top of page

New DotRunpeX Malware Injector Used to Distribute Agent Tesla, Ave Maria, BitRAT, and More

The malware community is always coming up with new ways to infect our systems with malicious software. The latest is a piece of malware called dotRunpeX. This malware uses the Process Hollowing technique to inject known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar into our systems. DotRunpeX is often deployed via phishing emails that contain malicious attachments. These attachments are usually downloaders (aka loaders) that install the DotRunpeX malware onto our systems. Alternatively, the DotRunpeX malware has been known to leverage malicious Google Ads on search result pages to direct unsuspecting users to copycat sites that host trojanized installers. The latest DotRunpeX artifacts, first spotted in October 2022, add an extra obfuscation layer by using the KoiVM virtualizing protector. This makes it even more difficult to detect and remove the DotRunpeX malware. Check Point's analysis has revealed that "each dotRunpeX sample has an embedded payload of a certain malware family to be injected," with the injector specifying a list of anti-malware processes to be terminated. This means that the DotRunpeX malware is specifically designed to target anti-malware software. If you think you may have been infected with the DotRunpeX malware, you should run a full scan of your system with a trusted anti-malware program. You should also be extra vigilant about opening attachments from unknown senders and be cautious of clicking on links in search results.


bottom of page