Virtualized malware loaders are used by cybercrime threat actors to evade detection and analysis, according to SentinelLabs. Code virtualization rewrites the loader's logic into a custom bytecode that is executed by an interpreter embedded in the sample, so static tools see only that interpreter plus opaque bytecode rather than the actual behaviour, and each build can use a different opcode encoding, which defeats byte-pattern signatures.
This tactic has been observed as early as 2009, but virtualization appears to have become more frequent in recent years. The samples also illustrate the global nature of cybercrime threat actors. In the last 24 hours, SentinelLabs detected nearly a dozen .NET-based malware samples, some of which use virtualization for evasion and others for persistence.
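To make the evasion mechanism concrete, here is a toy stack-machine virtualizer written for this post; it is an added example, not code from SentinelLabs or from any real loader. The opcode values, the XOR masking, and the sample string (a constructed URL using a reserved example domain) are all assumptions chosen for illustration. The point it demonstrates is the one that matters to a defender: a byte-pattern search over the "protected" bytecode finds nothing, while an analyst who has recovered the interpreter's opcode table can disassemble and emulate the bytecode to get the hidden data back.

```python
"""
Toy code-virtualization demo (added example, not SentinelLabs' code).

A "protected" string is compiled into bytecode for a tiny stack VM. The
host program ships only the interpreter and the bytecode, so a static
scanner looking for the string sees nothing; an analyst-written
disassembler/emulator recovers it once the opcode table is known.
"""

# Arbitrary opcode numbers (assumption for the example). A real
# virtualizer randomises these per build, which is why signatures written
# against one sample's bytecode do not carry over to the next.
OP_PUSH, OP_XOR, OP_EMIT, OP_HALT = 0x1B, 0x3E, 0x77, 0xA9


def virtualize(secret: bytes, key: int) -> bytes:
    """'Protect' a byte string: emit bytecode that rebuilds it at run time.
    Every byte is stored XOR-masked and unmasked by the VM on the stack."""
    code = bytearray()
    for ch in secret:
        code += bytes([OP_PUSH, ch ^ key, OP_PUSH, key, OP_XOR, OP_EMIT])
    code.append(OP_HALT)
    return bytes(code)


def run_vm(code: bytes) -> bytes:
    """The interpreter embedded in the 'loader'. Static analysis of the host
    binary sees only this generic dispatch loop plus an opaque byte blob."""
    stack, out, pc = [], bytearray(), 0
    while True:
        op = code[pc]
        pc += 1
        if op == OP_PUSH:
            stack.append(code[pc])
            pc += 1
        elif op == OP_XOR:
            b, a = stack.pop(), stack.pop()
            stack.append(a ^ b)
        elif op == OP_EMIT:
            out.append(stack.pop())
        elif op == OP_HALT:
            return bytes(out)
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {pc - 1}")


def static_signature_hit(blob: bytes, needle: bytes) -> bool:
    """What a naive static scanner does: a plain byte-pattern search."""
    return needle in blob


def disassemble(code: bytes) -> list:
    """Analyst's first recovery step: once the opcode table is known, the
    bytecode can be listed as instructions instead of opaque bytes."""
    names = {OP_XOR: "XOR", OP_EMIT: "EMIT", OP_HALT: "HALT"}
    listing, pc = [], 0
    while pc < len(code):
        op = code[pc]
        pc += 1
        if op == OP_PUSH:
            listing.append(f"PUSH {code[pc]:#04x}")
            pc += 1
        else:
            listing.append(names.get(op, f"DB {op:#04x}"))
    return listing


# Constructed sample string using a reserved example domain; the file name
# "dwdata.exe" is the one quoted in the text above.
SECRET = b"http://example.invalid/dwdata.exe"
BYTECODE = virtualize(SECRET, key=0x5A)

if __name__ == "__main__":
    print("bytecode length:", len(BYTECODE))
    print("static search finds URL:", static_signature_hit(BYTECODE, SECRET))
    print("static search finds 'dwdata':", static_signature_hit(BYTECODE, b"dwdata"))
    print("first instructions:", disassemble(BYTECODE)[:4])
    print("emulation recovers:", run_vm(BYTECODE))
```

The takeaway for detection engineering is that signatures on virtualized samples should target the interpreter's dispatch loop or runtime behaviour (the network request, the process creation) rather than the bytecode, because the bytecode changes with every build while the observable actions do not.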
The prevalence of .NET malware on various hosting services underscores the framework's appeal to cybercriminals: it is stable, widely installed, and well understood by these actors. With regular updates that keep it compatible with patched systems, Microsoft's .NET Framework gives criminals a convenient platform on which to build and deploy malware that runs on the many machines where the runtime is already present.
Three types of .NET malware were found within a 24-hour period. All of them use virtualization and share several features. The three types are:
Metasploit-based payloads that download a malicious binary from the internet and then use their own HTTP server for persistence. When executed, the payload requests the file "dwdata.exe" with its own POST request.
Payload-based binaries that receive instructions from a remote server. When executed, they (1) copy a fake executable to the system, (2) create a new process, and (3) overwrite system information through Windows API calls.
Finally, exploit-based binaries, which use Metasploit's payload service to download and execute malware when run.
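The first family above fetches its second stage with a POST request for "dwdata.exe", which is a usable network indicator: software updaters fetch executables with GET, so a POST whose response is a Windows executable is unusual on its own, and the file name is a concrete IOC. The triage rule below is an added example written for this post, not SentinelLabs' detection logic. The proxy log format (timestamp, client IP, method, URL, status, response content type, bytes) and the log lines themselves are constructed for the example; the only value taken from the text is the file name.

```python
"""
Triage rule for POST-fetched executables (added example, not from the
original post). Log format and sample lines are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional, List

# Indicator quoted in the text above; everything else in this rule is generic.
KNOWN_FILENAMES = {"dwdata.exe"}

# Content types that identify a Windows PE download. application/octet-stream
# is deliberately left out: it is common on legitimate POST responses and
# would make the rule noisy.
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}

# Assumed proxy log layout: ts src method url status content-type bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$"
)


@dataclass
class Hit:
    src: str
    url: str
    reasons: tuple


def parse(line: str) -> Optional[dict]:
    """Return the log fields as a dict, or None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate(rec: dict) -> Optional[Hit]:
    """Apply the two checks to one parsed record."""
    reasons = []
    path = rec["url"].split("?", 1)[0]
    name = path.rsplit("/", 1)[-1].lower()

    # Check 1: the file name is a known indicator. Fires even on a failed
    # fetch (e.g. 404), because the attempt itself is the interesting event.
    if name in KNOWN_FILENAMES:
        reasons.append("known-filename")

    # Check 2: a POST that successfully returned an executable. Requires a
    # 200 so that we do not alert on a blocked or missing download here.
    fetched_exe = name.endswith(".exe") or rec["ctype"].lower() in EXECUTABLE_TYPES
    if rec["method"] == "POST" and rec["status"] == "200" and fetched_exe:
        reasons.append("post-fetches-executable")

    return Hit(rec["src"], rec["url"], tuple(reasons)) if reasons else None


def scan(lines) -> List[Hit]:
    """Run the rule over an iterable of raw log lines; unparseable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        hit = evaluate(rec)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log. IPs and hosts use documentation/reserved ranges.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://cdn.example.com/app/update.json 200 application/json 1024",
    "2024-01-01T10:00:02Z 10.0.0.5 POST http://198.51.100.7/dwdata.exe 200 application/x-msdownload 241664",
    "2024-01-01T10:00:03Z 10.0.0.9 GET http://downloads.example.com/tool.exe 200 application/x-msdownload 5000",
    "2024-01-01T10:00:04Z 10.0.0.9 POST http://api.example.com/v1/report 200 application/json 300",
    "2024-01-01T10:00:05Z 10.0.0.11 POST http://203.0.113.4/files/loader.bin 200 application/x-msdownload 100000",
    "2024-01-01T10:00:06Z 10.0.0.11 POST http://203.0.113.4/dwdata.exe 404 text/html 120",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.src} -> {h.url}: {', '.join(h.reasons)}")
```

Note what the sample exercises: the GET of tool.exe is not flagged (ordinary updater behaviour), the POST for loader.bin is flagged purely on the content type even though the name hides the file type, and the failed POST for dwdata.exe is still flagged on the name alone.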
Source: .NET Virtualization Thrives in Malvertising Attacks - AlienVault - Open Threat Exchange