How Security Evading Virtualized Malware Abuses Google Ads And Infects PCs
Researchers at SentinelLabs have recently observed a family of .NET malware loaders, which they call MalVirt, that are protected with KoiVM virtualization. KoiVM replaces a program's .NET instructions with a custom bytecode that only its own virtual machine understands; the original instructions are not stored anywhere in the file. When a loader runs, the embedded virtual machine interprets that bytecode one instruction at a time, so the program's real logic only comes into existence at run time. Static analysis and signature-based anti-virus therefore see little more than a generic interpreter plus opaque data, and the malicious behaviour can only be observed once the loader is already executing. Detection has to rely on watching what the process does at run time (network, file and process activity) or on devirtualizing the bytecode, rather than on matching the code itself.
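To make the mechanism concrete, here is an added example (not SentinelLabs' code and not code from the MalVirt loaders): a toy stack-based virtual machine with its own made-up instruction set, standing in for KoiVM. The string operands are XOR-masked in the stored bytecode, so a naive signature scan of the "binary" finds none of the indicators, while a hook on the VM's host-call boundary sees the full download-then-execute behaviour as soon as the program runs. The opcode values, the XOR key, the host API names and the URL are all constructed placeholders.

```python
import struct

# Constructed instruction set for this toy VM (assumption: nothing to do with KoiVM's real encoding).
OP_PUSH_STR, OP_CALL, OP_HALT = 0x10, 0x20, 0xFF

# Host functions the virtualized program may invoke. In a real loader these would be the
# .NET APIs that fetch and launch the next stage; here they are harmless stand-ins.
HOST_API = {
    "download": lambda url: url.rsplit("/", 1)[-1],   # pretend: returns the saved file name
    "exec":     lambda path: "executed " + path,       # pretend: returns a description only
}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def assemble(program, key: int) -> bytes:
    """Encode (opcode, operand) pairs as bytecode. String operands are XOR-masked, so the
    stored program contains neither the URL nor the API names in clear text."""
    out = bytearray()
    for op, arg in program:
        out.append(op)
        if op == OP_PUSH_STR:
            enc = xor_bytes(arg.encode(), key)
            out += struct.pack("<H", len(enc)) + enc
    return bytes(out)

def run(bytecode: bytes, key: int):
    """Interpret the bytecode. Returns (final stack, behaviour trace). The trace records
    every host call, i.e. exactly what a run-time/behavioural monitor would observe."""
    stack, trace, pc = [], [], 0
    while pc < len(bytecode):
        op = bytecode[pc]
        pc += 1
        if op == OP_PUSH_STR:
            (n,) = struct.unpack_from("<H", bytecode, pc)
            pc += 2
            stack.append(xor_bytes(bytecode[pc:pc + n], key).decode())
            pc += n
        elif op == OP_CALL:
            name, arg = stack.pop(), stack.pop()     # name on top, argument beneath it
            trace.append((name, arg))
            stack.append(HOST_API[name](arg))
        elif op == OP_HALT:
            break
        else:
            raise ValueError(f"bad opcode {op:#x} at offset {pc - 1}")
    return stack, trace

def static_scan(blob: bytes, indicators) -> list:
    """Naive static signature check: which plaintext indicators occur in the blob?"""
    return [i for i in indicators if i in blob]

# Constructed sample "virtualized program": fetch a file, then execute what was fetched.
KEY = 0x5A
URL = "http://downloads.example/setup.exe"   # placeholder, not a real campaign domain
PROGRAM = [
    (OP_PUSH_STR, URL), (OP_PUSH_STR, "download"), (OP_CALL, None),
    (OP_PUSH_STR, "exec"), (OP_CALL, None),
    (OP_HALT, None),
]
BYTECODE = assemble(PROGRAM, KEY)
INDICATORS = [b"http://", b"download", b"exec", b"setup.exe"]

if __name__ == "__main__":
    print("static scan finds:", static_scan(BYTECODE, INDICATORS))   # nothing
    final_stack, behaviour = run(BYTECODE, KEY)
    print("runtime behaviour:", behaviour)                             # download, then exec
```

Two caveats carry over to the real thing. First, the interpreter and the key are necessarily present in the sample, so an analyst who locates the VM's dispatch loop can devirtualize the program offline; obfuscation raises the cost of analysis, it does not make the logic unrecoverable. Second, the point of the trace is that the loader's intent is fully visible at the host-call boundary, which is why EDR-style monitoring of process, file and network activity catches what a file signature misses.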
The campaign abuses Google Ads to place links to malicious websites at the top of Google Search results. These sites impersonate legitimate software vendors, using look-alike domain names and pages that are often near-identical copies of the genuine download pages. A user who clicks the advertised download receives a MalVirt loader instead of the expected installer. Because the sponsored result sits above the real site, the safest habit for users is to skip results carrying the "Ad" (now "Sponsored") label altogether and to navigate directly to the vendor's known domain; for organisations, alerting on executable downloads from domains that merely resemble an approved vendor is a practical complement to that advice.
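As an added example of that organisational check (this is not code from the SentinelLabs research, and the log lines, allowlist choice and all domains ending in .example are constructed for illustration), the script below reads proxy-style log lines and flags hosts whose registrable domain embeds, equals after homoglyph normalisation, or is one edit away from the brand label of an approved software vendor, while letting the genuine domains and their subdomains through.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the genuine domains for software users are expected to download.
# In production this would come from your approved-software or asset inventory.
LEGIT_DOMAINS = ["blender.org", "7-zip.org", "notepad-plus-plus.org", "audacityteam.org"]

# Characters commonly swapped in look-alike names; mapped back before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive eTLD+1: the last two labels. Assumption: no public-suffix list, so
    two-part suffixes such as co.uk are handled wrongly; adequate for this demo."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand(domain: str) -> str:
    return domain.split(".")[0]

def classify(host: str):
    """Return a reason string if the host looks like an impersonation of an
    allowlisted vendor, or None if it is the genuine site or simply unrelated."""
    host = host.lower()
    for legit in LEGIT_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return None                                   # genuine site or subdomain
    reg = registrable(host)
    label = brand(reg)
    norm = label.translate(HOMOGLYPHS)
    for legit in LEGIT_DOMAINS:
        b = brand(legit)
        if norm == b:
            return f"brand '{b}' on a different registrable domain ({reg})"
        if len(b) >= 4 and b in norm:
            return f"embeds brand '{b}' in '{label}' ({reg})"
        if levenshtein(norm, b) <= 1:
            return f"one edit away from brand '{b}' ({reg})"
    return None

def scan_log(text: str):
    """Parse '<timestamp> <user> <method> <url>' lines and return (user, host, reason) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname or ""
        reason = classify(host)
        if reason:
            hits.append((parts[1], host, reason))
    return hits

# Constructed proxy log: one genuine download, three look-alikes, one unrelated site.
LOG = """\
2023-02-01T10:00:01Z alice GET https://www.notepad-plus-plus.org/downloads/
2023-02-01T10:02:14Z bob GET https://blender3d-setup.example/Blender-3.4.1.exe
2023-02-01T10:03:55Z carol GET https://b1ender.example/download/
2023-02-01T10:05:30Z dave GET https://7-zip-dl.example/7z2201-x64.exe
2023-02-01T10:07:02Z erin GET https://www.microsoft.com/
"""

if __name__ == "__main__":
    for user, host, reason in scan_log(LOG):
        print(f"{user}: {host} -> {reason}")
```

The heuristics are deliberately loose (any domain that merely contains "blender" is flagged), because in this context a false positive costs an analyst a glance, whereas a missed loader download costs an incident. Pair the hits with domain-age lookups and with whether the downloaded file was an executable before paging anyone.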