Formbook campaign with what looks like a few changes. Recently the criminals distributing this malware have been using .exe files inside various forms of an archive, including .iso, .ace, .rar. , zip.
Frequently they use various Microsoft Office Equation Editor exploits to contact a remote site & download the payload. Very occasionally I have seen Macros used.
Today, they are still using CVE-2017-11882 Equation Editor Exploit in malformed RTF word docs to deliver the malware. But the method has slightly changed with a massive 2mb word doc that when opened only displays a couple of words and a small empty box.
Capabilities – Formbook
FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include:
- Key logging
- Clipboard monitoring
- Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
- Grabbing passwords from browsers and email clients
- Screenshots
FormBook can receive the following remote commands from the CnC server
- Update bot on host system
- Download and execute file
- Remove bot from host system
- Launch a command via ShellExecute
- Clear browser cookies
- Reboot system
- Shutdown system
- Collect passwords and create a screenshot
- Download and unpack ZIP archive
Behavior of this Campaign
It has various behaviors like, persistence, Process Injection, Packer, Function Hooks, Startup, Beaconing. If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.
1.) Formbook was detected
2.) Loads dropped or rewritten executable
3.) Stealing of credential data
4.) Changes the autorun value in the registry
5.) Actions looks like stealing of personal data
6.) Application was dropped or rewritten from another process
7.) Connects to CnC server
8.) Equation Editor starts application (CVE-2017-11882)
9.) Executable content was dropped or overwritten
10.) Starts application with an unusual extension
11.) Application launched itself
12.) Reads the machine GUID from the registry
Indicators of Compromise
Main object- "Payment.doc"
0d62d21657b4b9457ea2a8fe53eba2e443eeda014f012dd555971d0128f48c73
7b19505810e5f4091492718313fa0a434338601f
dd6ce4eba8b91a31ac0f2ef7ad5d0c1b
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\A.R
Hash 7ee6e33e212e08a910b92140ec61a4a746f9ca37d9aaa66f54f485c5cd52653c
sha256 C:\Users\admin\AppData\Local\Temp\sqlite3.dll Hash 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Related Read
Targetted Malware Campaigns to Steal Cookies and Passwords – FormBook
Hackers Distributing Variety of New Exploits and Malware via Microsoft Office Document Exploit Kit
