New FormBook Dropper Harbors Obfuscation, Persistence

Never-before-seen dropper found in FormBook samples that has increased persistence and obfuscation capabilities.

Researchers are warning that a future data-theft attack may be brewing after discovering a new sample of the FormBook malware, with a never-before-seen dropper — i.e. a malicious file that is used in the initial infection stage and installs malware on the system.

FormBook, a browser form-stealer and keylogger, has been under active development since it popped up on hacking forums in 2016.

Just recently,  researchers discovered the malware harboring the new dropper, that they said has capabilities to better achieve persistence on systems and obfuscation to avoid detection, according to Wednesday Cyberbit research shared with Threatpost.

“As these droppers evolve and constantly change, they can easily bypass anti-malware products and therefore make data theft much easier for the attackers,” Hod Gavriel with Cyberbit told Threatpost. “I see it as an evolving threat – [FormBook] keeps unveiling new tricks to avoid detection and I think new, even more sophisticated droppers will be created for it.”

Researchers first discovered the new FormBook sample about two months ago, they told Threatpost.

For FormBook malware, the initial infection process is typically an email campaign containing a malicious PDF, DOC or XLS attachment. After the victim clicks on the attachment, FormBook’s dropper typically immediately loads the malware.

However, unlike in other samples, the new dropper doesn’t merely unpack the malware, but instead installs a file that creates two post-infection processes. Those two processes are: A Microsoft HTML Application Host (mshta.exe) and a dropper (Rhododendrons8.exe).

This suggests that the malware authors are looking to achieve further persistence and obfuscation on systems, according to researchers.

Mshta.exe is used for executing HTML application files and running Visual Basic Scripts.  The purpose of this script is extra persistence: It adds an obfuscated copy of the malware to the registry autorun key on the system – so it will execute as soon as Windows starts.

Mshta.exe also uses simple obfuscation in its script: For instance: “Instead of writing ‘CreateObject’, ‘CrXXteObject’ is written and ‘XX’ is later replaced with ‘ea’. This is done to prevent signature-based tools from detecting this method being in this script,” researchers said.

The second process is another dropper (Rhododendrons8.exe), which unpacks the Formbook payload. That payload is encrypted within the code section of Rhododendrons8.exe and is decrypted using two algorithms. The first algorithm is proprietary, the second is RC4 (a symmetric stream cipher) with a 256-bytes key.

Researchers said that these two processes unpacking the malware “is the first and currently only sample of FormBook data stealing malware we observed that achieves persistence via this method.”

After it is unpacked, “the final, non-encrypted and non-obfuscated payload of FormBook data-stealing malware never resides on the disk, only in the memory, and therefore makes detection much more difficult,” researchers said.

Researchers did not pin the new malware sample to any specific campaigns or threats, but they could be brewing.

Beyond the dropper, “new targets and motivations [are] unknown as our malware research team does not do attribution intel, but it can definitely be a threat to any user since it is difficult to detect a new dropper written from scratch,” said Gavriel.

In 2017, FormBook was used to target aerospace firms, defense contractors and some manufacturing organizations in the United States and South Korea; and more recently in 2018, the malware was spotted in campaigns aimed at financial and information service sectors in the Middle East and United States.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.


Suggested articles