New .NET AOT malware uses scoring system to evade detection

Researchers at Howler Cell have discovered a new multi-layered malware campaign that uses .NET Ahead-of-Time (AOT) compilation to evade security tools. Because AOT produces a native binary instead of the usual intermediate language, the type and method metadata that .NET decompilers and signature-based scanners depend on is absent, which makes the samples much harder for standard security solutions to analyze. HackRead provides further coverage.

The campaign typically begins with a phishing email carrying a malicious ZIP archive. Once the archive is opened, a file named KeyAuth.exe acts as a downloader for bound_build.exe, the primary orchestrator. That executable decrypts and launches two further payloads: Crypted_build.exe, which deploys the Rhadamanthys infostealer, and Miner.exe, a loader for the XMRig cryptocurrency miner that masquerades as MicrosoftEdgeUpdater.

A key feature of this malware is its scoring system, designed to distinguish real targets from analysis environments. It awards points for signals such as RAM above 8 GB, system uptime, more than 10 files in the Documents folder, and the presence of antivirus processes such as WinDefend or Kaspersky, on the reasoning that a bare sandbox VM typically lacks these. If the total score falls below 5, the malware terminates itself rather than run where it might be observed.
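The following is an added example, not code from the Howler Cell or HackRead write-ups and not the malware's own logic: a Python reimplementation of the scoring heuristic as the article describes it, so a sandbox operator can check whether an analysis VM would cross the threshold. The article gives the RAM and Documents thresholds, the antivirus names and the self-terminate cut-off of 5; the per-signal weights, the uptime threshold of one hour, the exact process names (MsMpEng.exe, avp.exe) and the host profiles below are assumptions constructed for illustration.

```python
"""Sandbox-scoring heuristic, reimplemented for tuning analysis VMs.

Added example: only the thresholds marked "from the article" come from the
reported analysis; weights, uptime cut-off, process names and host profiles
are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# From the article: the malware self-terminates when its score is below 5.
SELF_TERMINATE_BELOW = 5

# Thresholds: RAM and Documents count are from the article; uptime is assumed.
MIN_RAM_GB = 8
MIN_DOCUMENTS_FILES = 10
MIN_UPTIME_MINUTES = 60  # assumption

# Process names: "WinDefend" and "Kaspersky" are named in the article; the
# concrete executable names are assumptions.
AV_PROCESSES = {"windefend", "msmpeng.exe", "avp.exe"}

# Assumed weight per satisfied signal (the article does not give weights).
WEIGHT = 2


@dataclass
class HostProfile:
    ram_gb: float
    uptime_minutes: float
    documents_file_count: int
    running_processes: list[str]


def score_host(host: HostProfile) -> tuple[int, list[str]]:
    """Return (score, satisfied-signal names) for a host profile."""
    satisfied: list[str] = []
    if host.ram_gb > MIN_RAM_GB:
        satisfied.append("ram")
    if host.uptime_minutes > MIN_UPTIME_MINUTES:
        satisfied.append("uptime")
    if host.documents_file_count > MIN_DOCUMENTS_FILES:
        satisfied.append("documents")
    procs = {p.lower() for p in host.running_processes}
    if procs & AV_PROCESSES:
        satisfied.append("antivirus")
    return WEIGHT * len(satisfied), satisfied


def would_run(host: HostProfile) -> bool:
    """True if the scoring check would let the payload proceed."""
    return score_host(host)[0] >= SELF_TERMINATE_BELOW


def missing_signals(host: HostProfile) -> list[str]:
    """Signals a sandbox still needs to fake to reach the threshold."""
    _, satisfied = score_host(host)
    return [s for s in ("ram", "uptime", "documents", "antivirus") if s not in satisfied]


# Constructed host profiles (not real telemetry).
REAL_WORKSTATION = HostProfile(16, 3 * 24 * 60, 240, ["explorer.exe", "MsMpEng.exe"])
STOCK_SANDBOX = HostProfile(4, 3, 0, ["explorer.exe"])
# A VM given more RAM and Defender, but freshly booted with an empty profile.
PARTIALLY_TUNED_SANDBOX = HostProfile(16, 5, 0, ["explorer.exe", "MsMpEng.exe"])


if __name__ == "__main__":
    for name, host in [("workstation", REAL_WORKSTATION),
                       ("stock sandbox", STOCK_SANDBOX),
                       ("partially tuned sandbox", PARTIALLY_TUNED_SANDBOX)]:
        score, hit = score_host(host)
        print(f"{name}: score={score} runs={would_run(host)} "
              f"missing={missing_signals(host)}")
```

The partially tuned profile is the instructive case: adding RAM and an antivirus process alone reaches only 4 under the assumed weights, so the sample would still exit. A sandbox built to observe this family has to look lived-in along several axes at once (uptime and a populated Documents folder as well as hardware and security software), which is why `missing_signals` reports what is still left to fake.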

Source: HackRead
