Formbook campaign with what looks like a few changes. Recently the criminals distributing this malware have been using .exe files inside various forms of an archive, including .iso, .ace, .rar. , zip.
Frequently they use various Microsoft Office Equation Editor exploits to contact a remote site & download the payload. Very occasionally I have seen Macros used.
Today, they are still using CVE-2017-11882 Equation Editor Exploit in malformed RTF word docs to deliver the malware. But the method has slightly changed with a massive 2mb word doc that when opened only displays a couple of words and a small empty box.
Capabilities – Formbook
FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include:
- Key logging
- Clipboard monitoring
- Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
- Grabbing passwords from browsers and email clients
FormBook can receive the following remote commands from the CnC server
- Update bot on host system
- Download and execute file
- Remove bot from host system
- Launch a command via ShellExecute
- Clear browser cookies
- Reboot system
- Shutdown system
- Collect passwords and create a screenshot
- Download and unpack ZIP archive
Behavior of this Campaign
It has various behaviors like, persistence, Process Injection, Packer, Function Hooks, Startup, Beaconing. If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.
1.) Formbook was detected
2.) Loads dropped or rewritten executable
3.) Stealing of credential data
4.) Changes the autorun value in the registry
5.) Actions looks like stealing of personal data
6.) Application was dropped or rewritten from another process
7.) Connects to CnC server
8.) Equation Editor starts application (CVE-2017-11882)
9.) Executable content was dropped or overwritten
10.) Starts application with an unusual extension
11.) Application launched itself
12.) Reads the machine GUID from the registry
Indicators of Compromise
Main object- "Payment.doc"
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\sqlite3.dll Hash 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660