Currently, DotRunpeX malware appears to be primarily distributed through phishing emails and malicious Google Ads, presenting a significant threat to users’ systems.
A new malware that distributes multiple known malware families, including Agent Tesla, FormBook, Ave Maria, NetWire, LokiBot, Raccoon Stealer, Remcos, RedLine Stealer, Vidar, and Rhadamanthys, has been discovered by Check Point researchers.
Dubbed DotRunpeX, the malware is a new injector written in .NET that uses the Process Hollowing technique to infect systems with different malware families.
The researchers noted that DotRunpeX is being actively developed. It enters the system as a second-stage malware, usually deployed by a downloader or loader delivered through malicious attachments in phishing emails.
Additionally, it can leverage malicious Google Ads that appear in search results when unsuspecting users search for commonly used software such as LastPass and AnyDesk, redirecting them to copycat sites that deliver trojanized installers.