{"id":90185,"date":"2021-07-21T19:58:50","date_gmt":"2021-07-21T14:28:50","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90185"},"modified":"2023-08-08T18:18:35","modified_gmt":"2023-08-08T12:48:35","slug":"formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data\/","title":{"rendered":"FormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to steal data"},"content":{"rendered":"

Quick Heal<\/a> Security Lab has seen a sudden increase in dotnet samples which are using steganography. Initially, in the static analysis, not much information is available. It resembles some simple application going by the method name. On the dynamic side, some show the activity but another check for sandboxing<\/a> environment. Apart from this, even on execution, it loads multiple memory stages that contain numerous long periods of sleep.\u00a0 One such file received in our lab was of Formbook malware. Formbook stealer has been sold on hacking forms since 2016 as-a-service.<\/p>\n

In this blog, we will go through those multiple stages and analysis of the final payload. The final payload is also complicated due to various threads creation and sleeps in between.<\/p>\n

Technical Analysis<\/strong><\/p>\n

\"\"<\/p>\n

SSO.exe<\/strong><\/p>\n

In the resource of sso.exe, there is an image that indicates the use of Steganography. However, this resource is not used at this level. There is one more resource present which initially is difficult to find. While going through the code of decryption, this 2nd resource was identified as stage 1.<\/p>\n

\"\"
Figure 1 GregorianCalendar in Resource, contains stage 2 file<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Figure 2 Another Resource naming Tree, just below the blue line there are some red dots visible, contains stage 1 file<\/figcaption><\/figure>\n

At the entry point, there is a single line code to execute the form.<\/p>\n

\"\"
Figure 3 Main function, calls the constructor of Form1 which decrypts stage 1 file<\/figcaption><\/figure>\n

If we go to the Form1 code, there isn\u2019t much information present. But when we check the Form1 class, we can see in its constructor a call to method ISectionEntry.<\/p>\n

\"\"
Figure 4 Constructor Code, call to decryption routine of stage 1 file<\/figcaption><\/figure>\n

ISectionEntry contains the code to get Pixels(Fig 5), convert to integer and save it in an array(Fig 6) and then call to MessageSurrogateFilter(array) with the buffer passed as a parameter.<\/p>\n

\"\"
Figure 5 Decryption Routine from Image, decrypting stage 1 PE file<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Figure 6 Buffer Containing stage 1 PE file<\/figcaption><\/figure>\n

MessageSurrogateFilter() method then loads the decrypted assembly (SimpleUI.dll) into the memory and invokes its SeclectorX() method with some arguments, which will be explained later in Stage 1.<\/p>\n

\"\"
Figure 7 Assembling Loading of stage 1 in Memory and invoking its member SelectorX with resource name, decryption key and assembly name<\/figcaption><\/figure>\n

 <\/p>\n

\"\"
Figure 8 SimpleUI.dll loaded in memory<\/figcaption><\/figure>\n

 <\/p>\n

Stage 1:<\/strong><\/p>\n

\"\"
Figure 9 SimpleUI.dll<\/figcaption><\/figure>\n
    \n
  • Since there are not many methods present in this file, we directly go through the code of the SelectorX method. As we can see in Figure 7, there are three values passed to this function which are:<\/li>\n
  • RestrictedError = 477265676F7269616E43616C656E646172 = GregorianCalendar (Name of resource in Main file, resource shown in Fig 1)<\/li>\n
  • ValueEnumerator = 72584C4F594D6D556D = rXLOYMmUm (Key for decryption)<\/li>\n
  • Project Name= Agent.Common (Main File)<\/li>\n
  • cba() method contains the code to get the Pixels from the image and convert to Integer and save it in an array, and XeH contains code to convert the hex value into a string.<\/li>\n<\/ul>\n
    \"\"
    Figure 10 SelectorX method accesses the GregorianCalendar resource from main assembly and decrypts it using the key passed under fgh() method<\/figcaption><\/figure>\n

     <\/p>\n

    \"\"
    Figure 11 Size of Buffer to be initialized for stage 2<\/figcaption><\/figure>\n

    fgh() method\u2019s decryption routine is a simple XOR with 2 values in which the \u201cbytes\u201d array contains a Unicode version of the Key (mentioned as ValueEnumerator above).<\/p>\n

    \"\"
    Figure 12 fgh() method code for decryption, normal xoring<\/figcaption><\/figure>\n

    After decryption, the assembly is again loaded in Memory.<\/p>\n

    \"\"
    Figure 13 Stage 2 assembly loaded in memory<\/figcaption><\/figure>\n

    Stage 2:<\/strong><\/p>\n

    \"\"
    Figure 14 Stage 2 Assembly<\/figcaption><\/figure>\n

    It becomes difficult to analyze with these unicoded function name.<\/p>\n

    \"\"
    Figure 15 Stage2 Unicode method names<\/figcaption><\/figure>\n

    In this stage 2 assembly, a method named Fedree() is called, whose constructor contains the code to decrypt and inject the final payload.<\/p>\n

    In the decryption routine first, the name of the resource is decrypted to s2pCN (resource in stage 2), Loads the resource and passes it to the XOR_DEC along with a KEY. Decrypted buffer is then passed to Unscramble function where it brings another dotnet file.<\/p>\n

    \"\"
    Figure 16 Decryption routine in Stage 2 which brings final payload<\/figcaption><\/figure>\n

    XOR_DEC contain simple xor with obfuscated code.<\/p>\n

    \"\"
    Figure 17 Xor_Dec method decrypts the final payload<\/figcaption><\/figure>\n

    Unscramble function forms the final payload.<\/p>\n

    \"\"
    Figure18 Unscramble Method code brings final payload PE file<\/figcaption><\/figure>\n

    After decryption, it does process hollowing by creating sso.exe\u2019s process in suspended mode.<\/p>\n

    \"\"
    Figure 19 Process Hollowing Code to inject the final payload<\/figcaption><\/figure>\n

     <\/p>\n

    \"\"
    Figure 20 Flag to CreateProcess in Suspended Mode<\/figcaption><\/figure>\n

    Final Payload:<\/strong><\/p>\n

    The injected file is the final Payload of Formbook, which has around 1500 methods with random names.<\/p>\n

    This contains 2 different Base64 encoded strings.<\/p>\n

    \"\"
    Figure 21 Encoded String 1 contains CnC information and configuration<\/figcaption><\/figure>\n

    2nd<\/sup> base64 string contains 5 modules which are later loaded in memory and executed.<\/p>\n

    \"\"
    Figure 22 Encoded String 2<\/figcaption><\/figure>\n

    The strings are converted from base64, then reversed and replaced by specified characters and again base64 decoded.<\/p>\n

    \"\"
    Figure 23 Decryption Routine to decrypt CnC details in string 1 and different modules present in string 2<\/figcaption><\/figure>\n

     <\/p>\n

    The resultant data for 1st <\/sup>\u00a0decoded string is CnC servers, mutex name and some configurations.<\/p>\n

    \"\"
    Figure 24 Decoded string 1 data<\/figcaption><\/figure>\n

     <\/p>\n

    It also creates a bat file to check for network connection and again start the process and delete the bat file.<\/p>\n

    \"\"
    Figure 25 Content of Bat file<\/figcaption><\/figure>\n

     <\/p>\n

    After decrypting the data it checks for the mutex if already present it exits. In configuration the value of \u201cAUR\u201d tag is true, it takes 2 running process\u2019s names, from 1 it takes the name of the process, from the other it takes any folder name from the parent directory and copies itself to this location with first\u2019s process name. Along with this, it keeps a file with a name as a hash of process name and some randomly generated garbage data.<\/p>\n

    \"\"
    Figure 26 Copies itself to various locations obtained from running processes path and also obtains the name from the same<\/figcaption><\/figure>\n

     <\/p>\n

    It also schedules tasks for these copied files.<\/p>\n

    \"\"
    Figure 27 \u00a0Creates Schedule task for the copied files<\/figcaption><\/figure>\n

    Next, it loads different modules which it has decoded initially and loads them into memory and invokes different methods.<\/p>\n

    \"\"
    Figure 28 code to Load different modules and call to different methods based on their availability<\/figcaption><\/figure>\n

     <\/p>\n

    Then it tries to steal browser information like cookies, passwords, forms, history, autofill, credit card information also takes screenshots, clipboard data, discord tokens, FileZilla, telegram data, discord tokens, steam data.<\/p>\n

    There was also a module that will compile the code for DCRat at runtime on receiving commands from CnC.<\/p>\n

    \"\"
    Figure 29 Code to compile DCRat code at runtime<\/figcaption><\/figure>\n

     <\/p>\n

    Other different modules present are:<\/p>\n

      \n
    1. AntiAnalysis Module<\/strong><\/li>\n<\/ol>\n

      It has kept all strings in encrypted form under a list of various techniques.<\/p>\n

      \"\"
      Figure 30 Encoded Values for Strings used in anti-analysis module<\/figcaption><\/figure>\n

      Contains various techniques to identify if it\u2019s running under VM or Sandboxing environment if there are any monitoring processes running. Also, a way to identify VM\/Sandboxing is by checking physical Memory.<\/p>\n

      \"\"
      Figure 31 Anti Analysis Module<\/figcaption><\/figure>\n

       <\/p>\n

        \n
      1. USBSpreadDCLIB Module<\/strong><\/li>\n<\/ol>\n

        Contains code to spread to USB drives by creating an autorun.<\/p>\n

        \"\"
        Figure 32 USBSPreadDCLIB module<\/figcaption><\/figure>\n
          \n
        1. MiscellaneousInfoGraber module<\/strong><\/li>\n<\/ol>\n

          Contains code to collect a List of installed software\u2019s, running processes, time zone information, active TCP connections, local network connections available, list of connected USB drives.<\/p>\n

          \"\"
          Figure 33 Collects registry for uninstalling entries<\/figcaption><\/figure>\n

           <\/p>\n

          \"\"
          Figure 34 List of Running processes<\/figcaption><\/figure>\n

           <\/p>\n

          \"\"
          Figure 35 TimeZone information<\/figcaption><\/figure>\n

           <\/p>\n

            \n
          1. FileGrabber module<\/strong><\/li>\n<\/ol>\n

            Collects all the files<\/p>\n

            \"\"
            Figure 36 File Grabber Modules collects files<\/figcaption><\/figure>\n
              \n
            1. BSODProtection Module<\/strong><\/li>\n<\/ol>\n

              At this point, this module is not in a complete state. This shows that it is still under development.<\/p>\n

               <\/p>\n

              Conclusion:<\/strong><\/p>\n

              This seems to be malware that is still being developed. We haven\u2019t received Initial Vector yet, but it appears to be downloaded by a malicious doc\/Xls file, which is spread through emails. Users should avoid opening emails, documents sent by unknown senders and keep the AV updated. We detect all the modules and stages with Trojan. Formbook and Trojan.YakbeexMSIL.ZZ4<\/p>\n

              \u00a0<\/strong><\/p>\n

              MITRE ATT&CK TTPs:<\/strong><\/p>\n\n\n\n\n\n\n\n\n\n
              Virtualization\/Sandbox Evasion: System Checks<\/td>\nT1497.001<\/td>\n<\/tr>\n
              Scheduled Task\/Job<\/td>\nT1053<\/td>\n<\/tr>\n
              Process Injection: Process Hollowing<\/td>\nT1055.012<\/td>\n<\/tr>\n
              Masquerading<\/td>\nT1036<\/td>\n<\/tr>\n
              Credentials from Password Stores<\/td>\nT1555<\/td>\n<\/tr>\n
              Clipboard Data<\/td>\n\u00a0T1115<\/td>\n<\/tr>\n
              Data from Configuration Repository<\/td>\nT1602<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

              IOC:<\/strong><\/p>\n

                \n
              • 1D13A84AA671B75F66F4C7FCE8339619291D4A43 exe<\/li>\n
              • 6C73DC53F1AF57E1B2B404F2E20A9AECBAA80051 dll<\/li>\n
              • DC7CF9544AA5B4928697B4C49C94A60211F025A1 dll<\/li>\n
              • 9577B2B5C4FBA6B2AFA65C5161FCE75F48E75D5D dll<\/li>\n
              • 7E314AE69FC9A613A4A5356556F73E027B540141 dll<\/li>\n
              • 32D97D1729D9A5919CBE1AE76F46BCDB9620153C dll<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

                Quick Heal Security Lab has seen a sudden increase in dotnet samples which are using steganography. Initially, in the static analysis, not much information is available. It resembles some simple application going by the method name. On the dynamic side, some show the activity but another check for sandboxing environment. Apart from this, even on […]<\/p>\n","protected":false},"author":94,"featured_media":90233,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1739,303,1],"tags":[1845,1846,534,1326,49,72,25,40],"class_list":["post-90185","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-phishing","category-uncategorized","tag-formbook","tag-powerpoint","tag-cybersecurity","tag-infostealer","tag-malware","tag-microsoft","tag-phishing","tag-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90185"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/94"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=90185"}],"version-history":[{"count":11,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90185\/revisions"}],"predecessor-version":[{"id":91455,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90185\/revisions\/91455"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90233"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=90185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=90185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=90185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}