Formbook infostealer

Original Issue Date:- February 10, 2023
Virus Type:- infostealer
Severity:- Medium

It has been reported that a new malware named "Formbook" is currently targeting users with its malicious activity, enabling attackers to infiltrate compromised systems, engage in suspicious activities, and extract sensitive information.

This nefarious activity is achieved through the downloading of malicious attachments from emails, with malicious spam being frequently disseminated via macro-enabled Office documents.

Infection Mechanism:

Formbook, in addition to its keylogging, screenshot theft, and credential theft capabilities, can also be used to stage additional malware, making it a versatile info-stealer malware.

A cluster of virtualized .NET malware loaders, known as MalVirt, has been detected in malvertising attacks. These loaders employ obfuscated virtualization techniques to prevent analysis and evasion and utilize the Windows Process Explorer driver to terminate processes.

MalVirt loaders are currently delivering malware from the Formbook. To conceal genuine C2 traffic and elude network monitoring, the malware communicates with various random decoy C2 servers hosted on different platforms, such as Azure, Tucows, and Namecheap.

Noteworthy is the fact that the loaders employ digital signatures that seemingly carry the imprimatur of authenticity, given their utilization of signatures and countersignatures from well-regarded companies like Microsoft, DigiCert, Sectigo etc. Yet, by thorough examination, it becomes evident that these signatures lack validity.

Fig: A digital signature of a MalVirt sample (Source: SentinelLabs)


As a result of Microsoft's default blocking of Office macros in documents from the Internet, threat actors have begun employing alternative methods for distributing malware, including malvertising, Windows Shortcuts (LNK files), and ISO files. Consequently, there has been a notable increase in such attacks.

Indicator of Compromise:

SHA1:

  • 15DB79699DCEF4EB5D731108AAD6F97B2DC0EC9C : MalVirt loader sample
  • 655D0B6F6570B5E07834AA2DD8211845B4B59200 : 0onfirm .NET assembly

Domains:

  • www.togsfortoads[.]com
  • www.popimart[.]xyz



For more detailed list of IoC, kindly refer the below URL:

Removal tools:

CSK Free Bot Removal Tool (FBRT) utility may be used to detect and remove specific malware/viruses from your affected Windows digital devices.


Countermeasures:

  • Do not download and install applications from untrusted sources [offered via unknown websites/ links on unscrupulous messages]. Install applications downloaded from reputed application market only. Users must be aware while clicking on links during web search
  • Update software and operating systems with the latest patches. Outdated applications and operating systems are the targets of most attacks.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
  • Install ad blockers to combat exploit kits such as Fallout that are distributed via malicious advertising.
  • Prohibit external FTP connections and blacklist downloads of known offensive security tools.
  • All operating systems and applications should be kept updated on a regular basis. Virtual patching can be considered for protecting legacy systems and networks. This measure hinders cybercriminals from gaining easy access to any system through vulnerabilities in outdated applications and software. Avoid applying updates / patches available in any unofficial channel.
  • Restrict execution of Power shell /WSCRIPT in an enterprise environment. Ensure installation and use of the latest version of PowerShell, with enhanced logging enabled. Script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
  • Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
  • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.
  • Users are advised to disable their RDP if not in use, if required, it should be placed behind the firewall and users are to bind with proper policies while using the RDP.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Consider encrypting the confidential data as the ransomware generally targets common file types.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.

References: