Malware Analysis Spotlight: Formbook (September 2020)

Oct 01st 2020

A Fresh Look at an Old Problem

Formbook is a well-known malware family of data stealers and form grabbers. Sold as “malware-as-a-service” on hacking forums since early 2016, anyone so inclined can purchase a subscription and use the Formbook tool. It is usually distributed using malspam containing malicious attachments and its reach and effects have been global.

Formbook’s use of advanced techniques to tamper with automatic analysis makes it an ongoing, recurrent threat that warrants a second look. In this Malware Analysis Spotlight we investigate a recent Formbook sample.

View the VMRay Analyzer Report for Formbook (September 2020)


Analysis of Formbook

We start our analysis by looking at the evasion techniques, moving forward to the injection schema and concluding with Formbook’s data-stealing behavior.


Evasion Techniques

Formbook uses multiple techniques to evade automatic analysis and debugging (Figure 1). Combined with an evasive packer, it has fairly comprehensive methods at its disposal. We can observe that the packer detects attached debuggers using the CheckRemoteDebuggerPresent and IsDebuggerPresent function calls. It also tries to detect VirtualBox and VMware. If the checks pass, the actual payload is extracted. Otherwise, execution stops and the process exits before the explorer.exe injection.

The payload detects user-mode and kernel-mode debuggers by calling the NtQuerySystemInformation function with SYSTEM_INFORMATION_CLASS ProcessDebugPort (0x7) and SystemKernelDebuggerInformation (0x23), respectively (Figure 1).


Figure 1: VMRay Analyzer – Triggered VTI rules regarding Anti-VM.


Analysts often rename samples to their hash values, and such a hash is usually 32 characters or longer. One of the other evasions used by Formbook is verifying that the length of the sample’s file name is less than 32 characters (Figure 2).


Figure 2: VMRay Analyzer – Process overview of a successful evasion.


VMRay Analyzer is able to detect if a hash is used as the file name and gives the user the ability to generate a random name instead (Figure 3).


Figure 3: VMRay Analyzer – Detection of hash as the filename


To circumvent the behavior monitoring of sandboxes that rely on hooking, Formbook uses a technique its author(s) refer to as the Lagos Island method. These sandboxes typically establish hooks on functions exported by the native DLL (ntdll.dll) to intercept the control flow and log the behavior.

Instead of calling API functions exported by the already loaded ntdll.dll, which may contain hooks, Formbook manually maps a fresh copy of ntdll.dll from the filesystem and calls the functions of that copy.


Injection Schema

Formbook hides itself in a process started from a Windows built-in tool. We observe the usual pattern it uses to achieve the migration (Figure 4.1). First, process #6 injects a section into explorer.exe using a combination of the functions NtOpenProcess, NtCreateSection and NtMapViewOfSection (Figure 5).

Subsequently, the injected code is executed by hijacking the main thread of process #7, explorer.exe. This injected code starts by creating a new process of C:\Windows\SysWOW64\netsh.exe, a Windows tool. After that, process #6 uses the same injection method as with process #7, explorer.exe, to map itself into and migrate to process #8, netsh.exe (Figure 4.2).

Therefore, the final stage of Formbook is process #8.
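As an added example (not from the original post and not VMRay's tooling), the following Python walks a constructed, simplified function log and flags the NtOpenProcess, NtCreateSection and NtMapViewOfSection sequence described above, marking the second injection as a migration because its target was spawned by the first victim. The log format, the pids and the handle values are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed, simplified function-log lines modelled on the injection chain
# in the text; they are NOT real VMRay Analyzer output. Line format:
#   <pid> <api>(<key>=<value>, ...) -> <key>=<value>
SAMPLE_LOG = """\
6 NtOpenProcess(target_pid=7, image=explorer.exe) -> handle=0x1c
6 NtCreateSection(protect=PAGE_EXECUTE_READWRITE) -> handle=0x20
6 NtMapViewOfSection(section=0x20, process=0x1c) -> status=0
7 NtCreateUserProcess(image=C:\\Windows\\SysWOW64\\netsh.exe) -> pid=8
6 NtOpenProcess(target_pid=8, image=netsh.exe) -> handle=0x30
6 NtCreateSection(protect=PAGE_EXECUTE_READWRITE) -> handle=0x34
6 NtMapViewOfSection(section=0x34, process=0x30) -> status=0
"""

LINE_RE = re.compile(r"^(\d+) (\w+)\((.*)\) -> (\w+)=(\S+)$")

def parse_line(line):
    # Returns (pid, api, args dict, (return key, return value)) or None.
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, api, raw_args, ret_key, ret_val = m.groups()
    args = dict(a.split("=", 1) for a in raw_args.split(", "))
    return int(pid), api, args, (ret_key, ret_val)

def detect_injections(log_text):
    """Return (source_pid, target_pid, target_spawned_by_earlier_victim) events."""
    handles = defaultdict(dict)   # pid -> {process handle: target pid}
    sections = defaultdict(set)   # pid -> section handles it created
    parent = {}                   # child pid -> creating pid
    injected = defaultdict(set)   # source pid -> pids it already injected into
    events = []
    for pid, api, args, (rk, rv) in filter(None, map(parse_line, log_text.splitlines())):
        if api == "NtOpenProcess" and rk == "handle":
            handles[pid][rv] = int(args["target_pid"])
        elif api == "NtCreateSection" and rk == "handle":
            sections[pid].add(rv)
        elif api == "NtMapViewOfSection":
            target = handles[pid].get(args.get("process"))
            if target is not None and args.get("section") in sections[pid]:
                # Migration sign: target was spawned by a process this source already injected into.
                via_victim = parent.get(target) in injected[pid]
                injected[pid].add(target)
                events.append((pid, target, via_victim))
        elif api == "NtCreateUserProcess" and rk == "pid":
            parent[int(rv)] = pid
    return events
```

On the constructed log this yields one plain injection into explorer.exe and a second one into netsh.exe flagged as a migration, so the last event's target is the final stage.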


Figure 4.1: VMRay Analyzer – Process Graph


Figure 4.2: VMRay Analyzer – Host Behavior


Figure 5: VMRay Analyzer – Function log showing the injection into explorer.exe.


Keylogger & Stealing

Formbook intercepts the Windows messaging system by hooking API functions in the injected processes, which allows it to monitor keystrokes (Figure 6).


Figure 6: VMRay Analyzer – Hook information about process #7


Formbook takes a desktop screenshot and harvests credentials stored on the system by multiple applications (Figure 7).


Figure 7: VMRay Analyzer – Data stealing


Those are then written to separate log files in a sub-directory of %AppData%. To steal browser credentials, Formbook makes a copy of the browser’s database and uses winsqlite3 to extract the stored information.



As one can see, Formbook uses a variety of evasive maneuvers to avoid detection. This sample also comes with a packer that has its own artificial-environment detection capabilities, extending the overall feature set.

However, the injection schema in this sample is well understood and was analyzed using VMRay Analyzer. When Formbook’s evasion methods don’t detect the environment (Analyzer is invisible to most forms of malware), its data-stealing capabilities become immediately visible to observers.



Sample 72cca77c38132f30a09c57d24815d52ec3d5bb48c19415f52b7a38190b92d17f