FormBook stealer: Data theft made easy

Posted on 2018-06-22 by Adam Swanda

The FormBook information-stealing malware, advertised as providing an "extensive and powerful internet monitoring experience", has clearly caught the eye of threat actors since its debut on underground forums in 2016. Because of its low price, it is readily available to a variety of actors; it has been distributed using methods of varying complexity and shows no signs of slowing down. The malware provides a variety of data theft capabilities such as stealing stored passwords from local applications, recording user keystrokes, browsing and interacting with files on the infected host, taking screenshots, and more. Although the information-stealing functionality seems rather standard, the measures FormBook takes to avoid analysis make this malware family difficult to detect and analyze, making the stealer all the more appealing to malicious actors looking for a new take on an old threat.

Unlike many of the more widespread malware families in distribution, which are sold on hidden marketplaces or Tor forums, FormBook is available on popular websites such as HackForums.net. Because it is sold on highly accessible forums for as little as $30 per week, threat actors face a very low barrier to entry for launching attacks.

The following screenshot shows a section of an advertisement discovered on HackForums showcasing the low price of the malware:

Forum Advertisement

FormBook is distributed mostly through phishing emails, and documented campaigns have shown varying degrees of sophistication, from basic email attachments to the use of multiple exploits for infection. For example, Cisco recently reported on their tracking of a phishing campaign using both CVE-2017-0199 and CVE-2017-11882, and SANS covered the malware being distributed with CVE-2017-8570.

Installation & Evasion

After being delivered to the victim computer, FormBook will copy itself to one of two locations depending on the privileges the malware is executing with. When running as a normal user, the malware will be dropped to %TEMP% or %APPDATA%, while elevated privileges see the binary stored in either %ProgramFiles% or %CommonProgramFiles%.

FormBook then leverages several anti-analysis techniques to ensure it is not being analyzed or executed within a virtual machine, looking for running processes common to VMs and analysis tools. The malware will check for the existence of the following running processes:

  • vmtoolsd.exe
  • vmwareuser.exe
  • vmwareservice.exe
  • vmsrvc.exe
  • vmusrvc.exe
  • vboxtray.exe
  • vboxservice.exe
  • wireshark.exe
  • procmon.exe
  • regmon.exe
  • filemon.exe

In addition to inspecting running processes, FormBook checks the USERNAME environment variable in an attempt to detect sandbox environments, and looks for the presence of both kernel and userland debuggers.

While these types of checks are standard for malware, they are harder to analyze in FormBook because of the string encryption employed throughout the malware's execution. The common strings one might find in a malware sample, such as the names of processes it is attempting to evade, command and control servers, or processes the malware will be injected into, are only decoded when they are needed. In addition, the API calls used by the malware are resolved only at runtime, by means of function name hashing.

Arbor Networks has previously authored a blog post which describes the string encryption techniques and API hashing functions in excellent detail.

To assist in analysis, ThisIsSecurity has also provided a Python script to decrypt hashed strings found within the malware.

Staging

Once all of the anti-analysis checks are passed, FormBook will then inject itself into the running explorer.exe process. This is done by iterating over all running processes and searching for the CRC32 checksum of the explorer process name. Often the injection into the explorer process will be the final resting place of malware, though for FormBook it is only used as a temporary staging ground.
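An analyst-side illustration of the name-hash matching described above (added here; not code from the original post, Arbor Networks or ThisIsSecurity): it builds a reverse lookup from candidate process names to CRC-32 values so that a constant seen in a sample can be mapped back to a name. The page does not state which CRC-32 variant, case folding or string encoding FormBook uses, so as an assumption the table covers two common variants under several normalisations; `CANDIDATES` is a subset of the names listed on this page.

```python
import zlib

# Subset of the process names listed on this page; extend with the full lists.
CANDIDATES = ["explorer.exe", "svchost.exe", "lsass.exe",
              "vmtoolsd.exe", "wireshark.exe", "procmon.exe"]

def crc32_bzip2(data: bytes) -> int:
    """CRC-32/BZIP2: zlib's polynomial, processed MSB-first (unreflected)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc <<= 1
            if crc & 0x100000000:
                crc ^= 0x104C11DB7   # clears bit 32 and applies the polynomial
    return crc ^ 0xFFFFFFFF

# Assumption: variant, encoding and case folding are unknown, so try each.
VARIANTS = {"crc32": lambda b: zlib.crc32(b) & 0xFFFFFFFF,
            "crc32_bzip2": crc32_bzip2}
ENCODINGS = ("ascii", "utf-16-le")
CASES = {"lower": str.lower, "upper": str.upper}

def build_table(names):
    """Map each hash value to the (name, variant, encoding, case) producing it."""
    table = {}
    for name in names:
        for variant, fn in VARIANTS.items():
            for enc in ENCODINGS:
                for case, fold in CASES.items():
                    digest = fn(fold(name).encode(enc))
                    table.setdefault(digest, []).append((name, variant, enc, case))
    return table

def resolve(constant, table):
    """Return the candidate names that hash to a constant seen in a sample."""
    return table.get(constant & 0xFFFFFFFF, [])

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Constructed stand-in for a constant recovered from a disassembled sample.
    observed = crc32_bzip2(b"explorer.exe")
    print(hex(observed), resolve(observed, table))
```

A constant that resolves under only one combination also tells the analyst which variant and normalisation the sample applies, which narrows the search for the remaining hashes.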

FormBook will then create and inject itself into a new Windows process, chosen randomly from a list of encrypted process names. Only then will it begin its harvesting of information from an infected system.

The following list contains the possible processes the malware chooses from for this stage:

  • audiodg.exe
  • autochk.exe
  • autoconv.exe
  • autofmt.exe
  • chkdsk.exe
  • cmd.exe
  • cmmon32.exe
  • cmstp.exe
  • colorcpl.exe
  • control.exe
  • cscript.exe
  • dwm.exe
  • explorer.exe
  • help.exe
  • ipconfig.exe
  • lsass.exe
  • lsm.exe
  • msdt.exe
  • msg.exe
  • msiexec.exe
  • mstsc.exe
  • napstat.exe
  • nbtstat.exe
  • netsh.exe
  • netstat.exe
  • raserver.exe
  • rdpclip.exe
  • rundll32.exe
  • services.exe
  • spoolsv.exe
  • systray.exe
  • svchost.exe
  • taskhost.exe
  • WWAHost.exe
  • wininit.exe
  • wlanext.exe
  • wscript.exe
  • wuapp.exe
  • wuauclt.exe
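A detection-side example for the staging behaviour described above (added here, not part of the original post): since the new process is created from the injected explorer.exe, process-creation telemetry can be checked for listed system processes with an unexpected parent, and for listed utilities started by the shell with no arguments. The parent baseline, the `USER_LAUNCHED` exclusions and the sample events are assumptions constructed for illustration; field names follow Sysmon Event ID 1.

```python
import ntpath

# Injection targets listed above, without the .exe suffix, lower-cased.
STAGING = set("""audiodg autochk autoconv autofmt chkdsk cmd cmmon32 cmstp colorcpl
control cscript dwm explorer help ipconfig lsass lsm msdt msg msiexec mstsc napstat
nbtstat netsh netstat raserver rdpclip rundll32 services spoolsv systray svchost
taskhost wwahost wininit wlanext wscript wuapp wuauclt""".split())

# Assumed baseline of normal parents (Windows 7-era names); tune for your fleet.
EXPECTED_PARENT = {
    "lsass": {"wininit"}, "services": {"wininit"}, "lsm": {"wininit"},
    "wininit": {"smss"}, "svchost": {"services"}, "spoolsv": {"services"},
    "taskhost": {"services"}, "audiodg": {"svchost"},
    "dwm": {"svchost", "winlogon"},
}
# Assumption: users routinely start these from the shell, so they are not flagged.
USER_LAUNCHED = {"cmd", "control", "mstsc", "explorer"}

def stem(path):
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def has_args(cmdline):
    cmdline = cmdline.strip()
    sep = '"' if cmdline.startswith('"') else " "
    return bool(cmdline.lstrip('"').partition(sep)[2].strip())

def classify(event):
    """Return 'high', 'review' or None for one process-creation event."""
    child, parent = stem(event["Image"]), stem(event["ParentImage"])
    if child not in STAGING:
        return None
    if child in EXPECTED_PARENT:   # system process: parent must match baseline
        return None if parent in EXPECTED_PARENT[child] else "high"
    if (parent == "explorer" and child not in USER_LAUNCHED
            and not has_args(event["CommandLine"])):
        return "review"            # utility started by the shell, no arguments
    return None

def ev(child, parent, args=""):
    """Build a constructed event (not real telemetry)."""
    image = "C:\\Windows\\System32\\" + child
    return {"Image": image, "ParentImage": "C:\\Windows\\" + parent,
            "CommandLine": (image + " " + args).strip()}

EVENTS = [ev("svchost.exe", "explorer.exe"),
          ev("svchost.exe", "System32\\services.exe", "-k netsvcs"),
          ev("netstat.exe", "explorer.exe"),
          ev("netstat.exe", "System32\\cmd.exe", "-an")]

def triage(events):
    return [(stem(e["Image"]), classify(e)) for e in events if classify(e)]
```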

Persistence

After injection into the newly created process, FormBook will then delete the original payload and set itself up for persistence. The persistence method is rather standard for malware in general, considering how in-depth the majority of the malware's execution is in attempting to avoid detection and analysis. FormBook merely creates a registry entry pointing to the path of the copied payload that was created upon initial execution. The entry is written to one of two locations, SOFTWARE\Microsoft\Windows\CurrentVersion\Run or SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, depending on the privilege level the malware is running with.
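One way to audit for this persistence pattern, as an added example that is not from the original post: it takes exported autorun entries, extracts the executable path from each value, and flags entries in the two keys above whose target sits in the drop locations named under Installation & Evasion. The `ENV` values and sample entries are constructed, and rating Program Files targets as "review" only when they appear under Policies\Explorer\Run is an assumption made to keep legitimate vendor autoruns out of the results.

```python
import ntpath
import re

RUN = r"software\microsoft\windows\currentversion\run"
POLICY_RUN = r"software\microsoft\windows\currentversion\policies\explorer\run"

# Constructed environment so the example runs offline; use the profile's values.
ENV = {
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
    "%programfiles%": r"C:\Program Files",
    "%commonprogramfiles%": r"C:\Program Files\Common Files",
}
USER_DROP = ("%temp%", "%appdata%")                       # normal-user locations
ADMIN_DROP = ("%programfiles%", "%commonprogramfiles%")   # elevated locations

def target_path(value):
    """Extract the executable path from a Run value and expand %VAR% references."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.\w{3})(?=\s|$)|(\S+))', value)
    if not m:
        return ""
    raw = next(g for g in m.groups() if g)
    raw = re.sub(r"%[^%]+%", lambda v: ENV.get(v.group(0).lower(), v.group(0)), raw)
    return ntpath.normpath(raw).lower()

def under(path, variables):
    return any(path.startswith(ENV[v].lower() + "\\") for v in variables)

def classify(key, value):
    """Return 'high', 'review' or None for one autorun registry value."""
    subkey = key.partition("\\")[2].lower()   # strip the hive (HKCU/HKLM)
    if subkey not in (RUN, POLICY_RUN):
        return None
    path = target_path(value)
    if under(path, USER_DROP):
        return "high"
    if subkey == POLICY_RUN and under(path, ADMIN_DROP):
        return "review"
    return None

# Constructed sample entries: (key, value data).
ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", r'"%APPDATA%\Kx3j\svc.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", r"C:\Program Files\Vendor\agent.exe /background"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", r"C:\Program Files\Hq2\run.exe"),
]

def audit(entries):
    return [(k, v, classify(k, v)) for k, v in entries if classify(k, v)]
```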

Information Harvesting

Running within the context of the previously created Windows process, FormBook will begin to iterate over all running processes in search of targeted applications. Once an application is detected that the malware supports, it will then inject itself into the target application and install API hooks specific to its target.

For example, web browsers will have hooks installed on functions such as HttpSendRequest and WSASend to identify requests being sent with strings such as login, username and password, among several others.

Collected data is temporarily stored in files within the %APPDATA% directory before being sent back to the C&C server.

The following redacted screenshots of the FormBook administration panel highlight the supported applications as well as the view the threat actor is given of stolen information returned from the victim:

FormBook Admin Panel
Stolen Data

In addition to its credential theft and general monitoring capabilities, actors operating the malware can push instructions to infected hosts to perform tasks such as running arbitrary system commands, downloading and executing files, and adding new user accounts to the system.

Task Execution

Summary

While the information stealing features of FormBook may seem like common functionality for malware, the real power comes in its profoundly deceptive execution tactics and obfuscated code. Also, the low price and wide availability of the malware provide the means for threat actors of all degrees to launch campaigns targeting user data. It is likely we will continue to see this malware being used in a variety of campaigns.


Detection

InQuest provides support for detecting FormBook's Command & Control traffic through the following signature:

  • Name: HA_FormBook_Beacon
  • EventID: 6000236

With the malware being distributed mainly through phishing emails, detection of the delivery mechanisms provides a means to mitigate this threat before any malicious actions can take place.

As such, InQuest provides detection for exploits used in FormBook's distribution via the following signatures:

  • Name: MC_CVE_2017_0199
  • EventID: 5000583

  • Name: MC_Microsoft_Office_ScriptMoniker_Corruption
  • EventID: 5000775

  • Name: MC_Microsoft_Office_ScriptMonikerPowershell_Corruption
  • EventID: 5000776

  • Name: MC_Malicious_Scriptlet_Payload_01
  • EventID: 5000806

  • Name: MC_Malicious_Scriptlet_Payload_03
  • EventID: 5000808

  • Name: SC_CVE_2017_0199_redir
  • EventID: 3000133

  • Name: MC_Equation_OLE
  • EventID: 5000757

  • Name: MC_CVE_2017_11882_RTF
  • EventID: 5000756

  • Name: MC_CVE_2017_11882_OLE
  • EventID: 5000755

  • Name: SC_Equation_CLSID
  • EventID: 3000235

  • Name: SC_Embedded_Equation_Object_RTF
  • EventID: 3000232
