MalVirt / KoiVM Downloader Variant

By: Jason Reaves

Recently, SentinelOne released a report on a loader they named MalVirt[1], which had previously been described as KoiVM[2]. Both reports describe the loader as a dropper that carries its payloads on board in encoded form. I was researching an interesting .NET loader that was being misclassified as the various things it delivered; even the Emerging Threats Suricata rule written for it was named after one of its deliveries. Some communities refer to it as ATLoader, LuminosityLink, AgentTesla, RedLine or FormBook, all of which are simply payloads the loader was delivering. Dropping versus downloading is an important distinction, but the difference in functionality doesn't imply two different loaders; it could just be an option that is available in the same loader.

The obfuscated strings and the virtualization in these samples are very similar to what the SentinelOne report describes, but instead of dropping the malware these versions download their payloads.

Base64-encoded data found in the sample (the first value is the AES key, the rest are the encrypted strings):

+gETkRUL6ujhIimK7XKgUSCuuh5whl6p8OlSdDE85sE=
/ZLKYixM+7HlZIRp274d/g==
PAiOzHsKY8UX5aopf5y5Cg==
ps63alRimYLTJEqq+9Jl+A==
VW2hnWtOwomaqoaDDFvliA==
A/LFotqVT1oEi7cdF4+r1A==
/SEem1Gq5/zFx/wT8hSedQ==
NYWpcTQeeL5TIs/dsIdnKQ==
GLBlLJBgBgyo/x82HKDIfA==

Strings are encoded the same way as in the SentinelOne report, with one noticeable addition: the amsi.dll and AmsiScanBuffer strings.

>>> import base64
>>> from Crypto.Cipher import AES
>>> key = base64.b64decode('+gETkRUL6ujhIimK7XKgUSCuuh5whl6p8OlSdDE85sE=')
>>> t = ['/ZLKYixM+7HlZIRp274d/g==', 'PAiOzHsKY8UX5aopf5y5Cg==', 'ps63alRimYLTJEqq+9Jl+A==', 'VW2hnWtOwomaqoaDDFvliA==', 'A/LFotqVT1oEi7cdF4+r1A==', '/SEem1Gq5/zFx/wT8hSedQ==', 'NYWpcTQeeL5TIs/dsIdnKQ==', 'GLBlLJBgBgyo/x82HKDIfA==']
>>> aes = AES.new(key, AES.MODE_ECB)   # 32-byte key, AES-256 in ECB mode (no IV); the trailing bytes are PKCS#7 padding
>>> for enc in t:
...     aes.decrypt(base64.b64decode(enc))
...
b'amsi.dll\x08\x08\x08\x08\x08\x08\x08\x08'
b'AmsiScanBuffer\x02\x02'
b'185.17.0.79\x05\x05\x05\x05\x05'
b'Invoke\n\n\n\n\n\n\n\n\n\n'
b'EntryPoint\x06\x06\x06\x06\x06\x06'
b'Load\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
b'Assembly\x08\x08\x08\x08\x08\x08\x08\x08'
b'GetType\t\t\t\t\t\t\t\t\t'

Other versions encrypt only some of their strings; the rest are merely broken up with '$' characters (strip every '$' and the plaintext remains). From sample 36ce3b9ec0b50fcc219b1f1272363b8d3542b4afc3229e0251f58d9b27fb74e1:

$$$am$si$.dll$$$
$$$Am$siS$can$Buffer$$$
$$$185.17$.0.79$$$
$$$6666$$$
$$$get_$$$
$GUID$
Wydad
$$$Load$$$
$$$get_EntryPoint$$$
$$$Invoke$$$

The strings that are encrypted are decrypted in the same manner as in the other sample:

>>> import base64
>>> from Crypto.Cipher import AES
>>> key = base64.b64decode('19rzeoCF9nCeFxhG8zD0huZxe1NmOGGaQHlUWd82FyA=')
>>> t = ['l/8uvyu16bM2iDr7EesNSw==', 'JoQsQ+OPKuNXKJSc0x3/8A==', 'BaN5NLHCsZPrlz+lB5DVxA==', 'uZoEajZuQ2xga50kC8feWg==', 'p9qgKnBKKxA1nup55W0Nng==', '2QHSnnb36Avjf7+jBcu5TQ==', 'cZKQWFK3NQUq5E+hq12LLw==', 'x+Jx1EJE4s3d38HNDTHbCw==']
>>> aes = AES.new(key, AES.MODE_ECB)   # same scheme: AES-256-ECB, PKCS#7 padding left in place
>>> for enc in t:
...     aes.decrypt(base64.b64decode(enc))
...
b'amsi.dll\x08\x08\x08\x08\x08\x08\x08\x08'
b'AmsiScanBuffer\x02\x02'
b'185.17.0.79\x05\x05\x05\x05\x05'
b'6666\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
b'get_\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
b'Load\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
b'get_EntryPoint\x02\x02'
b'Invoke\n\n\n\n\n\n\n\n\n\n'
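The two recovery steps shown above (AES decryption of the base64 blobs and stripping the '$' filler) combined into one small string-recovery helper that also removes the PKCS#7 padding left on the raw decrypts. This is an added example, not the author's tooling or code from the loader; it assumes pycryptodome for the AES part (imported lazily so the rest works without it) and that the padding is PKCS#7, which is what the trailing bytes above show. The key, ciphertexts and '$'-padded strings it operates on are the ones printed on this page.

```python
import base64

# Inputs taken from the page above: the second sample's key, three of its
# AES-encrypted strings, and some of its '$'-padded strings.
KEY_B64 = "19rzeoCF9nCeFxhG8zD0huZxe1NmOGGaQHlUWd82FyA="
AES_STRINGS_B64 = [
    "l/8uvyu16bM2iDr7EesNSw==",
    "JoQsQ+OPKuNXKJSc0x3/8A==",
    "BaN5NLHCsZPrlz+lB5DVxA==",
]
DOLLAR_STRINGS = ["$$$am$si$.dll$$$", "$$$Am$siS$can$Buffer$$$", "$$$185.17$.0.79$$$", "$$$6666$$$"]


def pkcs7_unpad(data: bytes, block_size: int = 16) -> bytes:
    """Strip PKCS#7 padding (the \\x08\\x08... tails seen in the raw decrypts).

    Malformed padding raises instead of silently returning garbage, so a wrong
    key or a non-string blob is noticed rather than mislabelled as a string.
    """
    if not data or len(data) % block_size:
        raise ValueError("data length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def strip_dollars(s: str) -> str:
    """Recover a '$'-obfuscated string: every '$' is filler, the rest is the plaintext."""
    return s.replace("$", "")


def decrypt_aes_ecb_b64(key_b64: str, blob_b64: str) -> str:
    """base64 -> AES-256-ECB decrypt -> PKCS#7 unpad -> text (the scheme used above).

    Assumption for this example: pycryptodome provides Crypto.Cipher.AES.
    """
    from Crypto.Cipher import AES  # pycryptodome; imported lazily

    key = base64.b64decode(key_b64)
    if len(key) not in (16, 24, 32):
        raise ValueError("key is not a valid AES key length")
    cipher = AES.new(key, AES.MODE_ECB)
    return pkcs7_unpad(cipher.decrypt(base64.b64decode(blob_b64))).decode("utf-8")


def recover_string(key_b64: str, s: str) -> str:
    """Dispatch on the obfuscation scheme: '$'-padded literal, base64 AES blob, or plain."""
    if "$" in s:
        return strip_dollars(s)
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64 at all
        return s
    if not raw or len(raw) % 16:
        return s  # decodes, but not a whole number of AES blocks: a plain string such as 'Load'
    return decrypt_aes_ecb_b64(key_b64, s)


if __name__ == "__main__":
    for s in DOLLAR_STRINGS:
        print(f"{s!r:28} -> {recover_string(KEY_B64, s)!r}")
    try:
        for blob in AES_STRINGS_B64:
            print(f"{blob!r:28} -> {recover_string(KEY_B64, blob)!r}")
    except ImportError:
        print("pycryptodome not installed; skipping the AES-encrypted strings")
```

The dispatcher deliberately treats a string that is valid base64 but not a multiple of 16 bytes (such as 'Load') as plaintext rather than feeding it to the cipher, and lets a padding failure propagate, since that is the quickest sign that a sample uses a different key.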

Many of the more recent samples share the same compiler-generated type names (the async state machine for Main, plus the closure class holding Main's async lambdas), which makes them a handy code-level artifact for clustering:

mamaGapo.Program+<Main>d__3
mamaGapo.Program+<>c__DisplayClass3_0+<<Main>b__0>d
mamaGapo.Program+<>c__DisplayClass3_0+<<Main>b__1>d
mamaGapo.Program+<>c__DisplayClass3_0+<<Main>b__2>d
mamaGapo.Program+<>c__DisplayClass3_0+<<Main>b__3>d
mamaGapo.Program+<>c__DisplayClass3_0+<<Main>b__4>d
mamaGapo.Program+<>c__DisplayClass3_0+<<Main>b__5>d

Network

The loader simply connects to a hardcoded server over a hardcoded port (185.17.0.79 and 6666 in the strings above) and sends get_[0-9a-f]{32} to retrieve an encoded payload; the 32-character hex string is also hardcoded in the sample.

This traffic is tagged by a rule in the ET Open ruleset:

 ET MALWARE Luminosity Link Variant Payload Retrieval Request
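A minimal hunt over network flows for the request pattern just described, as an added example: it is neither the ET rule (whose body the page does not reproduce) nor the loader's own code. The flows are constructed for the example; the C2 address and port are the ones recovered from the decrypted strings above, and the regex is my reading of get_[0-9a-f]{32}.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# "get_" followed by exactly 32 lowercase hex characters, nothing else.
# fullmatch keeps an HTTP request line or a longer/uppercase token from matching.
PAYLOAD_REQUEST_RE = re.compile(rb"get_([0-9a-f]{32})")


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    first_client_bytes: bytes  # first client-to-server payload on the TCP stream


def parse_payload_request(payload: bytes) -> Optional[str]:
    """Return the 32-hex payload id if the client message is a loader request, else None."""
    m = PAYLOAD_REQUEST_RE.fullmatch(payload)
    return m.group(1).decode("ascii") if m else None


def hunt(flows: Iterable[Flow], known_c2: Optional[Set[Tuple[str, int]]] = None) -> List[Dict]:
    """Flag flows whose first client message is a payload request.

    known_c2 holds (ip, port) pairs recovered from a sample's strings; a hit to
    one of them is tagged "config-match", any other server "pattern-only", so a
    new download server still surfaces even before its config is extracted.
    """
    known_c2 = known_c2 or set()
    hits = []
    for f in flows:
        payload_id = parse_payload_request(f.first_client_bytes)
        if payload_id is None:
            continue
        tag = "config-match" if (f.dst, f.dport) in known_c2 else "pattern-only"
        hits.append({"src": f.src, "dst": f.dst, "dport": f.dport,
                     "payload_id": payload_id, "tag": tag})
    return hits


# Constructed sample flows (not real captures): a request to the C2 from the
# decrypted strings, one to an unknown server, and two near-misses.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "185.17.0.79", 6666, b"get_" + b"0123456789abcdef" * 2),
    Flow("10.0.0.7", "203.0.113.9", 4444, b"get_" + b"f" * 32),
    Flow("10.0.0.8", "185.17.0.79", 6666, b"get_" + b"F" * 32),   # uppercase hex: no match
    Flow("10.0.0.9", "198.51.100.2", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS, known_c2={("185.17.0.79", 6666)}):
        print(hit)
```

The "pattern-only" tag is the useful one for hunting: the server and port change between builds, but the request shape is what the ET rule keys on, so matching the shape first and correlating with extracted config second catches new infrastructure.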

Campaigns

This loader has been used in a variety of campaigns.

Equation Editor XLS spam:

fe8caae955cb4d57b0bd60f54e8f2add6ed8639c53cf558b535ce5164ba6df47
- Downloads: hxxp://103.232.55[.]40/OneDrive/vbc.exe
- Downloaded: 4f83f512204dd7380d39b65d458ae6ad9a720ec93a46b422a074372de1620b38

ISO delivery:

5d8c1758ff1d393e56fbe114c5e87f5720085455902592c09dc401762d5df01d

OneNote delivery:

51265a133d2c3d12f314562663feeb93f30c378b28b60821180b211e0f93fc06

References

1: https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/

2: https://labs.k7computing.com/index.php/koivm-loader-resurfaces-with-a-bang/

MalVirt / KoiVM Downloader Variant was originally published by Jason Reaves in the Walmart Global Tech Blog on Medium, February 2023.