First posted on 18 March 2021.
There are no other names known for FormBook.
FormBook, a browser form-stealer and keylogger, has been under active development since it popped up on hacking forums in 2016.
Recently, researchers discovered the malware carrying a new dropper that, they said, gives it better persistence on systems and obfuscation to avoid detection, according to Cyberbit research shared with Threatpost.
For FormBook malware, the initial infection process is typically an email campaign carrying a malicious PDF, DOC or XLS attachment. After the victim clicks on the attachment, FormBook's dropper typically loads the malware immediately.
However, unlike other samples, the new dropper does not merely unpack the malware; instead it installs a file that creates two post-infection processes: a Microsoft HTML Application Host (mshta.exe) and a second dropper (Rhododendrons8.exe).
This suggests that the malware authors are looking to achieve further persistence and obfuscation on systems, according to researchers.
Mshta.exe is used to execute HTML application files and run Visual Basic Scripts. The purpose of the script it runs here is extra persistence: it adds an obfuscated copy of the malware to the registry autorun key, so the malware executes as soon as Windows starts.
The mshta.exe script also uses simple obfuscation: for instance, instead of writing 'CreateObject', it writes 'CrXXteObject' and later replaces 'XX' with 'ea'. This is done to prevent signature-based tools from detecting the call in the script.
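The split-string trick above defeats a signature that looks for the literal 'CreateObject' in the script text. The following detection-side normaliser is an added example, not code from the FormBook sample or from the Cyberbit/Threatpost research: it assumes the script is VBScript run through mshta.exe and that the obfuscation is expressed as VBScript Replace(...) calls on string literals, folds those calls back to the literal they produce, and only then matches indicators for object instantiation and writes to the Run autorun key. The sample script lines are constructed for the example.

```python
"""Detection-side normaliser for Replace()-style string splitting in VBScript.
Added example, not code from the FormBook sample or from Cyberbit/Threatpost.
Assumptions: VBScript executed via mshta.exe, obfuscation expressed as
Replace("CrXXteObject", "XX", "ea")-style calls on string literals.
All script lines below are constructed for the example."""
import re
from typing import Dict, List

# Matches Replace("text", "old", "new") with three plain string-literal arguments.
REPLACE_CALL = re.compile(
    r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.IGNORECASE
)

# Behaviours the write-up attributes to the mshta script, as simple signatures.
INDICATORS: Dict[str, re.Pattern] = {
    "create_object": re.compile(r"\bCreateObject\b", re.IGNORECASE),
    "wscript_shell": re.compile(r"WScript\.Shell", re.IGNORECASE),
    "run_key_write": re.compile(
        r'RegWrite\s+"HK(?:CU|LM)\\[^"]*\\CurrentVersion\\Run\\', re.IGNORECASE
    ),
}

# Constructed sample resembling the described obfuscation; NOT the real dropper script.
SAMPLE_SCRIPT: List[str] = [
    "' constructed sample for the example, not the FormBook script",
    'Execute("Set sh = " & Replace("CrXXteObject", "XX", "ea") & "(""WScript.Shell"")")',
    'sh.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", '
    '"C:\\Users\\Public\\payload.exe", "REG_SZ"',
    'WScript.Echo "done"',
]


def deobfuscate_line(line: str) -> str:
    """Fold Replace("CrXXteObject", "XX", "ea")-style calls into the literal they
    produce. Loops until stable so chained or nested calls are folded too."""
    previous = None
    while previous != line:
        previous = line
        line = REPLACE_CALL.sub(
            lambda m: '"' + m.group(1).replace(m.group(2), m.group(3)) + '"', line
        )
    return line


def scan_script(lines: List[str], normalise: bool = True) -> List[dict]:
    """Return one hit record per line that matches an indicator.
    With normalise=False the raw text is matched, which is what a naive
    signature-based tool would see."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        text = deobfuscate_line(raw) if normalise else raw
        matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if matched:
            hits.append({"line": number, "indicators": matched, "text": text})
    return hits


if __name__ == "__main__":
    for hit in scan_script(SAMPLE_SCRIPT):
        print(hit["line"], hit["indicators"], hit["text"])
```

Run against the constructed sample, the raw-text scan sees only 'WScript.Shell' on line 2, while the normalised scan also flags 'CreateObject' there; the Run-key write on line 3 is caught either way because the registry path is not obfuscated in this sample.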
The second process is another dropper (Rhododendrons8.exe), which unpacks the FormBook payload. That payload is encrypted within the code section of Rhododendrons8.exe and is decrypted using two algorithms: the first is proprietary, the second is RC4 (a symmetric stream cipher) with a 256-byte key.
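For an analyst holding a carved blob and a recovered key, removing the RC4 layer is routine. The code below is an added example, not code from the FormBook sample or from Cyberbit: it implements RC4 (key scheduling and keystream generation) for a key of up to 256 bytes, then checks that the output is PE-shaped, which is how a wrong key or a still-present earlier layer shows up. The proprietary first algorithm is not described on the page and is therefore not implemented; the key and the stand-in payload are constructed for the example.

```python
"""Analyst-side RC4 layer removal for a blob carved from a dropper.
Added example, not code from the FormBook sample or from Cyberbit.
Assumptions: the blob has already been extracted from the code section and the
page's unnamed proprietary first stage has already been undone (it is not
described, so it is not implemented). Key and 'payload' are constructed."""
import hashlib
import struct


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling: permute S using a key of 1..256 bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 PRGA: XOR data with the keystream. Encrypt and decrypt are the same op."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check that a buffer is a PE image: 'MZ' at offset 0 and
    e_lfanew (offset 0x3C) pointing at a 'PE\\0\\0' signature inside the buffer."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def unpack_second_layer(blob: bytes, key: bytes) -> bytes:
    """Strip the RC4 layer and refuse output that is not PE-shaped, so a wrong
    key or a remaining earlier layer is reported instead of silently accepted."""
    candidate = rc4_crypt(key, blob)
    if not looks_like_pe(candidate):
        raise ValueError("RC4 output is not a PE image: wrong key or another layer remains")
    return candidate


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for an unpacked payload: minimal DOS header with
    e_lfanew = 0x40, followed by the PE signature and filler bytes."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + b"\xCC" * 60


# Constructed 256-byte key (the page says 256 bytes); deliberately NOT a real key.
CONSTRUCTED_KEY = hashlib.sha256(b"example-key-material-not-real").digest() * 8
PLAINTEXT = build_fake_pe_stub()
ENCRYPTED_BLOB = rc4_crypt(CONSTRUCTED_KEY, PLAINTEXT)  # what the code section would hold


def rc4_known_answer() -> str:
    """Public RC4 test vector: key 'Key', plaintext 'Plaintext' -> bbf316e8d940af0ad3."""
    return rc4_crypt(b"Key", b"Plaintext").hex()


if __name__ == "__main__":
    print("RC4 self-test:", rc4_known_answer())
    print("unpacked starts with:", unpack_second_layer(ENCRYPTED_BLOB, CONSTRUCTED_KEY)[:2])
```

The PE-shape check is deliberately weak (magic bytes and e_lfanew only); it is a guard against a wrong key, not a parser, and a real workflow would hand the result to a PE library or a sandbox next.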
Once unpacked, the final, non-encrypted and non-obfuscated FormBook data-stealing payload never resides on disk, only in memory, which makes detection much more difficult.
Last update 18 March 2021