New FormBook Dropper Harbors Obfuscation, Persistence

silversurfer

Researchers are warning that a future data-theft attack may be brewing after discovering a new sample of the FormBook malware, with a never-before-seen dropper — i.e. a malicious file that is used in the initial infection stage and installs malware on the system.

FormBook, a browser form-stealer and keylogger, has been under active development since it popped up on hacking forums in 2016.

Just recently, researchers discovered the malware harboring the new dropper, which they said has capabilities to better achieve persistence on systems and obfuscation to avoid detection, according to Wednesday Cyberbit research exclusively shared with Threatpost.

“As these droppers evolve and constantly change, they can easily bypass anti-malware products and therefore make data theft much easier for the attackers,” Hod Gavriel with Cyberbit told Threatpost. “I see it as an evolving threat – [FormBook] keeps unveiling new tricks to avoid detection and I think new, even more sophisticated droppers will be created for it.”
 

upnorth

For FormBook malware, the initial infection process is typically an email campaign containing a malicious PDF, DOC or XLS attachment. After the victim clicks on the attachment, FormBook’s dropper typically immediately loads the malware.

However, unlike in other samples, the new dropper doesn’t merely unpack the malware, but instead installs a file that creates two post-infection processes: a Microsoft HTML Application Host (mshta.exe) and a dropper (Rhododendrons8.exe). This suggests that the malware authors are looking to achieve further persistence and obfuscation on systems, according to researchers.

Mshta.exe is used for executing HTML application files and running Visual Basic Scripts. The purpose of this script is extra persistence: it adds an obfuscated copy of the malware to the registry autorun key on the system, so it will execute as soon as Windows starts.

Mshta.exe also uses simple obfuscation in its script. For instance: “Instead of writing ‘CreateObject’, ‘CrXXteObject’ is written and ‘XX’ is later replaced with ‘ea’. This is done to prevent signature-based tools from detecting this method being in this script,” researchers said.

The second process is another dropper (Rhododendrons8.exe), which unpacks the FormBook payload. That payload is encrypted within the code section of Rhododendrons8.exe and is decrypted using two algorithms. The first algorithm is proprietary, the second is RC4 (a symmetric stream cipher) with a 256-byte key. Researchers said that these two processes unpacking the malware “is the first and currently only sample of FormBook data stealing malware we observed that achieves persistence via this method.”

After it is unpacked, “the final, non-encrypted and non-obfuscated payload of FormBook data-stealing malware never resides on the disk, only in the memory, and therefore makes detection much more difficult,” researchers said.
Great share @silversurfer (y)
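The ‘CrXXteObject’ trick described in the post above is cheap to undo before a scanner looks at the script. The following is an added example (my own code, not from the Cyberbit research, Threatpost, or the posters) that folds VBScript Replace() calls with literal arguments and then compares indicator hits on the raw and the deobfuscated text. The HTA snippet inside it is constructed to mimic the described behaviour; the registry path and file name in it are made up and are not from the real sample.

```python
"""Deobfuscate the VBScript string-substitution trick described above and
flag autorun-key writes. Added example, not code from the Cyberbit write-up;
the HTA text below is constructed to resemble the described behaviour."""
import re

# Constructed sample: NOT the real mshta script from the FormBook dropper.
# 'CrXXteObject' -> 'CreateObject' and 'RYYn' -> 'Run' are only revealed
# once the Replace() calls are evaluated.
SAMPLE_HTA = r'''
<html><head><script language="VBScript">
Execute Replace("Set sh = CrXXteObject(""WScript.Shell"")", "XX", "ea")
sh.RegWrite Replace("HKCU\Software\Microsoft\Windows\CurrentVersion\RYYn\Updater", "YY", "u"), "C:\Users\Public\svc.exe"
</script></head></html>
'''

# A VBScript string literal: double quotes, with "" as an escaped quote.
_STR = r'"((?:[^"]|"")*)"'
_REPLACE_RE = re.compile(
    r'Replace\(\s*' + _STR + r'\s*,\s*' + _STR + r'\s*,\s*' + _STR + r'\s*\)',
    re.IGNORECASE,
)


def _unquote(lit):
    return lit.replace('""', '"')


def _quote(s):
    return '"' + s.replace('"', '""') + '"'


def _eval_replace(m):
    text, old, new = (_unquote(g) for g in m.groups())
    if old == "":  # VBScript Replace() with an empty search string is a no-op
        return _quote(text)
    return _quote(text.replace(old, new))


def fold_replace_calls(script):
    """Evaluate Replace("...", "...", "...") on literal arguments until no
    such call remains, so nested calls are resolved inside-out."""
    prev = None
    while prev != script:
        prev = script
        script = _REPLACE_RE.sub(_eval_replace, script)
    return script


# Indicators a signature-based scanner would look for in the script text.
INDICATORS = {
    "CreateObject": re.compile(r"CreateObject", re.IGNORECASE),
    "WScript.Shell": re.compile(r"WScript\.Shell", re.IGNORECASE),
    "RegWrite": re.compile(r"\bRegWrite\b", re.IGNORECASE),
    "autorun key": re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE),
}


def match_indicators(script):
    return {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}


def compare(script):
    """Return (hits on the raw script, hits after folding Replace() calls)."""
    return match_indicators(script), match_indicators(fold_replace_calls(script))


if __name__ == "__main__":
    raw, deob = compare(SAMPLE_HTA)
    for name in INDICATORS:
        print(f"{name:14s} raw={raw[name]!s:5s} deobfuscated={deob[name]}")
```

On the constructed sample, ‘CreateObject’ and the Run key are missed on the raw text and found after folding, which is the whole point of the ‘XX’ trick. Only Replace() on literal arguments is handled; a script that builds strings from Chr() calls or concatenation would need the same inside-out approach with more evaluators.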
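For the second stage, the post above says the payload is RC4-decrypted with a 256-byte key after a proprietary first pass. As an added example (my own code, not the dropper's, and the proprietary pass is not modelled because nothing on the page describes it), here is the RC4 reimplementation and PE-header check an analyst would use to test candidate 256-byte key regions carved from the dropper against the encrypted blob. The key and the “payload” are constructed for the example.

```python
"""RC4 as an analyst would reimplement it to unpack a stage that is encrypted
with a 256-byte key, plus a PE-header check to tell a correct key from a
wrong one. Added example, not the dropper's code; the key and the 'payload'
are constructed, and the first, proprietary algorithm the article mentions
is not modelled because nothing on the page describes it."""


def rc4_ksa(key):
    """Key-scheduling algorithm. Key bytes are used as key[i % len(key)], so a
    256-byte key is the longest that feeds every one of the 256 rounds with a
    distinct key byte; anything longer is effectively truncated."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key, data):
    """Encrypt or decrypt (same operation): XOR data with the PRGA keystream."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob):
    """Cheap sanity check on a decrypted candidate: 'MZ' DOS header and a
    PE signature at the e_lfanew offset."""
    if len(blob) < 0x44 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\x00\x00"


def recover_payload(ciphertext, candidate_keys):
    """Try each candidate 256-byte key region (e.g. carved from the dropper's
    code section) and return (index, plaintext) for the first that yields a
    PE image, or None. The plaintext stays in memory only, as the article
    notes the real payload does."""
    for idx, key in enumerate(candidate_keys):
        plain = rc4_crypt(key, ciphertext)
        if looks_like_pe(plain):
            return idx, plain
    return None


# --- constructed test data (not from a real FormBook sample) ---------------
# Minimal fake PE image: MZ header, e_lfanew = 0x40, PE signature, filler.
FAKE_PE = (b"MZ" + b"\x00" * (0x3C - 2)
           + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\xCC" * 32)
# A 256-byte key; the real key is not published on the page.
KEY = bytes(((i * 73) + 11) & 0xFF for i in range(256))
WRONG_KEY = bytes(range(256))
# What the "encrypted payload inside the code section" would look like.
ENCRYPTED = rc4_crypt(KEY, FAKE_PE)

if __name__ == "__main__":
    hit = recover_payload(ENCRYPTED, [WRONG_KEY, KEY])
    print("candidate key index:", hit[0] if hit else None,
          "| PE recovered:", hit is not None and hit[1] == FAKE_PE)
```

In a real unpacking job the candidates would be 256-byte windows taken from the dropper's code section near the RC4 routine, and the decrypted buffer would be written out by the analyst, not by the malware, since the article's point is that the clean payload only ever exists in memory.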
 
