Chasing Formbook Malware

Ata Erdemir
8 min read · Dec 7, 2023


The FormBook, a notorious malware recognized for its data-stealing and form-grabbing capabilities, has been active since at least 2016. It is available for purchase on underground forums, operating under the model of “malware-as-a-service,” allowing anyone to subscribe to launch malicious campaigns. Specifically, the malware is presented as a PHP control panel with extensive customization options for settings and features.

The typical distribution method for FormBook involves malspam, where malicious attachments are used to deliver the payload. Once a system is infected, the malware can execute various functions, such as dumping credentials, capturing screenshots, monitoring the clipboard, logging keystrokes, clearing browser cookies, downloading and executing files, rebooting, and shutting down the system.

FormBook has been implicated in numerous significant malicious campaigns since its inception. Examples include the 2017 attack on the US and South Korean aerospace, defense, and manufacturing industries, the 2018 campaign targeting information services and financial sectors in the US and the Middle East, and the 2020 COVID-19 phishing campaign.

Vendor’s Threat Intelligence about Formbook

I used the malwarebazaar website to obtain a sample for my research. I scrolled down the page to examine the vendor analyses of the FormBook malware that I acquired through this site. I observed that many sandboxes have labeled this malware as “malicious.”

After gaining some insights, I decided to delve deeper by opening Maltego CE. Before starting my research, I obtained the hash value of the malware from MalwareBazaar, and in Maltego I selected the “HASH” entity and entered the hash value into the required field. I would also recommend using “PolySwarm” to pivot the research.

Transforms

I downloaded transforms in Maltego that would be useful for a threat hunter or SOC personnel. The transforms I used in my study were as follows:

- VirusTotal (Hashes, URLs, File Names):

Query the VirusTotal Public API for hashes, IP addresses, domains and more.

- AlienVault (Discovering Banners of URLs):

Query and browse free threat intelligence from over 19 million threat indicators contributed daily.

- DNSDB (DNS discovery):

The Farsight Security DNSDB transforms and expands the power of Maltego by enabling correlation and contextualization with real-time and historical DNS intelligence; also known as passive DNS data. Using the DNSDB transforms, for example, users can expose entire networks, gain an outside-in view of their infrastructure, and pivot across DNS record types including domains, IPs, NX, MX, AAAA, SOA, and many more. Wildcard searches are also available to expose hostnames/FQDNs (left side wildcard), associated domains (right side wildcard) and further pivoting across IPs to expose all associated domains, FQDNs, IPs, MX, NX, and other record types.

- PolySwarm (Pivot for Research):

The PolySwarm integration allows users to pivot and right-click on any file hash, domain, or IP address to gain insights into the malware behind it. Users may pivot on enrichments to discover related intelligence for a given malware campaign. PolySwarm also provides users the option to upload, scan, and sandbox any malware sample on demand. Users can also subscribe to a number of detailed industry/sector-related real-time malware feeds.

- AbuseIPDB (IP reputation):

AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.

AbuseIPDB’s mission is to help make the Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online.

- Host.io (Domain data):

Host.io collects data on every known domain name, from every TLD, and updates it every month. Included in this data are DNS records and website data for each of the domains. To offer the most comprehensive domain name data, Host.io regularly processes terabytes of data and summarizes it to produce accurate results.

Investigation Starting

First things first: after I inserted the hash value of the malware, I checked for file names via the VirusTotal transform. As output, VirusTotal gave me the file name of the malware. From the screenshot below, we can see that the malware file type is “exe”. I believe this is not the only one; in these kinds of cases, there are several files with different names.

However, let’s continue our investigation. I wondered how the adversary delivers this malware, and I found out. As is well known, nowadays adversaries use phishing to deliver their malware within ZIP files. As can be seen in the screenshot below, they probably use the same method.

Another interesting thing here is that there are some other filenames related to the same exe. This means there are more copies with different names. Here is the proof:

Other file names of malware:

  • Novopedidodecomprapdf.exe
  • Novo pedido de compra pdf.exe
  • HzlgWIPTnEVQp.exe
  • z52Novopedidodecomprapdf.exe

We are tracking the adversary step by step; our next step will be to find the URLs that spread the malware.

The VirusTotal transform gave us three URLs related to the malware.

  • https[:]//www[.]ysudveg[.]buzz/ey16/?kHNXw=VL3phnCxf2&hDH8rrPx=pN2hwVKMu1HtrpP7xxg0YiUeG7eR1sWXZ1Ql522UcBkOnumuNJ9pG2B3VgeemxoUwlNj (118.114.96[.]3 & 118.114.97[.]3)
  • https[:]//www[.]jbfinishing[.]com/ey16/?hDH8rrPx=OMhQXVzdOYCIhTT0BSEMA6phKcoXaKLtXf9SAgrTwWqdcnY/8DJo2joGz5SgJXUP8YoS&kHNXw=VL3phnCxf2 (3.33.130[.]190)
  • http[:]//www[.]zgtiku[.]com/ey16/?kHNXw=VL3phnCxf2&hDH8rrPx=7BFVCJWdeUUziPjRWBscDIgZ8p2IWZY07ONoJqKbHtw7WqycTXLu5X9TBYt4fhq7GN1h (192.229.64[.]169)

I wondered what the IP addresses behind the exe are, so I checked again via the VirusTotal transform and found a bunch of IP addresses.

There are several IP addresses from different countries. However, that doesn’t mean all of them are malicious. You may wonder how we can tell whether they are malicious or not. In this case, we will use the “AbuseIPDB” transform to get their abuse scores. To make the malicious ones easy to spot, I put a black flag on them.

  • 15.197.148[.]33 -> 39
  • 3.33.130[.]190 -> 36
  • 118.114.96[.]0 -> 27
  • 20.99.133[.]109 -> 4

The malicious URLs match both IPs we discovered. However, the domains to which the URLs belong are currently parked. To get more insight, I checked banners via AlienVault.

As the next step, I investigated the malicious IPs we found at an early stage of our investigation. I wondered whether any domains were hosted on those IP addresses and checked the results.

Two IP addresses resolved to the same domain; however, one of them gave me a different result. 15.107.148[.]33 and 3.33.130[.]190 gave top-level domains as a result, but 188.114.96[.]0 gave us two different countries, and one of them is very interesting. “.be” is Belgium, whereas “.tk” is Tokelau. I guess most of you are hearing that for the first time in your life, just like me.

Tokelau is a Polynesian island group in the southern Pacific Ocean, a territory fully dependent on New Zealand. Like many small Oceanian countries, it consists of coral islands.

I decided to continue my investigation with this specific IP and country. I googled Tokelau to see what kind of island this is and what its relation to malicious IPs might be, and I found some interesting articles/news about the island. According to the news I found, this is not a randomly selected island to host a malicious IP.

The news says that “The small island in the Pacific has become the global capital of cybercriminals.” But why do cybercriminals choose this island? Here is the answer: Tokelau gives a free “.tk” domain to everyone! Bingo! Such a golden egg! Not only cybercriminals but also APT groups have used these free “.tk” domains.

Let’s add these domains to the basket:

  • diecieramo[.]tk
  • tioreshautipote[.]tk
  • goesoryransiono[.]tk
  • bhp-bvba[.]be
  • rentdastvotrafica[.]tk
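The practical takeaway from the “.tk” finding is a detection one: once an investigation surfaces domains like these, a defender wants them, and queries under the free TLD in general, to light up in DNS telemetry. The following Python script is an added example (not code from the original post) that scans DNS log lines for the five domains listed above and for any query under a watched TLD. The log format (`timestamp client qtype qname`) and the sample lines are constructed for the example; the choice to watch the whole `.tk` TLD is a policy assumption, not something the post states.

```python
import re

# The domains the investigation surfaced, kept defanged as on the page
WATCH_DOMAINS_DEFANGED = [
    "diecieramo[.]tk",
    "tioreshautipote[.]tk",
    "goesoryransiono[.]tk",
    "bhp-bvba[.]be",
    "rentdastvotrafica[.]tk",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form so it can be compared with log data."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

WATCH_DOMAINS = {refang(d).lower() for d in WATCH_DOMAINS_DEFANGED}

# Assumption for this example: treat every query under the free ".tk" TLD as worth a look.
WATCH_TLDS = {"tk"}

# Constructed sample DNS log (not real traffic): "timestamp client qtype qname"
SAMPLE_DNS_LOG = """\
2023-12-07T10:01:02Z 10.0.0.15 A www.example.com
2023-12-07T10:01:05Z 10.0.0.15 A diecieramo.tk
2023-12-07T10:02:11Z 10.0.0.22 A cdn.goesoryransiono.tk
2023-12-07T10:03:40Z 10.0.0.31 A somethingelse.tk
2023-12-07T10:04:00Z 10.0.0.31 A bhp-bvba.be
2023-12-07T10:05:13Z 10.0.0.40 A notdiecieramo.tk.example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

def matches_known_domain(qname: str, watch: set[str]) -> bool:
    """True if qname is a watched domain or a subdomain of one (label-boundary aware,
    so 'notdiecieramo.tk.example.org' does not match 'diecieramo.tk')."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watch)

def under_watched_tld(qname: str, tlds: set[str]) -> bool:
    """True if the query's last label is one of the watched TLDs."""
    return qname.lower().rstrip(".").rsplit(".", 1)[-1] in tlds

def scan_dns_log(lines, watch_domains=WATCH_DOMAINS, watch_tlds=WATCH_TLDS):
    """Return one hit dict per suspicious query, with the reason it was flagged.
    A known-domain match takes precedence over a bare TLD match."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash mid-scan
        qname = m.group("qname")
        if matches_known_domain(qname, watch_domains):
            reason = "known-domain"
        elif under_watched_tld(qname, watch_tlds):
            reason = "watched-tld"
        else:
            continue
        hits.append({"ts": m.group("ts"), "client": m.group("client"),
                     "qname": qname, "reason": reason})
    return hits

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{h['ts']} {h['client']} {h['qname']} [{h['reason']}]")
```

The label-boundary check matters: a plain substring or `endswith` test would also flag `notdiecieramo.tk.example.org`, which is under `.org` and unrelated. Flagging a whole TLD will be noisy in some environments, so the `watched-tld` reason is reported separately from `known-domain` to allow different alert severities.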

One of them shows what kind of purposes this island’s domains are used for:

goesoryransiono[.]tk:

Anyway, our target is not dating websites or some fake (or not) spy applications, etc. We are after “FormBook”! Let’s continue.

The URL that was found belongs to 172.67.149[.]47, which does not host any other malicious URLs. I decided to check our second URL, “jbfinishing”. I saw that it has the IP address 15.197.148[.]33 and checked for any related URLs. It gave me plenty of them; however, one of them is important for us. The important one gave us another malicious file that belongs to a “Quasar RAT botnet C2 domain”.

We have another IoC that can be added to our “IoC basket”. This one is also parked, like the previous ones.

IoCs

We can say that we have completed our investigation at this point. To protect our organization, we need to extract all the IoCs found during the investigation. We will split them into categories.

DNS Names:

  • jbfinishing[.]com

Domains:

  • alipanba[.]com
  • knowledgewap[.]com
  • matureroute[.]com
  • eroterest[.]net
  • xingyaopan[.]com
  • diecieramo[.]tk
  • goesoryransiono[.]tk
  • tioreshautipote[.]tk
  • bhp-bvba[.]be
  • rentdastvotrafica[.]tk

URLs:

  • http[:]//bigpianochina[.]com/
  • http[:]//cgg3d.com/list/index29.html
  • http[:]//cgg3d.com/list/index56.html
  • http[:]//cgg3d.com/top/rank.html
  • http[:]//cgg3d.com/view/index27523.html
  • http[:]//cgg3d.com/view/index30584.html
  • http[:]//cgg3d.com/view/index30824.html
  • http[:]//cgg3d.com/view/index31084.html
  • http[:]//cgg3d.com/view/index32800.html
  • http[:]//cgg3d.com/view/index34559.html
  • http[:]//cgg3d.com/view/index35298.html
  • http[:]//cgg3d.com/view/index40665.html
  • http[:]//cgg3d.com/view/index42276.html
  • http[:]//ctt-entregaspt.net
  • http[:]//dlvr.it/St9TTQ
  • http[:]//exirzehn.com/question/10-failing-answers-to-commondenton-windows-and-doors-questions-do-you-know-theright-answers/
  • http[:]//infinicol.com/
  • http[:]//ritualbotanico.com.co/
  • http[:]//taisunwin.club/bsavxiv/axhqykl/
  • http[:]//theprose.com
  • http[:]//www.bigcutsmiramar.com/lt12/
  • http[:]//www.chachosrestaurant.com/
  • http[:]//www.ysudveg.buzz/
  • http[:]//www.zgtiku.com/ey16/?kHNXw=VL3phnCxf2&hDH8rrPx=7BFVCJWdeUUziPjRWBscDIgZ8p2IWZY07ONoJqKbHtw7WqycTXLu5X9TBYt4fhq7GN1h
  • https[:]//amtech.ir/2021/12/17/%D8%B1%D8%A7%D9%87%D9%86%D9%85%D8%A7%DB%8C-%DA%A9%D8%A7%D9%85%D9%84-%D8%AA%D8%A7%DB%8C%D9%BE-%D8%B3%D8%B1%DB%8C%D8%B9-%D8%AF%D9%87%E2%80%8C%D8%A7%D9%86%DA%AF%D8%B4%D8%AA%DB%8C/
  • https[:]//analysislaboratorio.com.br/wpcontent/plugins/elementskit/libs/composer/vendor/build/vendor/src/google/apiclient/src/AuthHandler/AuthHandlerFactory.php
  • https[:]//analysislaboratorio.com.br/wpcontent/plugins/elementskit/libs/composer/vendor/build/vendor/src/google/apiclient/src/AuthHandler/Guzzle5AuthHandler.php
  • https[:]//analysislaboratorio.com.br/wpcontent/plugins/elementskit/libs/composer/vendor/build/vendor/src/google/apiclient/src/AuthHandler/Guzzle6AuthHandler.php
  • https[:]//chainyard360.com
  • https[:]//ctt-entregaspt.net
  • https[:]//hop.clickbank.net/?affiliate=sgrmx&vendor=kerassent&cbpage=tsl&tid=6jLb9jT4x1EtzyDpws5ScP
  • https[:]//kerassentials.com/text.php?hop=code2675&flux_sess=fc82a8105291b18abce1967818508f43
  • https[:]//socialfy.app
  • https[:]//traderstruthrevealed.com/D=L:
  • https[:]//www.akitmedia.com/privacypolicy
  • https[:]//www.jbfinishing.com/ey16/?hDH8rrPx=OMhQXVzdOYCIhTT0BSEMA6phKcoXaKLtXf9SAgrTwWqdcnY/8DJo2joGz5SgJXUP8YoS&kHNXw=VL3phnCxf2
  • https[:]//www.ysudveg.buzz/ey16/?kHNXw=VL3phnCxf2&hDH8rrPx=pN2hwVKMu1HtrpP7xxg0YiUeG7eR1sWXZ1Ql522UcBkOnumuNJ9pG2B3VgeemxoUwlNj
  • https[:]//ysudveg.buzz
  • https[:]//zucchinibenefits.com/zucchini-bread-cake-mix-recipe

IPv4:

  • 192.229.64[.]169
  • 15.197.148[.]33
  • 172.67.149[.]47
  • 3.33.130[.]190
  • 188.114.96[.]0
  • 188.114.97[.]0
  • 192.229.211[.]108
  • 20.99.133[.]109
  • 104.21.55[.]153

IPv6:

  • 2606:4700:3030::ac43:952f
  • 2606:4700:3034::6815:3799

Hashes:

  • c3cab31d3036e4d8d4f24084ecf281cb30463cf2ed2a9c7245cf4ddf7c11a936

Phrases (Filenames):

  • HzlgWIPTnEVQp.exe
  • Novo pedido de compra pdf.exe
  • Novopedidodecomprapdf.exe
  • sJlNPfsZ.exe
  • z52Novopedidodecomprapdf.exe
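Splitting the collected indicators into categories, as done above, is worth automating: notes like these come out defanged and mixed, and the same list has to be refanged before it can be loaded into a blocklist or SIEM and defanged again before it is shared. The Python below is an added example (not code from the original post) that takes a block of bullet-pointed, defanged indicators, refangs them, classifies each as URL, IPv4, IPv6, hash, filename or domain, and can defang the result again for a report. The sample input is constructed from a handful of the IoCs listed on this page; the category names and the filename extension list are choices made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few of the page's own IoCs, in the mixed, defanged form they were
# collected in (including the SHA-256 that was broken by a stray space in the notes).
SAMPLE_NOTES = """\
  • jbfinishing[.]com
  • diecieramo[.]tk
  • https[:]//www[.]ysudveg[.]buzz/ey16/?kHNXw=VL3phnCxf2&hDH8rrPx=pN2hwVKMu1HtrpP7xxg0YiUeG7eR1sWXZ1Ql522UcBkOnumuNJ9pG2B3VgeemxoUwlNj
  • http[:]//www.zgtiku.com/ey16/?kHNXw=VL3phnCxf2&hDH8rrPx=7BFVCJWdeUUziPjRWBscDIgZ8p2IWZY07ONoJqKbHtw7WqycTXLu5X9TBYt4fhq7GN1h
  • 192.229.64[.]169
  • 188.114.96[.]0
  • 2606:4700:3030::ac43:952f
  • c3cab31d3036e4d8d4f24084ecf281cb30463cf2ed2a9c7245 cf4ddf7c11a936
  • Novo pedido de compra pdf.exe
  • HzlgWIPTnEVQp.exe
"""

BULLET_RE = re.compile(r"^\s*[•\-\*]\s*")
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Extension list is an assumption for this example; extend it to match your environment.
FILENAME_RE = re.compile(r"\.(exe|dll|scr|bat|cmd|js|vbs|lnk|docm?|xlsm?|zip|rar|iso)$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Reverse the common defanging conventions so the value can be matched or loaded."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def defang(indicator: str) -> str:
    """Defang for sharing: neutralise the scheme and every dot."""
    out = indicator.replace("http://", "hxxp[:]//").replace("https://", "hxxps[:]//")
    return out.replace(".", "[.]")

def classify(indicator: str) -> tuple[str, str]:
    """Return (category, normalised value). Order matters: a filename such as
    'HzlgWIPTnEVQp.exe' would otherwise satisfy the domain pattern."""
    value = refang(indicator.strip())
    if URL_RE.match(value):
        return "url", value
    try:
        ip = ipaddress.ip_address(value)
        return ("ipv4" if ip.version == 4 else "ipv6"), str(ip)
    except ValueError:
        pass
    compact = re.sub(r"\s+", "", value).lower()  # repair hashes split by whitespace
    if re.fullmatch(r"[0-9a-f]+", compact) and len(compact) in HASH_LENGTHS:
        return HASH_LENGTHS[len(compact)], compact
    if FILENAME_RE.search(value):
        return "filename", value
    if DOMAIN_RE.match(value):
        return "domain", value.lower()
    return "unknown", value

def classify_iocs(text: str) -> dict[str, list[str]]:
    """Parse bullet-pointed notes into {category: sorted unique indicators}."""
    buckets: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        item = BULLET_RE.sub("", line).strip()
        if not item:
            continue
        category, value = classify(item)
        buckets[category].add(value)
    return {cat: sorted(vals) for cat, vals in buckets.items()}

def to_report(buckets: dict[str, list[str]]) -> str:
    """Render the categorised list with every indicator defanged again."""
    lines = []
    for cat in sorted(buckets):
        lines.append(f"{cat}:")
        lines.extend(f"  • {defang(v)}" for v in buckets[cat])
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_report(classify_iocs(SAMPLE_NOTES)))
```

Two details are deliberate: hashes are whitespace-compacted before matching, which recovers values that were wrapped or copied with a stray space, and filenames are tested before domains because any `name.exe` also looks like a valid hostname to a domain regex. Anything that fits no category lands in `unknown` rather than being dropped, so nothing from the notes is silently lost.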

Conclusion

To enhance our organization’s security, the key point is investigation and hunting. As analysts or threat hunters, we serve the same purpose: to catch malicious actors and protect our organization. To achieve this purpose, I would say success is 50% investigation and 50% aiming at the correct main purpose of the hunt. During the investigation, there will be distracting findings. All we need to do is remember the purpose of the investigation and target the main point. We have to truly analyze the links between outputs. In some cases, you will not find the adversary or your target. This can happen sometimes. That doesn’t mean you are unsuccessful. Sometimes there is simply no result. Try to collect as many IoCs as you can. I want to end my words with a sentence: “What matters is not where the road will take you, but the pleasure you get while traveling that road.”
