Formbook is a well-known malware family of data stealers and form grabbers. Sold as “malware-as-a-service” on hacking forums since early 2016, it can be used by anyone willing to purchase a subscription. It is usually distributed via malspam carrying malicious attachments, and its reach and effects have been global.
Formbook’s use of advanced techniques to tamper with automatic analysis makes it an ongoing, recurrent threat that warrants a second look. In this Malware Analysis Spotlight, we investigate a recent Formbook sample.
We start our analysis by looking at the evasion techniques, moving forward to the injection schema and concluding with Formbook’s data-stealing behavior.
Formbook uses multiple techniques to evade automatic analysis and debugging (Figure 1). Combined with an evasive packer, it has fairly comprehensive methods at its disposal. We can observe that the packer detects attached debuggers using IsDebuggerPresent function calls. It also tries to detect VirtualBox and VMware. If the checks pass, the actual payload is extracted. Otherwise, execution stops and the process exits before the explorer.exe injection.
The payload detects user mode and kernel mode debuggers by using the NtQuerySystemInformation function with SYSTEM_INFORMATION_CLASS ProcessDebugPort (0x7) and SystemKernelDebuggerInformation (0x23) respectively (Figure 1).
Figure 1: VMRay Analyzer – Triggered VTI rules regarding Anti-VM.
Analysts often rename samples to their hash values, and such a hash is usually 32 characters or longer. One of the other evasions used by Formbook is verifying that the length of the sample’s name is less than 32 characters (Figure 2).
Figure 2: VMRay Analyzer – Process overview of a successful evasion.
VMRay Analyzer is able to detect if a hash is used instead of a name and gives the user the ability to generate a random name instead (Figure 3).
Figure 3: VMRay Analyzer – Detection of hash as the filename
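The two analyst-side checks described above, recognizing a hash-like filename and picking a short random replacement before detonation, as an added example. This is not VMRay Analyzer's code; it assumes analysts name samples after MD5, SHA-1 or SHA-256 hex digests and mirrors only the length threshold the post states (less than 32 characters).

```python
import re
import secrets
from pathlib import PurePath

# Hex digest lengths analysts commonly name samples after (assumption, not
# something Formbook checks; the malware only looks at the name length).
HASH_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def hash_in_name(filename: str):
    """Return the hash algorithm a filename stem looks like, or None."""
    stem = PurePath(filename).stem
    if HEX_RE.match(stem):
        return HASH_DIGEST_LENGTHS.get(len(stem))
    return None


def trips_length_check(filename: str, limit: int = 32) -> bool:
    """True when the name would fail Formbook's 'shorter than 32' test."""
    return len(filename) >= limit


def analysis_name(filename: str, limit: int = 32) -> str:
    """Pick a short, random name for the sample on the sandbox.

    The original extension is kept so the file type is unchanged. The name is
    random rather than fixed so a sample cannot block-list one naming scheme.
    """
    if not trips_length_check(filename, limit) and hash_in_name(filename) is None:
        return filename  # already short and not a hash, keep it
    suffix = PurePath(filename).suffix
    # 6 random bytes -> 12 hex characters, well under the threshold
    return f"sample_{secrets.token_hex(6)}{suffix}"


if __name__ == "__main__":
    for name in ("d41d8cd98f00b204e9800998ecf8427e.exe", "invoice_2021.exe"):
        print(name, hash_in_name(name), trips_length_check(name), analysis_name(name))
```

Renaming is done on the sandbox side before the sample is copied into the guest, so the executable never sees the hash-style name at all.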
To circumvent the behavior monitoring of sandboxes that relies on hooking, Formbook uses a technique its author(s) referred to as the Lagos Island method. These sandboxes typically establish hooks on functions exported by the native DLL (ntdll.dll) to intercept the control flow and log the behavior.
Instead of using API functions exported by the already loaded ntdll, which can contain hooks, a new copy is manually mapped from the filesystem and its functions are used.
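Two ways a defender can spot a manually mapped second ntdll, as an added example that is not part of the post or of VMRay Analyzer. Both functions run over constructed records: a simplified function-log view of (pid, API, path argument) and a simplified memory-map view of (pid, base, backing file). The heuristic is an assumption: a process opening ntdll.dll from disk and mapping a view of it in user mode is unusual, since the kernel maps ntdll at process creation, and the memory-map check looks for the same ntdll file mapped twice in one process (a WoW64 process legitimately has the System32 and SysWOW64 copies, so those are treated as different files).

```python
import re
from collections import defaultdict

NTDLL_RE = re.compile(r"(?:^|\\)ntdll\.dll$", re.IGNORECASE)

# Constructed function-log records: (pid, api, path argument).
SAMPLE_LOG = [
    (6, "NtOpenFile", r"\??\C:\Windows\SysWOW64\ntdll.dll"),
    (6, "NtCreateSection", r"\??\C:\Windows\SysWOW64\ntdll.dll"),
    (6, "NtMapViewOfSection", r"\??\C:\Windows\SysWOW64\ntdll.dll"),
    (6, "NtMapViewOfSection", r"\??\C:\Windows\SysWOW64\kernel32.dll"),  # normal DLL load
    (9, "NtOpenFile", r"\??\C:\Windows\SysWOW64\user32.dll"),
    (9, "NtMapViewOfSection", r"\??\C:\Windows\SysWOW64\user32.dll"),
]

# Constructed memory-map records: (pid, base address, backing file).
SAMPLE_MEMORY_MAP = [
    (6, 0x77A00000, r"C:\Windows\SysWOW64\ntdll.dll"),       # mapped by the kernel
    (6, 0x00400000, r"C:\Users\user\Desktop\sample.exe"),
    (6, 0x02F10000, r"C:\Windows\SysWOW64\ntdll.dll"),       # second, private copy
    (9, 0x77A00000, r"C:\Windows\SysWOW64\ntdll.dll"),
    (9, 0x7FF800000000, r"C:\Windows\System32\ntdll.dll"),   # 64-bit ntdll of a WoW64 process
]


def find_ntdll_remaps(log):
    """PIDs that map a fresh view of ntdll.dll from user mode (assumed indicator)."""
    apis_on_ntdll = defaultdict(set)
    for pid, api, path in log:
        if NTDLL_RE.search(path):
            apis_on_ntdll[pid].add(api)
    return sorted(pid for pid, apis in apis_on_ntdll.items()
                  if "NtMapViewOfSection" in apis)


def duplicate_ntdll_images(memory_map):
    """Map pid -> base addresses when the same ntdll file is mapped more than once."""
    bases = defaultdict(list)
    for pid, base, path in memory_map:
        if NTDLL_RE.search(path):
            bases[(pid, path.lower())].append(base)
    return {pid: addrs for (pid, _), addrs in bases.items() if len(addrs) > 1}


if __name__ == "__main__":
    print("user-mode ntdll remap in pids:", find_ntdll_remaps(SAMPLE_LOG))
    print("duplicate ntdll images:", duplicate_ntdll_images(SAMPLE_MEMORY_MAP))
```

The function-log check catches the act of mapping; the memory-map check catches the result, which is useful when the monitor missed the calls precisely because the hooks were bypassed.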
Formbook uses a process started from a Windows built-in tool to hide itself. We notice the usual pattern it uses to achieve the migration (Figure 4.1). First, process #6 injects a section into explorer.exe using a combination of the function
Subsequently, the injected code is executed by hijacking the main thread of process #7, explorer.exe. This injected code starts execution by creating a new process of C:\Windows\SysWOW64\netsh.exe, a Windows built-in tool. After finishing, process #6 uses the same injection method as with process #7, explorer.exe, to map itself and migrate into process #8, netsh.exe (Figure 4.2). Therefore, the final stage of Formbook is process #8.
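The migration pattern above (inject into explorer.exe, have explorer spawn a Windows built-in tool, inject into that child) can be turned into a detection over a sandbox's process events. The following is an added example, not VMRay Analyzer's own rule logic; it runs over a constructed event list and assumes a simplified event model with "start", "inject" and "hijack_thread" records, and treats any image under System32 or SysWOW64 as a built-in tool.

```python
from pathlib import PureWindowsPath

# Directories whose executables count as Windows built-in tools (assumption).
WINDOWS_TOOL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed events modelled on the process graph described in the post.
EVENTS = [
    {"type": "start", "pid": 7, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "start", "pid": 6, "ppid": 3, "image": r"C:\Users\user\Desktop\sample.exe"},
    {"type": "inject", "src": 6, "dst": 7},          # section mapped into explorer.exe
    {"type": "hijack_thread", "src": 6, "dst": 7},   # explorer's main thread redirected
    {"type": "start", "pid": 8, "ppid": 7, "image": r"C:\Windows\SysWOW64\netsh.exe"},
    {"type": "start", "pid": 10, "ppid": 7, "image": r"C:\Windows\System32\notepad.exe"},  # benign user launch
    {"type": "inject", "src": 6, "dst": 8},          # migration into netsh.exe
    {"type": "hijack_thread", "src": 6, "dst": 8},
]


def is_windows_builtin(image: str) -> bool:
    return str(PureWindowsPath(image).parent).lower() in WINDOWS_TOOL_DIRS


def find_migration_chains(events):
    """Return (injector, explorer_pid, child_pid, child_image) for each chain found."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "start"}
    chains = []
    for i, e in enumerate(events):
        if e["type"] != "inject":
            continue
        if PureWindowsPath(image.get(e["dst"], "")).name.lower() != "explorer.exe":
            continue
        src, explorer = e["src"], e["dst"]
        # Look forward: explorer spawns a built-in tool, then the injector
        # injects into that child. A child explorer spawns without a
        # follow-up injection (notepad.exe above) is not reported.
        for j in range(i + 1, len(events)):
            s = events[j]
            if s["type"] == "start" and s["ppid"] == explorer and is_windows_builtin(s["image"]):
                if any(k["type"] == "inject" and k["src"] == src and k["dst"] == s["pid"]
                       for k in events[j + 1:]):
                    chains.append((src, explorer, s["pid"], s["image"]))
    return chains


if __name__ == "__main__":
    for chain in find_migration_chains(EVENTS):
        print("migration chain:", chain)
```

Requiring the final injection from the original injector into explorer's child keeps the rule quiet for ordinary shell launches, which also have explorer.exe as parent.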
Figure 4.1: VMRay Analyzer – Process Graph
Figure 4.2: VMRay Analyzer – Host Behavior
Figure 5: VMRay Analyzer – Function log showing the injection into explorer.exe.
Formbook intercepts the Windows messaging system by hooking API functions in the injected processes, which allows it to monitor keystrokes (Figure 6).
Figure 6: VMRay Analyzer – Hook information about process #7
Formbook takes a desktop screenshot and harvests credentials stored on the system from multiple applications (Figure 7):
Figure 7: VMRay Analyzer – Data stealing
Those are then written to separate log files in a sub-directory of %AppData%. To steal browser credentials, Formbook makes a copy of the browser's database and uses winsqlite3 to extract the stored information.
As one can see, Formbook uses a variety of evasive maneuvers to avoid detection. This sample is also equipped with a packer that has its own artificial-environment detection capabilities, extending the overall feature set.
However, the injection schema in this sample is well understood and was analyzed using VMRay Analyzer. When Formbook’s evasion methods don’t detect the environment (Analyzer is invisible to most forms of malware), its data-stealing capabilities become immediately visible to observers.