The PDF and DOC/XLS campaigns primarily impacted the United States, and the Archive campaigns largely impacted the United States and South Korea.

FormBook Overview

FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016. Figure 1 and Figure 2 show the online advertisement for the malware.

Figure 1: FormBook advertisement

Figure 2: FormBook underground pricing

The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shut down and reboot the system, and steal cookies and local passwords.

One of the malware's most interesting features is that it reads Windows' ntdll.dll module from disk into memory and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective. The malware author calls this technique the "Lagos Island method" (allegedly originating from a userland rootkit with this name). It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence.

The malware author does not sell the builder, but only sells the panel, and then generates the executable files as a service.

Capabilities

FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include:

- Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests
- Grabbing passwords from browsers and email clients

FormBook can receive the following remote commands from the C2 server:

- Collect passwords and create a screenshot

The C2 domains typically leverage less widespread, newer generic top-level domains (gTLDs) such as. The C2 domains used for this recently observed FormBook activity have been registered using the WhoisGuard privacy protection service. The server infrastructure is hosted on BlazingFast.io, a Ukrainian hosting provider. Each server typically has multiple FormBook panel installation locations, which could be indicative of an affiliate model.

Our analysis in this blog post is based on the following representative sample:

The malware is a self-extracting RAR file that starts an AutoIt loader. The AutoIt loader compiles and runs an AutoIt script. The script decrypts the FormBook payload file, loads it into memory, and then executes it.
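The randomised persistence described above (path, filename, extension and registry key all change between installs) defeats fixed-name indicators, so triage has to look at what each autostart entry points to rather than at known names. The following PowerShell script is an added example, not code from the FireEye post: it enumerates the standard Run/RunOnce keys (an assumption; the post does not name the keys FormBook uses) and flags entries whose target has a non-standard extension, lives in a user-writable directory, or no longer exists on disk.

```powershell
# Added triage example (not from the original post). Audits the common
# autostart keys and reports entries that look like randomised persistence.
# The key list and the heuristics below are assumptions for triage, not
# FormBook signatures; review every hit manually.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ExpectedExt  = '.exe', '.cmd', '.bat', '.lnk'
# Directories a non-admin user can write to; legitimate autostarts rarely live here.
$UserWritable = [regex]'(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\'

function Get-TargetPath([string]$Command) {
    # Strip surrounding quotes and any arguments; keep only the executable path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $target  = Get-TargetPath ([string]$prop.Value)
        $ext     = [System.IO.Path]::GetExtension($target).ToLower()
        $reasons = @()
        if ($ExpectedExt -notcontains $ext)         { $reasons += "extension '$ext'" }
        if ($UserWritable.IsMatch($target))         { $reasons += 'user-writable directory' }
        if (-not (Test-Path -LiteralPath $target))  { $reasons += 'target missing on disk' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Value   = $prop.Name
                Target  = $target
                Reasons = $reasons -join ', '
            }
        }
    }
}
```

Run it from an elevated prompt so the HKLM keys are readable; a clean host normally returns nothing, and any output is a starting point for checking the target file's hash and signer.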