By: Shaul Vilkomir-Preisman
FormBook is an info-stealer which first appeared on the scene as early as 2016. This malware has been marketed in underground hacking forums as having elaborate evasion capabilities and a powerful credential harvesting mechanism at a relatively low price. Since its creation FormBook has been widely used in malicious spam campaigns to infect victims and steal their credentials in multiple attack waves.
In recent days FormBook has been reported as showing an uptick in activity. As part of the recent wave of attacks, Deep Instinct prevented FormBook attacks targeting customers in the retail and hospitality sectors in North America. However, threat intelligence suggests the campaign is not limited to that geography.
Analysis of a recent sample from this attack led to the discovery of a new malware-friendly file hosting service, used by threat actors as a point of distribution for their malware, something which is naturally frowned upon by legitimate file hosting/sharing providers. These types of services vary widely in their quality and their ability to remain active over long periods of time and be used repeatedly by multiple threat actors. Therefore, we’re happy to shed light on what we believe to be a new malware hosting service that could be used in other campaigns as well.
As with many information stealing and credential harvesting malware, FormBook’s infection chain starts with a phishing Email containing a malicious attachment, which is usually an Office document or a PDF file.
In this specific attack wave, initial infection is carried out by means of a malicious RTF document, which exploits several vulnerabilities in Microsoft Office (CVE-2012-0158 – Office ActiveX Vulnerability, CVE-2017-11882 – the popular Equation Editor Vulnerability).
Once a victim opens the malicious RTF and the exploit chain is carried out, Office’s equation editor (EQNEDT32.exe) will contact a bit.ly short URL (most likely used to evade URL filtering) and obtain a redirection to the actual malware payload, which is dropped onto the victim machine in the root of the user’s profile directory as \%USERPROFILE%\3.exe.
Once this payload is dropped and executed by EQNEDT32.exe, it will copy itself to \%APPDATA%\Roaming\<5-letter-string>\tysogn.exe and write an auto-run entry in the registry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\, thereby achieving persistence and boot-survival on the infected machine.
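The infection chain above leaves three observable artifacts a defender can look for: the Equation Editor process spawning or writing an executable, an executable landing in a short random-named directory under %APPDATA%\Roaming, and a Run-key value pointing at that executable. The following is an added example (not Deep Instinct’s code and not derived from the sample itself) that encodes those three behaviours as checks over constructed, Sysmon-style events. The event field names, the “4 to 8 letters” directory heuristic, the user name `victim` and the directory name `qwert` are all assumptions made for the example; the only values taken from the write-up are EQNEDT32.exe, 3.exe, tysogn.exe and the Run key.

```python
"""Detection checks for the FormBook infection chain described in the write-up.

Added example, not the vendor's code. Events are constructed, Sysmon-like
dictionaries; field names and sample paths are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Registry key named in the write-up (as a lower-cased substring for matching).
RUN_KEY_FRAGMENT = r"\software\microsoft\windows\currentversion\run"


@dataclass
class Event:
    kind: str                      # "process", "file" or "registry"
    fields: dict = field(default_factory=dict)


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.strip('"').replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_appdata_exe(path: str) -> bool:
    """True for <profile>\\AppData\\Roaming\\<short random dir>\\<name>.exe.

    The write-up reports a 5-letter directory; the 4-8 letter range is an
    assumed heuristic to tolerate small variations.
    """
    return re.search(r"\\appdata\\roaming\\[a-z]{4,8}\\[^\\]+\.exe$", _norm(path)) is not None


def check_event(ev: Event) -> list:
    """Return a list of alert strings for one event (empty when benign)."""
    alerts = []
    f = ev.fields
    if ev.kind == "process":
        # Equation Editor should not normally launch other programs.
        if _basename(f.get("parent_image", "")) == "eqnedt32.exe":
            alerts.append("equation-editor-spawn: " + f.get("image", ""))
    elif ev.kind == "file":
        target = f.get("target", "")
        # Equation Editor writing an executable (payload drop).
        if _basename(f.get("image", "")) == "eqnedt32.exe" and _norm(target).endswith(".exe"):
            alerts.append("equation-editor-drop: " + target)
        # Executable copied into a short random-named directory under Roaming.
        if is_appdata_exe(target):
            alerts.append("appdata-exe-drop: " + target)
    elif ev.kind == "registry":
        key, data = _norm(f.get("key", "")), f.get("data", "")
        # Run-key value pointing at the AppData executable (persistence).
        if RUN_KEY_FRAGMENT in key and is_appdata_exe(data):
            alerts.append("run-key-persistence: " + data)
    return alerts


def scan(events) -> list:
    """Run every event through check_event and flatten the alerts."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample events (not real telemetry from the campaign).
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [
    Event("process", {"parent_image": EQN, "image": r"C:\Users\victim\3.exe"}),
    Event("file", {"image": EQN, "target": r"C:\Users\victim\3.exe"}),
    Event("file", {"image": r"C:\Users\victim\3.exe",
                   "target": r"C:\Users\victim\AppData\Roaming\qwert\tysogn.exe"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tysogn",
                       "data": r"C:\Users\victim\AppData\Roaming\qwert\tysogn.exe"}),
    # Benign activity that must not alert:
    Event("process", {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                      "image": r"C:\Windows\splwow64.exe"}),
    Event("registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                       "data": r"C:\Program Files\Vendor\updater.exe"}),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events, the script raises exactly four alerts, one per stage of the chain (Equation Editor spawn, Equation Editor drop, AppData copy, Run-key entry), and stays silent on the two benign events. In practice the same checks map directly onto Sysmon event IDs 1, 11 and 13, and the Equation Editor parent/child rule alone is a strong signal because EQNEDT32.exe has no legitimate reason to spawn processes or write executables.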
FormBook will then proceed with its main task: stealing as much information as possible, with a focus on account access, user names and passwords. It will scan the system for stored passwords in browsers and in various other applications, such as Email and FTP clients, that may be installed on the machine, and send the stolen information back to its C2 server. It will also take screenshots of the victim’s desktop and upload them to its C2, and it monitors all browsers for user-typed passwords, which it grabs as well. Finally, it acts as a keylogger and maintains a log of the user’s keystrokes.
DropMyBin – A new Malware-Friendly Hosting Service
During the analysis of this attack, the domain from which the malicious payload was dropped (files.dropmybin[.]me) immediately caught our eye, and sent us crawling through known cybercrime forums, where we found the following post, which had been published only several days earlier:
This discovery led us to investigate the mentioned domain and service. While the “advertised service” website’s domain is dropmyb[.]in and not dropmybin[.]me, uploading a file to dropmyb[.]in clearly reveals the connection: the uploader is provided with a link to the file on files.dropmybin[.]me. Both dropmyb[.]in and dropmybin[.]me were registered on Jan. 17th and Jan. 19th respectively, and both employ Cloudflare, a reverse-proxy provider whose services are quite popular with various threat actors, to hide their real IP addresses from the world. Both have recently been documented by various threat trackers as sources of malware infection.
A particular point of interest arises when one examines DropMyBin’s FAQ page, which seems to hint that this “File sharing” service is operated by individuals based in Russia. While the page declares that no malware should be uploaded, it clearly states that all abuse claims should be made to the “appropriate law enforcement agency”, as the operators are not qualified or trained to investigate and fight crimes. Seems like an invitation to upload, and direct traffic to, whatever one likes…
Our analysis indicated that various other currently active spyware families, such as Lokibot and Azorult, have already been hosted on the service, within a matter of days. Relevant indicators of compromise can be found in the “Additional IOCs” section.
FormBook, with its extensive collection and harvesting capabilities, is back in the game. This time around, it’s using a new malware-friendly file hosting service, which seems to be quickly gaining popularity among other threat actors. We strongly suggest employing a zero-trust policy with respect to the DropMyBin service until further information becomes available. Additionally, some of the droppers and payloads are not detected by a large number of security solutions, hence we’ve provided a list of all IOCs currently available to us.
All discovered droppers and payloads are prevented by Deep Instinct’s advanced Deep Learning based solution.
Malware Hosting Service:
FormBook C2 infrastructure