FormBook Malware Being Distributed as .NET

The FormBook malware recently detected by V3 had been downloaded to the system and executed while the user was browsing the web. FormBook is an info-stealer that aims to steal the user's web browser login credentials, keystrokes, clipboard contents, and screenshots. It targets random individuals and is usually distributed through spam emails or uploaded to compromised websites. FormBook operates by injecting itself into the memory of a running process; the injection targets are explorer.exe and arbitrary normal files in the %WinDir%\System32 folder. Before FormBook itself, which is responsible for the actual information-stealing behavior, is reached, preceding stages may be involved, including packing, obfuscation, and execution by a downloader.

The first file was distributed as a .NET executable. The malware connects to an external pastebin web service address where raw binary data has been uploaded, reads the data, and reconstructs it into a PE binary before loading it into memory. The loaded PE is a .NET DLL obfuscated with multiple conditional branches. Through this DLL, the file duplicates itself and runs the copy recursively. Afterwards, it executes AddinProcess32.exe as a child process and injects a PE into it. The injected PE is FormBook.

[Figure] Loading data by connecting to an external web address
[Figure] Executing the PE binary in memory
[Figure] Obfuscated .NET DLL

FormBook manually loads ntdll.dll into memory and calls it directly to bypass API monitoring. After applying analysis-bypassing and anti-debugging techniques, it injects code for C&C communication into a running explorer.exe process and executes it as a thread. An arbitrary normal file in the %WinDir%\System32 folder is then executed as a child process of explorer.exe, and the information to be leaked is collected. Please refer to the ASEC report and ATIP report for further details on the technique.[1][2]

[Figure] Manually loading ntdll.dll into memory
[Figure] Process list upon executing FormBook
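The execution chain described above (a file in a user-writable folder spawning AddinProcess32.exe, followed shortly by explorer.exe launching a binary from System32) can be expressed as a correlation rule over process-creation events. The following is an added example, not code from the ASEC post or from AhnLab; the event records are constructed in the style of Sysmon Event ID 1, and the field names, the 60-second window and the user-writable path list are assumptions.

```python
"""Correlate process-creation events into the FormBook-style chain described
in the post. Added example; the events below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample events (fields modelled on Sysmon Event ID 1).
# "example_tool.exe" is a placeholder: the post names no specific System32 file.
EVENTS = [
    {"t": "2023-05-01T10:00:00", "image": r"C:\Users\u\Downloads\Invoice.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"t": "2023-05-01T10:00:03",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinProcess32.exe",
     "parent": r"C:\Users\u\Downloads\Invoice.exe"},
    {"t": "2023-05-01T10:00:09", "image": r"C:\Windows\System32\example_tool.exe",
     "parent": r"C:\Windows\explorer.exe"},
    # Benign: explorer.exe launching a System32 program much later, unrelated.
    {"t": "2023-05-01T11:30:00", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
WINDOW = timedelta(seconds=60)  # assumed correlation window


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def find_chains(events, window=WINDOW):
    """Alert only on the full chain: a user-writable parent spawns
    AddinProcess32.exe, and within `window` explorer.exe spawns a System32
    binary. A lone explorer.exe -> System32 launch is normal and not flagged."""
    evs = sorted(events, key=lambda e: e["t"])
    alerts = []
    for i, e in enumerate(evs):
        if basename(e["image"]) != "addinprocess32.exe" or not in_user_writable(e["parent"]):
            continue
        t0 = datetime.fromisoformat(e["t"])
        for f in evs[i + 1:]:
            if datetime.fromisoformat(f["t"]) - t0 > window:
                break
            if (basename(f["parent"]) == "explorer.exe"
                    and "\\windows\\system32\\" in f["image"].lower()):
                alerts.append({"loader": e["parent"], "host": e["image"],
                               "stage2": f["image"], "at": f["t"]})
    return alerts
```

On the sample data the rule raises exactly one alert for the 10:00 chain and ignores the later notepad.exe launch.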

AhnLab's anti-malware software, V3, detects and responds to the FormBook malware with a variety of detection points, including file detection and behavior-based detection. Because this malware is being distributed to random individuals, users must refrain from opening attachments in emails from unknown sources and, when downloading files from websites, check that the source is trustworthy. V3 should also be kept updated to the latest version to prevent malware infection in the first place.

[File Detection]
– Downloader/Win.Agent.R528975

[Behavior Detection]
– Injection/MDP.Hollowing.M4180
– Malware/MDP.Injection.M3509

[IOC]
– 45ab0352a69644eb2305982585fa53f8
– hxxp://paste.ee/8ioDo/0
– hxxp://www.gastries.info/keb5

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post FormBook Malware Being Distributed as .NET appeared first on ASEC BLOG.

Article Link: FormBook Malware Being Distributed as .NET - ASEC BLOG