Google Searches Poisoned by DotRunpeX to Deliver Malware Through Google Ads
Tuesday, 21 March 2023
Google searches are being poisoned by a new piece of malware known as dotRunpeX. Many people searching Google are finding that instead of being directed to their favourite sites, they are being redirected to various different malware families. Attempting to download popular software such as Microsoft Teams and Adobe Photoshop resulted in installer files that were bundled with additional malware.
This is because they have been infected with dotRunpeX. Purportedly still in active development, dotRunpeX arrives most commonly via a phishing email with a malicious attachment. Once on a system, it can be particularly difficult to remove, as it uses a number of tricks to persist in memory, and the latest versions of dotRunpeX appear to use KoiVM virtualization in an attempt to add an extra layer of obfuscation.
After successfully landing on a target machine, dotRunpeX injects ads into Google search results, targeting common software downloads and essentially replacing legitimate downloads with modified installation bundles. The malware installed from the modified dotRunpeX installation bundles covers a large number of different malware families, including Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar.
Research by Jiri Vinopal of Check Point has further revealed that dotRunpeX is capable of disabling most standard antivirus applications, coming packaged with a list of anti-malware processes to be terminated. This termination is achieved through the procexp.sys driver that is incorporated into dotRunpeX, which allows it to achieve kernel-mode execution.
It is believed that dotRunpeX is of Russian origin, as the code behind dotRunpeX includes several Russian words and phrases, such as the process name Иисус.sys, which translates to jesus.sys.
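The two indicators the article gives a defender to work with are the legitimate procexp.sys driver being loaded for anti-malware termination and the Cyrillic driver name Иисус.sys. The following script is an added example, not code from the article or from Check Point's research: it scores constructed driver-load log lines (the simple key=value format, the sample paths and the user-writable-directory heuristic are all assumptions made for this example) on three signals, a watchlisted driver name, a non-ASCII driver name, and a load from a user-writable location, so that a lone Sysinternals user loading procexp.sys from a tools folder scores low while the combinations described above score high.

```python
import re
import unicodedata
from dataclasses import dataclass

# Driver names the article reports as abused for kernel-mode AV termination.
WATCHLIST = {"procexp.sys"}

# Path fragments treated as user-writable (assumption for this example; tune to
# your environment). A driver loaded from here is suspicious on its own.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed sample telemetry in a simplified key=value line format (assumption).
# Real sources such as Sysmon driver-load events carry the same fields in XML.
SAMPLE_EVENTS = [
    "ts=2023-03-21T10:00:01Z event=driver_load image=C:\\Tools\\SysinternalsSuite\\procexp.sys",
    "ts=2023-03-21T10:02:13Z event=driver_load image=C:\\Users\\alice\\AppData\\Local\\Temp\\procexp.sys",
    "ts=2023-03-21T10:02:14Z event=driver_load image=C:\\Users\\alice\\AppData\\Local\\Temp\\Иисус.sys",
    "ts=2023-03-21T10:05:00Z event=driver_load image=C:\\Windows\\System32\\drivers\\tcpip.sys",
    "ts=2023-03-21T10:06:00Z event=process_start image=C:\\Windows\\explorer.exe",
]


@dataclass
class Finding:
    ts: str
    image: str
    score: int
    reasons: list


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; values contain no spaces by assumption."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def non_ascii_scripts(name: str) -> set:
    """Unicode script names (e.g. CYRILLIC) of any non-ASCII characters in a filename."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ord(ch) > 127}


def analyse(events) -> list:
    """Score each driver-load event; returns every event with at least one signal."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("event") != "driver_load":
            continue
        image = ev.get("image", "")
        name = image.rsplit("\\", 1)[-1]
        score, reasons = 0, []
        if name.lower() in WATCHLIST:
            score += 1
            reasons.append("driver on abuse watchlist")
        scripts = non_ascii_scripts(name)
        if scripts:
            score += 2  # a non-Latin driver filename is rare in a managed fleet
            reasons.append("non-ASCII driver name (" + ",".join(sorted(scripts)) + ")")
        if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
            score += 1
            reasons.append("loaded from user-writable location")
        if reasons:
            findings.append(Finding(ev.get("ts", ""), image, score, reasons))
    return findings


def high_confidence(findings, threshold: int = 2) -> list:
    """Keep only findings where signals combine, filtering the lone watchlist hit."""
    return [f for f in findings if f.score >= threshold]


if __name__ == "__main__":
    for f in high_confidence(analyse(SAMPLE_EVENTS)):
        print(f"{f.ts} score={f.score} {f.image}: {'; '.join(f.reasons)}")
```

The threshold is deliberately a parameter: a watchlist hit alone is what every Process Explorer user generates, so it is logged but not alerted, while the same driver appearing under a Temp directory, or any driver with a Cyrillic filename, crosses the line on its own combination of signals.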