Formbook's Latest Phishing Campaign and Its Evasion Methods


Summary
Seqrite Lab recently observed a phishing campaign delivering Formbook Stealer via email attachments. Formbook, an information stealer first seen in 2016, has undergone significant evolution, incorporating advanced stealth features and evasion techniques. Sold on hacking forums as Malware as a Service, multiple variants have emerged.
While the evasion techniques remain consistent, the malware now employs multiple layers before delivering the final payload, which is executed solely in memory to evade detection. Similar to other variants, this one utilizes steganography to conceal malicious files within images, decrypting them for in-memory execution.
Technical Detail
This variant follows a three-stage process before activating the final payload:
Stage 1: Purchase Order.exe/XXXI.exe
Stage 2: Arthur.dll
Stage 3: Montero.dll
Final payload: MASM
The attack begins with a spear-phishing email that includes a purchase order and an attachment in the form of a ZIP file. After extracting the archive, it reveals a single PE file, PurchaseOrder.exe, which is a .NET compiled binary.
This variant conceals the stage 2 and stage 3 malware within the resources of PurchaseOrder.exe, using the resource name "Hkyl," as shown in the image below.
It then performs XOR decryption on the encrypted resource data and executes the stage 2 DLL, Arthur.dll, loading it into memory and calling it through InvokeMember(). Once loaded, it calls MainForm.Justy() from the stage 2 PE file to retrieve the stage 3 PE file. This function decrypts an image using a key provided as an argument, then extracts the red, green, and blue values from each non-transparent pixel to form a byte array. When this array is XORed with the value (bao) passed in during stage 2, it reveals the stage 3 payload, Montero.dll. This DLL is then loaded into memory using the Assembly.Load method.
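The stage 2 to stage 3 unpacking described above, reconstructed as an added analyst example (this is not code from the Seqrite writeup or from the malware). The image decryption step is omitted because the writeup does not describe its cipher; the three RGBA pixels and the XOR key below are constructed for the demo and stand in for the real image and for the value the loader passes to MainForm.Justy(). The same repeating-key XOR helper covers the stage 1 resource decryption.

```python
"""Reconstruction of the image-to-payload step (added example, not the
writeup's code). Pixels are plain RGBA tuples so the script runs offline;
with Pillow the same list is obtained via
list(Image.open(path).convert("RGBA").getdata())."""


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The loader uses this both for the stage 1 resource
    blob and for the RGB array in stage 3; with a fixed key decode == encode."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rgb_bytes_from_pixels(pixels) -> bytes:
    """Walk RGBA pixels in scan order and keep R, G, B of every pixel whose
    alpha is non-zero; fully transparent pixels are skipped, as the loader does."""
    out = bytearray()
    for r, g, b, a in pixels:
        if a == 0:
            continue
        out.extend((r, g, b))
    return bytes(out)


def extract_stage3(pixels, key: bytes) -> bytes:
    """Full stage 3 recovery: channel bytes of opaque pixels XORed with the key."""
    return xor_with_key(rgb_bytes_from_pixels(pixels), key)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check an analyst applies to the decoded buffer: a PE
    image starts with the 'MZ' DOS header signature."""
    return blob[:2] == b"MZ"


# Constructed sample (not from the real campaign): pixels 1 and 3 carry the
# first six bytes of a fake PE header XORed with SAMPLE_KEY; pixel 2 is fully
# transparent and must be ignored.
SAMPLE_KEY = b"ABC"
SAMPLE_PIXELS = [
    (0x0C, 0x18, 0xD3, 0xFF),
    (0x7F, 0x7F, 0x7F, 0x00),
    (0x41, 0x41, 0x43, 0xFF),
]

if __name__ == "__main__":
    blob = extract_stage3(SAMPLE_PIXELS, SAMPLE_KEY)
    print(blob.hex(), looks_like_pe(blob))
```

On a real sample the key is the argument observed at the MainForm.Justy() call (for example under a .NET debugger), and looks_like_pe() is the quick check that the chosen key and pixel walk order were right before handing the buffer to a PE parser.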
Payload
The payload first checks for the presence of the mutex "zpkpGXyWHvBpdzNULuLRtAzq". If the mutex is found, the payload terminates itself. Next, it verifies the Sleep flag; if enabled, it pauses to delay the execution, avoiding detection by sandboxes. Finally, it checks if the message box display flag is enabled. If so, it triggers a message box to deceive the user.
The main function of this payload is to decrypt encrypted content in the resource section using a hardcoded key, "pqDVZxpXC," revealing the final payload, a PE file that contains only one section (.text).
Once decrypted, the payload selects a target process for process hollowing based on a value ranging from 0 to 4. If the value is 4, it loads the final payload into memory using the Assembly.Load method and executes its entry point. If the value is 1, the target process for hollowing is MSBuild.exe; if the value is 2, the target process is vbc.exe; and if the value is 3, the target process is RegSvcs.exe. Otherwise, the target process defaults to the parent file itself.
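A detection angle on the hollowing stage described above, as an added example that is not part of the Seqrite writeup. It encodes the writeup's value-to-target mapping and flags process-creation events in which one of those hollowing targets is spawned by a binary outside the expected build toolchain or from a user-writable directory. The JSON event lines and the field names (image, parent_image) are constructed for the demo rather than taken from any particular sensor's schema, and the EXPECTED_PARENTS list is an assumption to tune per environment.

```python
"""Flag MSBuild.exe / vbc.exe / RegSvcs.exe launched by an unexpected parent
(added example, not the writeup's code)."""
import json
from pathlib import PureWindowsPath

# Value -> hollowing target as reported in the writeup. 0 means the loader
# hollows its own parent file; 4 means Assembly.Load in memory, no hollowing.
HOLLOW_TARGETS = {
    0: "parent file",
    1: "MSBuild.exe",
    2: "vbc.exe",
    3: "RegSvcs.exe",
    4: None,
}

# Parents that legitimately launch these .NET utilities. Assumption for the
# demo; a real deployment baselines this from its own telemetry.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Lower-cased file names of the hollowing targets that are separate processes.
TARGET_NAMES = {t.lower() for t in HOLLOW_TARGETS.values() if t and t.endswith(".exe")}


def basename(path: str) -> str:
    """File name of a Windows path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()


def from_user_writable_dir(path: str) -> bool:
    """True when the binary lives under a profile or temp directory."""
    parent_dir = str(PureWindowsPath(path).parent).lower()
    return "\\users\\" in parent_dir or "\\temp\\" in parent_dir


def is_suspicious(event: dict) -> bool:
    """A hollowing target spawned by a non-toolchain parent, or by any parent
    running from a user-writable location, is worth a look."""
    child = basename(event["image"])
    if child not in TARGET_NAMES:
        return False
    parent = basename(event["parent_image"])
    return parent not in EXPECTED_PARENTS or from_user_writable_dir(event["parent_image"])


def triage(lines):
    """Run the rule over JSON event lines; return (parent, child) pairs that fire."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious(event):
            hits.append((basename(event["parent_image"]), basename(event["image"])))
    return hits


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r'{"image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "parent_image": "C:\\Users\\alice\\Downloads\\PurchaseOrder.exe"}',
    r'{"image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe"}',
    r'{"image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\XXXI.exe"}',
    r'{"image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for parent, child in triage(SAMPLE_EVENTS):
        print(f"suspicious: {parent} -> {child}")
```

The rule deliberately does not cover value 0 (the loader hollowing its own parent file), which produces no new child process and needs memory-based detection (an unbacked executable region or a mismatch between the image on disk and the mapped image) rather than process-tree telemetry.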
Recommendations
We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the best practices given below:
The initial breach occurs via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
Consider limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.
Monitor for beaconing at the network level to detect and block data exfiltration by malware or threat actors (TAs).