FormBook - a data stealer that is being distributed as a MaaS
Initial Infection and Behavior
First, the malware establishes a connection to the C&C server. After this, a malicious executable file, in this analysis's case pretending to be a .png, is dropped or overwritten and executed.
Then, FormBook proceeds to steal personal data and change the autorun value in the registry. It also loads a DLL from Mozilla Firefox, creates files in the user directory, and starts CMD.EXE to set up persistence and later begin process injection. Finally, the injected Firefox.exe is used for logging keystrokes, stealing clipboard data, and extracting authentication information from browser HTTP sessions.
Distribution Vectors
According to this FormBook analysis, the malware is usually distributed via email campaigns that use a wide range of infection mechanisms and a variety of file attachments. Among the most commonly observed attachments are:
- DOC or EXE
- ZIP, RAR, ACE, and ISO files
Campaigns in which the malware is distributed through PDF attachments typically use shipping-related themes and usually include a download link that points at the malicious payload rather than embedding the malware itself.
DOC and EXE campaigns use macros to install and run the malware. Often, the payload is retrieved as a .PDF file in such cases.
Archive campaigns are considered the most common attack vector for this malware and usually revolve around a business-related theme, such as a payment order. With this vector, attachments either contain a link to the FormBook stealer EXE file or install and run the malware on the victim's PC directly.
After the malicious file has been downloaded, all that is needed to start the infection is for the file to be opened.
Exploitation of CVE-2017-11882
In cases where Microsoft Office files (.doc, .xls, .rtf) are used as the infection source, the malware exploits CVE-2017-11882 once the file is opened. The Microsoft Office Equation Editor then downloads a malicious executable file and runs it.
Installation Path Based on Privileges
After infecting the victim's PC, the malware copies and renames itself into a directory that differs based on the privileges of the user:
- Admin account: installs itself in %ProgramFiles% or %CommonProgramFiles%
- Non-admin account: installs itself in %TEMP% or %APPDATA%
FormBook also changes the autorun value in the registry depending on whether it runs with normal or elevated privileges.
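The privilege-dependent drop directories above and the executable disguised as a .png from the initial infection give a defender two cheap triage checks on autorun entries: where does the image live, and is a non-executable extension hiding PE content? The script below is an added example, not code from the original analysis. It works on autorun entries, file contents and environment values that are constructed inline; reading the real Run keys and files is left to the operator, and the "directly in the Program Files root" rule is a generic heuristic rather than a FormBook-specific indicator.

```python
import ntpath

# Drop directories the write-up names, keyed by the environment variable that
# resolves to them; admin vs non-admin reflects the privilege-dependent path.
ADMIN_DIR_VARS = ("ProgramFiles", "CommonProgramFiles")
USER_DIR_VARS = ("TEMP", "APPDATA")
PE_MAGIC = b"MZ"
NON_EXEC_EXTENSIONS = {".png", ".jpg", ".gif", ".bmp", ".pdf", ".txt"}


def looks_like_pe(data: bytes) -> bool:
    """True when the content starts with the DOS 'MZ' header of a PE file."""
    return data[:2] == PE_MAGIC


def extension_mismatch(path: str, data: bytes) -> bool:
    """PE content behind a non-executable extension (e.g. payload.png)."""
    return ntpath.splitext(path)[1].lower() in NON_EXEC_EXTENSIONS and looks_like_pe(data)


def _base(var: str, env: dict) -> str:
    return env.get(var, "").lower().rstrip("\\")


def drop_dir_match(path: str, env: dict):
    """Return the env var whose directory contains path, or None."""
    p = ntpath.normpath(path).lower()
    for var in ADMIN_DIR_VARS + USER_DIR_VARS:
        base = _base(var, env)
        if base and p.startswith(base + "\\"):
            return var
    return None


def _image_from_command(cmd: str) -> str:
    """Strip quotes and arguments from an autorun value to get the image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_autorun(entries: dict, files: dict, env: dict) -> list:
    """
    entries: autorun value name -> command line, as read from a Run key
    files:   lower-cased image path -> leading bytes of that file
    env:     environment variables used to resolve the drop directories
    Returns (value_name, image_path, reasons) for every suspicious entry.
    """
    findings = []
    for name, cmd in entries.items():
        image = _image_from_command(cmd)
        reasons = []
        var = drop_dir_match(image, env)
        if var in USER_DIR_VARS:
            reasons.append(f"autorun image under %{var}%, a user-writable directory")
        # Generic heuristic (not FormBook-specific): installed software normally
        # lives in a vendor subfolder, not directly in the Program Files root.
        root = next((v for v in ADMIN_DIR_VARS
                     if ntpath.dirname(image).lower() == _base(v, env)), None)
        if root:
            reasons.append(f"executable placed directly in %{root}% root")
        if extension_mismatch(image, files.get(image.lower(), b"")):
            reasons.append("non-executable extension on PE (MZ) content")
        if reasons:
            findings.append((name, image, reasons))
    return findings


# Constructed sample data: a plausible environment, four Run-key values and the
# first bytes of each referenced file. None of it comes from a real host.
SAMPLE_ENV = {
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "ProgramFiles": r"C:\Program Files",
    "CommonProgramFiles": r"C:\Program Files\Common Files",
}
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'"C:\Users\alice\AppData\Roaming\sysupd\image.png"',
    "VendorAgent": r'"C:\Program Files\Vendor\agent.exe"',
    "SvcHost2": r'"C:\Program Files\Common Files\svc.exe"',
}
SAMPLE_FILES = {
    r"c:\users\alice\appdata\roaming\sysupd\image.png": b"MZ\x90\x00\x03\x00\x00\x00",
    r"c:\program files\vendor\agent.exe": b"MZ\x90\x00",
    r"c:\program files\common files\svc.exe": b"MZ\x90\x00",
    r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, image, reasons in triage_autorun(SAMPLE_ENTRIES, SAMPLE_FILES, SAMPLE_ENV):
        print(f"[suspicious] {name}: {image}")
        for reason in reasons:
            print("   -", reason)
```

On the sample data the OneDrive and vendor entries pass, the "Updater" value is flagged twice (user-writable %APPDATA% location and a .png that starts with MZ), and the executable sitting directly in the Common Files root is flagged once. The magic-byte check matters because the extension alone says nothing: the write-up's payload was named as an image and still ran as a PE.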
Anti-Analysis and Evasion Techniques
Next, the malware copies itself into a directory and checks whether it is running on a virtual machine or under analysis, choosing the evasion option that fits the situation. It inspects the USERNAME environment variable to detect sandbox or emulated environments and checks for the presence of debuggers.
Notably, FormBook uses particularly clever techniques to frustrate analysis. For example, sensitive strings, such as command server names, are decoded only briefly when absolutely required, making the malware highly elusive.
Process Injection Strategy
The malware injects into a running explorer.exe process, which serves as a temporary staging ground. Occasionally, it also injects into web browser processes in addition to explorer.exe.
After injecting into a process, the malware:
- Chooses a random application from a static list
- Runs it in suspended mode
- Copies itself into the address space of the suspended process
- Exits the original process, leaving dead code in explorer.exe
From this stage, new FormBook processes can inject into targeted applications such as web browser processes, in this case Firefox.
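The staging chain described above (explorer.exe spawns a host application, which then injects into the browser) leaves a trace in endpoint telemetry: a remote thread created in a browser process by something that is not a browser, whose parent was explorer.exe. The correlation below is an added example written for this page, not detection content from the original analysis. The event records are constructed; their field names follow Sysmon's ProcessCreate (ID 1) and CreateRemoteThread (ID 8) events, but the shape is simplified and is not a real log export, and `hostapp.exe` is a placeholder for whatever application the stealer picks from its static list, which the write-up does not name.

```python
# Sysmon-style events are correlated to surface remote-thread creation into a
# browser from a non-browser process, with explorer.exe lineage as context.

BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_browser_injection(events: list) -> list:
    """
    Flag CreateRemoteThread (ID 8) events whose target is a browser and whose
    source is not, and record whether the source process was spawned by
    explorer.exe, the staging ground named in the write-up. ProcessCreate
    (ID 1) events are used only to learn each pid's parent image.
    """
    parent_of = {}  # pid -> parent image path
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            parent_of[ev["ProcessId"]] = ev["ParentImage"]
        elif ev["EventID"] == 8:
            src, tgt = ev["SourceImage"], ev["TargetImage"]
            if image_name(tgt) in BROWSER_IMAGES and image_name(src) not in BROWSER_IMAGES:
                parent = parent_of.get(ev["SourceProcessId"], "")
                alerts.append({
                    "source": src,
                    "source_pid": ev["SourceProcessId"],
                    "target": tgt,
                    "target_pid": ev["TargetProcessId"],
                    "source_parent": parent,
                    "spawned_by_explorer": image_name(parent) == "explorer.exe",
                })
    return alerts


# Constructed sample telemetry (not captured from a real host).
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EXPLORER = r"C:\Windows\explorer.exe"
HOSTAPP = r"C:\Windows\System32\hostapp.exe"  # placeholder staging application
AGENT = r"C:\Program Files\Vendor\agent.exe"  # hypothetical endpoint agent

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "Image": EXPLORER,
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "ProcessId": 3000, "Image": FIREFOX, "ParentImage": EXPLORER},
    {"EventID": 1, "ProcessId": 4100, "Image": HOSTAPP, "ParentImage": EXPLORER},
    {"EventID": 1, "ProcessId": 5000, "Image": AGENT,
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Staging application injects into the browser: the pattern from the text.
    {"EventID": 8, "SourceProcessId": 4100, "SourceImage": HOSTAPP,
     "TargetProcessId": 3000, "TargetImage": FIREFOX},
    # Browser parent thread into its own content process: expected, not flagged.
    {"EventID": 8, "SourceProcessId": 3000, "SourceImage": FIREFOX,
     "TargetProcessId": 3001, "TargetImage": FIREFOX},
    # A service-spawned agent touching the browser: flagged, but without the
    # explorer.exe lineage, so it ranks lower for triage.
    {"EventID": 8, "SourceProcessId": 5000, "SourceImage": AGENT,
     "TargetProcessId": 3000, "TargetImage": FIREFOX},
]

if __name__ == "__main__":
    for alert in detect_browser_injection(SAMPLE_EVENTS):
        tag = "HIGH" if alert["spawned_by_explorer"] else "review"
        print(f"[{tag}] {alert['source']} (pid {alert['source_pid']}) -> "
              f"{alert['target']} (pid {alert['target_pid']}); "
              f"parent: {alert['source_parent'] or 'unknown'}")
```

Security products do legitimately create threads in browsers, so the explorer.exe lineage is what separates the staging pattern from benign noise; in a real deployment the parent lookup should come from the full process-creation history rather than the same batch of events.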
API Hooking and Persistence
Depending on the targeted process, the malware can establish various function hooks. Running from inside the context of a spawned process, FormBook examines all active processes looking for targets. Once one is found, it injects itself and installs a program-specific set of API hooks.
Data Exfiltration
The stolen data is saved in files within the %APPDATA% directory until it is transmitted to the C&C server.
Note: Watch for function hooks and registry changes to help detect the presence of this malware.