Seqrite Lab recently uncovered a sophisticated phishing campaign leveraging old payloads to deploy the infamous Formbook stealer. Known for its evolution since 2016, Formbook continues to demonstrate advanced stealth features and evasion tactics, maintaining its notoriety in the malware-as-a-service (MaaS) market.
The campaign begins with a spear-phishing email containing a malicious attachment disguised as a purchase order. Upon extracting the zip file, the victim encounters a single executable file, “PurchaseOrder.exe,” which acts as the first stage of a three-layer attack. The following stages include the deployment of “Arthur.dll” and “Montero.dll,” leading to the execution of the final MASM-compiled payload.
Seqrite Lab notes: “While the evasion technique remains the same, multiple layers are used before deploying the payload, and they are loaded only in memory to avoid getting identified.”
Key Features of the Formbook Variant
- Steganography for Concealment: This variant employs steganography, embedding malicious files inside images. These files are decrypted and loaded into memory, bypassing traditional detection mechanisms.
- Multi-Stage Encryption:
  - Stage 1: The malware decrypts the second stage, “Arthur.dll,” from resources embedded in “PurchaseOrder.exe.”
  - Stage 2: Decrypts an image file, extracting its pixel data to retrieve “Montero.dll.”
  - Stage 3: Executes process hollowing, targeting legitimate processes like MSBuild.exe and vbc.exe to evade detection.
- Mutex Creation for Instance Control: The malware ensures a single instance by creating a mutex. If the mutex already exists, it terminates itself, a technique that Seqrite highlights as common among advanced malware families.
The final payload introduces robust mechanisms for persistence and anti-detection:
- Adds its own path to antivirus exclusion lists using PowerShell in hidden mode.
- Creates scheduled tasks with hidden attributes that execute malicious commands defined in XML files.
- Deletes temporary files to erase traces and complicate analysis.
Seqrite further explains: “This XML file is created in the %temp% location, then updates required values such as ‘Location’ and ‘USERID,’ and creates scheduled tasks to maintain persistence.”
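The two persistence behaviours described above, a hidden-window PowerShell call that adds an antivirus exclusion and a scheduled task created from an XML file in %temp%, are both visible in process-creation telemetry. The script below is an added detection example written for this page; it is not code from Seqrite's report. The event records, user and file paths are constructed for the example, and the field names (pid, image, cmdline) are an assumed Sysmon-style layout.

```python
"""Flag hidden-window PowerShell AV-exclusion changes and schtasks runs that
import a task definition from the user's Temp directory."""
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# Paths and PIDs are invented for the example; only PurchaseOrder.exe is from the report.
SAMPLE_EVENTS = [
    {"pid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming\svc\PurchaseOrder.exe'"'''},
    {"pid": 4020,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updater" /XML "C:\Users\victim\AppData\Local\Temp\task.xml" /F'},
    {"pid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-Process"'},
    {"pid": 4110,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

# Add-MpPreference / Set-MpPreference are the real Defender cmdlets that manage exclusions.
AV_EXCLUSION = re.compile(r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I)
SCHTASKS_XML = re.compile(r'/xml\s+"?([^"\s]+)', re.I)


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def has_hidden_window(cmdline: str) -> bool:
    """True if the command line asks powershell for a hidden window.
    PowerShell accepts any unambiguous prefix of -WindowStyle and of Hidden
    (-w hidden, -win h, ...), so compare prefixes rather than fixed strings."""
    for flag, value in re.findall(r"-(w[a-z]*)\s+(h[a-z]*)", cmdline, re.I):
        if "windowstyle".startswith(flag.lower()) and "hidden".startswith(value.lower()):
            return True
    return False


def xml_task_from_temp(cmdline: str) -> bool:
    """True if schtasks creates a task from an XML file under a Temp directory."""
    if not re.search(r"/create\b", cmdline, re.I):
        return False
    match = SCHTASKS_XML.search(cmdline)
    if not match:
        return False
    path = match.group(1).lower()
    return "\\temp\\" in path or "%temp%" in path


def scan(events):
    """Return (pid, rule) pairs for every event matching one of the two rules."""
    findings = []
    for ev in events:
        exe, cmd = basename(ev["image"]), ev["cmdline"]
        if exe in ("powershell.exe", "pwsh.exe") and has_hidden_window(cmd) and AV_EXCLUSION.search(cmd):
            findings.append((ev["pid"], "hidden_powershell_av_exclusion"))
        elif exe == "schtasks.exe" and xml_task_from_temp(cmd):
            findings.append((ev["pid"], "schtasks_xml_from_temp"))
    return findings


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid={pid} rule={rule}")
```

Both rules key on behaviour rather than on file names, so they survive a renamed dropper; the schtasks rule deliberately ignores XML files outside Temp (the fourth sample event) to keep noise from legitimate administrative task imports down.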