (APT) group known as the Winnti Group, also referred...

Threat Actors Exploiting DeepSeek’s Popularity to Deploy Malware

The meteoric rise of DeepSeek, a Chinese AI startup, has not only disrupted the...