Threat actors have been leveraging the new dotRunpeX malware injector to facilitate the deployment of several malware families, The Hacker News reports.
RedLine, Raccoon, Vidar, Agent Tesla, and FormBook were the malware families most commonly distributed by the .NET-based dotRunpeX injector, which has also been used to deliver LokiBot, PrivateLoader, AsyncRAT, BitRAT, and NetWire malware, according to a Check Point report.
The injector has also been associated with Russian-speaking threat actors due to the language used in its code.
Malicious Google Ads redirecting to trojanized installers for legitimate software like LastPass and AnyDesk, and phishing emails have been used to distribute the injector, the report showed.
Researchers noted that the most recent dotRunpeX injectors had leveraged the KoiVM virtualizing protector for improved obfuscation.
"Each dotRunpeX sample has an embedded payload of a certain malware family to be injected," said researchers, who added that the injector also exploits the vulnerable procexp.sys process explorer driver to achieve kernel mode execution.
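The kernel-mode step described above, loading the vulnerable but validly signed procexp.sys driver from user mode, is a bring-your-own-vulnerable-driver pattern, and it leaves a driver-load event behind. The following Python is an added example for defenders, not code from the Check Point report or from dotRunpeX: it triages Sysmon Event ID 6 (DriverLoad) records and flags loads that combine a watchlisted driver name, a non-standard load directory, or a missing signature. The watchlist contents, the expected driver directories, and every sample record are assumptions constructed for the example.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for the BYOVD pattern:
a signed but abusable driver such as procexp.sys loaded from somewhere
its legitimate owner would not load it from.

Added example; not code from the Check Point report or from dotRunpeX.
All sample records below are constructed.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Drivers that carry a valid signature but are known to be abusable from
# user mode. procexp.sys is the one named in the report above; the set is
# an assumption and should be replaced by your own curated watchlist.
VULNERABLE_DRIVER_WATCHLIST = {"procexp.sys"}

# Directories from which drivers are normally loaded (assumption: adjust
# for your environment's driver deployment practices).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signature: str


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Two or more independent indicators is the escalation threshold.
        return "high" if len(self.reasons) >= 2 else "medium"


def parse_sysmon_driver_load(record: str) -> DriverLoad:
    """Parse one Event ID 6 record rendered as 'Key: value' lines.

    Splitting on ': ' (colon plus space) keeps Windows drive letters such
    as 'C:\\' intact inside the value.
    """
    fields = {}
    for line in record.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def assess_driver_load(load: DriverLoad) -> Optional[Finding]:
    """Return a Finding when the load looks like BYOVD, else None."""
    path = PureWindowsPath(load.image)
    name = path.name.lower()
    parent = str(path.parent).lower()
    reasons = []
    # Name matching is a weak signal on its own (the driver can be renamed),
    # which is why it is combined with the location and signature checks.
    if name in VULNERABLE_DRIVER_WATCHLIST:
        reasons.append(f"{name} is on the vulnerable-driver watchlist")
    if not parent.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from non-standard directory {parent}")
    if not load.signed:
        reasons.append("driver is unsigned")
    return Finding(load.image, reasons) if reasons else None


def triage(records: list) -> list:
    """Parse and assess a batch of records; returns only the findings."""
    findings = []
    for record in records:
        finding = assess_driver_load(parse_sysmon_driver_load(record))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    """Event ID: 6
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Signed: true
Signature: constructed-publisher""",
    """Event ID: 6
ImageLoaded: C:\\Users\\Public\\procexp.sys
Signed: true
Signature: constructed-publisher""",
    """Event ID: 6
ImageLoaded: C:\\ProgramData\\update\\helper.sys
Signed: false
Signature: none""",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.image}: " + "; ".join(f.reasons))
```

Run it as-is to see the two constructed suspicious loads scored high while the in-place tcpip.sys load produces no finding. In production the same three checks map onto a SIEM rule over Sysmon Event ID 6; the watchlist is the part that needs curating, since a validly signed driver passes signature checks by design and only its known-abusable status distinguishes it.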
While 427,000 Fortinet devices running FortiOS, FortiProxy, FortiSwitchManager, and FortiPAM versions remain impacted by the critical CVE-2024-23113 flaw, another 62,000 FortiManager instances remain susceptible to attacks leveraging the CVE-2024-47575 bug, also known as FortiJump.
Initial access to the targeted SharePoint server through the flaw was leveraged to breach a Microsoft Exchange service account with elevated privileges, deploy the Huorong Antivirus, and install Impacket, resulting in the deactivation of legitimate antivirus systems and lateral movement.
Other Linux-based network devices may have also been targeted by Pygmy Goat, as indicated by its utilization of a fake Fortinet certificate, a pair of remote shells, and several communication wake-up techniques.