Tuesday, February 27, 2024

Targetted Malware Campaigns to Steal Cookies and Passwords – FormBook

Security researchers from Arbornetworks and FireEye identified a Sophisticated Malware(FormBook malware) campaigns targetting Aerospace, Defense Contractor, and Manufacturing sectors around U.S. and South Korea

The Malware is highly Sophisticated and injects itself in various process memory and can record keystrokes, Clipboard Contents and HTTP Sessions. Also, it responds to commands from C&C like System reboot, download and installs applications.

Also Read Can Instagram Be Hacked Or A Hoax?

FormBook malware distributed through variety of Email campaigns

  • PDFs with download links.
  • DOC and XLS files with malicious macros
  • Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.
The Malware uses a technique called Lagos Island method which calls ntdll.dll(Windows native API) module from disk into memory and calls its exported functions directly. It also capable of Changing file path, extensions, registry key and much more.

FormBook Injection Process

It finds Explorer.exe by using Checksum and injects in explorer.exe trough API calls, once injected it selects any one of the Windows processes and launch it.

svchost.exe, msiexec.exe, wuauclt.exe, lsass.exe, wlanext.exe, msg.exe, lsm.exe, dwm.exe, help.exe, chkdsk.exe, cmmon32.exe, nbtstat.exe, spoolsv.exe, rdpclip.exe, control.exe, taskhost.exe, rundll32.exe, systray.exe, audiodg.exe, wininit.exe, services.exe, autochk.exe, autoconv.exe, autofmt.exe, cmstp.exe, colorcpl.exe, cscript.exe, explorer.exe, WWAHost.exe, ipconfig.exe, msdt.exe, mstsc.exe, NAPSTAT.EXE, netsh.exe, NETSTAT.EXE, raserver.exe, wscript.exe, wuapp.exe, cmd.exe

It has certain browser and clipboard monitoring hooks and if they find strings with following contents they will extract it.

  • pass
  • token
  • email
  • login
  • sign in
  • account
  • persistent

According to FireEye analytics with URL shortener tny.im-shortened links there were around 716 hits across 36 Countries.

It was advertised previously in various hacking forums and it costs between $29 to $299 based on the package.

Common Defence’s to stay safe

  • Don’t open the attachments that you are not expecting.
  • Patch or Update your software.
  • Use a reputable security suite.

Latest articles

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware that constantly modifies its code, making it hard to...

Anonymous Sudan Promoting New DDoS Botnet: Beware

It has come to light that a group known as Anonymous Sudan is actively...

Scattered Spider: Advanced Techniques for Launching High-Profile Attacks

Scattered Spider is a threat group responsible for attacking several organizations since May 2022...

8220 Hacker Group Attacking Linux & Windows Users to Mine Crypto

In a significant escalation of cyber threats, the 8220 Gang, a notorious Chinese-based hacker group, has intensified its attacks...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles