A Fresh Look at an Old Problem
Formbook is a well-known malware family of data stealers and form grabbers. It has been sold as “malware-as-a-service” on hacking forums since early 2016, so anyone so inclined can purchase a subscription and use the Formbook tool. It is usually distributed using malspam containing malicious attachments, and its reach and effects have been global.
Formbook’s use of advanced techniques to tamper with automatic analysis makes it an ongoing, recurrent threat that warrants a second look. In this Malware Analysis Spotlight, we investigate a recent Formbook sample.
View the VMRay Analyzer Report for Formbook (September 2020)
Analysis of Formbook
We start our analysis by looking at the evasion techniques, moving forward to the injection schema and concluding with Formbook’s data-stealing behavior.
Evasion Techniques
Formbook uses multiple techniques to evade automatic analysis and debugging (Figure 1). Combined with an evasive packer, it has fairly comprehensive methods at its disposal. We can observe that the packer detects attached debuggers using CheckRemoteDebuggerPresent and IsDebuggerPresent function calls. It also tries to detect VirtualBox and VMware. If the checks pass, the actual payload is extracted. Otherwise, the execution stops and the process exits before the explorer.exe injection.
The payload detects user mode and kernel mode debuggers by using the NtQuerySystemInformation function with SYSTEM_INFORMATION_CLASS ProcessDebugPort (0x7) and SystemKernelDebuggerInformation (0x23) respectively (Figure 1).
Analysts often rename samples to their hash values, and such a hash is usually 32 characters or longer. Another evasion used by Formbook is verifying that the length of the sample’s name is less than 32 characters (Figure 2).
VMRay Analyzer is able to detect if a hash is used instead of a name and gives the user the ability to generate a random name instead (Figure 3).
To circumvent the behavior monitoring of sandboxes that relies on hooking, Formbook uses a technique its author(s) referred to as the Lagos Island method. These sandboxes typically establish hooks on functions exported by the native DLL (ntdll.dll) to intercept the control flow and log the behavior.
Instead of using API functions exported by an already loaded ntdll, which can contain hooks, a new copy is manually mapped from the filesystem and its functions are used.
Injection Schema
Formbook uses a process started from a Windows built-in tool to hide itself. We notice the usual pattern it uses to achieve the migration (Figure 4.1). First, process #6 injects a section into explorer.exe using a combination of the functions NtOpenProcess, NtCreateSection and NtMapViewOfSection (Figure 5).
Subsequently, the injected code is executed by hijacking the main thread of process #7, explorer.exe. This injected code starts execution by creating a new process of C:\Windows\SysWOW64\netsh.exe, which is a Windows tool. After finishing, process #6 uses the same injection method as with process #7, explorer.exe, to map itself and migrate into process #8, netsh.exe (Figure 4.2).
Therefore, the final stage of Formbook is process #8.
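The two-hop migration described above (section mapped into explorer.exe, explorer.exe spawns netsh.exe, same injector maps into netsh.exe) can be matched as a sequence over API-call telemetry. The following Python is an added example, not code from VMRay or the original page; the normalized event format, its field names and the find_injection_chains helper are hypothetical, and the events are constructed to mirror processes #6, #7 and #8.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical normalized sandbox/EDR format
# (process handles already resolved to pids). Pids 6, 7, 8 mirror the text.
EVENTS = [
    {"pid": 6, "api": "NtCreateSection"},
    {"pid": 6, "api": "NtOpenProcess", "target": 7},
    {"pid": 6, "api": "NtMapViewOfSection", "target": 7},
    {"pid": 7, "api": "CreateProcess", "child": 8,
     "image": r"C:\Windows\SysWOW64\netsh.exe"},
    {"pid": 6, "api": "NtOpenProcess", "target": 8},
    {"pid": 6, "api": "NtCreateSection"},
    {"pid": 6, "api": "NtMapViewOfSection", "target": 8},
    # Benign noise: a process mapping a section into itself.
    {"pid": 9, "api": "NtCreateSection"},
    {"pid": 9, "api": "NtMapViewOfSection", "target": 9},
]

def find_injection_chains(events):
    """Return (injector, first_target, child, child_image) per two-hop chain."""
    has_section = set()           # pids that have created a section
    opened = defaultdict(set)     # injector pid -> pids it opened a handle to
    injected = defaultdict(set)   # injector pid -> pids it mapped a section into
    spawned = {}                  # child pid -> (parent pid, image path)
    chains = []
    for ev in events:
        pid, api, target = ev["pid"], ev["api"], ev.get("target")
        if api == "NtCreateSection":
            has_section.add(pid)
        elif api == "NtOpenProcess":
            opened[pid].add(target)
        elif api == "CreateProcess":
            spawned[ev["child"]] = (pid, ev["image"])
        elif api == "NtMapViewOfSection":
            # Only remote mappings preceded by a section and a process handle count.
            if target == pid or pid not in has_section or target not in opened[pid]:
                continue
            injected[pid].add(target)
            parent, image = spawned.get(target, (None, None))
            # Second hop: the target was spawned by a process this injector already hit.
            if parent in injected[pid]:
                chains.append((pid, parent, target, image))
    return chains
```

The rule keys on the relationship between the three processes rather than on image names, so it does not depend on netsh.exe being the spawned tool.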
Keylogger & Stealing
Formbook intercepts the Windows Messaging System by hooking API functions in the injected processes, which allows it to monitor keystrokes (Figure 6).
Formbook takes a desktop screenshot and harvests credentials stored on the system from multiple applications (Figure 7):
Those are then written to separate log files in a sub-directory of %appData%. To steal the credentials of browsers, Formbook makes a copy of the database and uses winsqlite3 to extract stored information.
Conclusion
As one can see, Formbook uses a variety of evasive maneuvers to avoid detection. This sample is also equipped with a packer that has its own artificial environment detection capabilities to extend the overall feature set.
However, the injection schema in this sample is well understood and analyzed using VMRay Analyzer. When Formbook’s evasion methods don’t detect the environment (Analyzer is invisible to most forms of malware), its data-stealing capabilities become immediately visible to observers.
Sample: 72cca77c38132f30a09c57d24815d52ec3d5bb48c19415f52b7a38190b92d17f