Introduction
Formbook has been around for years. According to FireEye, Formbook has been "...advertised in various hacking forums since early 2016." My previous diary about Formbook was back in November 2019, and not much has changed since then. It is still worth documenting, though, if only to show this malware is still active and remains part of our threat landscape. Today's diary covers a Formbook infection from Thursday, June 9th 2020.
The lure
The lure for this particular infection was a malicious Excel spreadsheet. Searching through VirusTotal, I found a malware sample that I tested in my lab. The submission name was /tmp/eml_attach_for_scan/2433e76542036ab53b138a98eeda548a.file, so I don't know what the original file name was.
Initial infection
The initial infection happened immediately after I enabled macros: my lab host retrieved a Windows executable (EXE) for Formbook from hxxp://sagc[.]be/svc.exe and executed the file. See the images below for details.
Data exfiltration
Post-infection traffic was sent to several different domains using the URL patterns shown in the next image.
Data stolen by Formbook included a screenshot of my infected lab host, along with keystroke logs, application passwords, sensitive data from the browser cache, and information contained in the clipboard. This data is temporarily stored in a randomly-named folder under the infected user's AppData\Roaming directory. These artifacts are deleted after the data is exfiltrated through Formbook command and control (C2) traffic.
Indicators of Compromise (IoCs)
SHA256 hash: 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc
SHA256 hash: 9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef
Traffic from an infected Windows host: Excel macro retrieves Formbook EXE:
Formbook post-infection traffic:
Unresolved DNS queries from the infected Windows host caused by Formbook:
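As an added example (not from the diary or its author), the following Python matches the IoCs above against constructed proxy-log lines and a constructed hash list: it refangs the published download URL and flags exact URL matches as well as lower-confidence requests to the same host. The log format and the sample lines are assumptions, not data from the infection.

```python
import re
from typing import Dict, Iterable, List, Set

# IoCs copied from the diary above, in the defanged form it publishes them.
DEFANGED_URL = "hxxp://sagc[.]be/svc.exe"
SHA256_IOCS = {
    "148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc",
    "9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef",
}

# Constructed proxy-log lines (timestamp client method url status); not from the diary.
SAMPLE_LOG = """\
1594372801.101 10.0.0.12 GET http://sagc.be/svc.exe 200
1594372802.550 10.0.0.12 GET http://www.example.com/index.html 200
1594372803.004 10.0.0.33 GET http://sagc.be/other.png 404
"""

def refang(indicator: str) -> str:
    """Undo the usual defanging (hxxp, [.]) so the indicator can be compared to real logs."""
    real = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", real, flags=re.IGNORECASE)

def _host_of(url: str) -> str:
    """Lower-cased host part of a URL, with scheme and path stripped."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()

def scan_proxy_log(lines: Iterable[str], ioc_url: str) -> List[Dict[str, str]]:
    """Flag requests for the exact IoC URL, and (lower confidence) any request to its host."""
    ioc_host = _host_of(ioc_url)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        client, url = parts[1], parts[3]
        if url.lower() == ioc_url.lower():
            hits.append({"client": client, "url": url, "match": "exact-url"})
        elif _host_of(url) == ioc_host:
            hits.append({"client": client, "url": url, "match": "host-only"})
    return hits

def scan_hashes(hashes: Iterable[str]) -> Set[str]:
    """Return the SHA256 values (normalised to lower case) that appear in the IoC list."""
    return {h.strip().lower() for h in hashes if h.strip().lower() in SHA256_IOCS}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines(), refang(DEFANGED_URL)):
        print(hit)
```

A host-only hit on its own is only a lead, since the same host may serve unrelated content; the exact URL or a hash match is what confirms the download seen in this diary.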
Final words
Formbook infections work nearly the same as they did when I wrote my first diary about Formbook in October 2017. I'm surprised that I still occasionally run across a sample during my day-to-day research. An up-to-date Windows 10 host with default security settings should prevent these sorts of infection from happening. I guess it's still somehow profitable for the criminals behind Formbook to continue developing this malware. Apparently, there's no shortage of vulnerable Windows hosts for potential targets. A pcap of the infection traffic and malware samples for today's diary can be found here.
Brad, ISC Handler, Jul 10th 2020
Jul 10th 2020
Is it "purged"?
python3 oledump.py
  1:       478 'PROJECT'
  2:        65 'PROJECTwm'
  3: m     170 'VBA/Sheet 1'
  4: M    2359 'VBA/ThisWorkbook'
  5:         7 'VBA/_VBA_PROJECT'
  6:       216 'VBA/dir'
Anonymous
Jul 10th 2020
DidierStevens, ISC Handler
Jul 12th 2020