Last Updated: 2017-10-03 02:18:32 UTC
by Brad Duncan (Version: 1)
On Monday 2017-10-02, I ran across malicious spam (malspam) pushing Formbook, an information stealer. Arbor Networks has a good article about Formbook here. Today's diary examines the associated email, traffic, malware, and infected Windows host.
The email is disguised as a FedEx delivery notice. It has a link to a compromised website that's hosting malware. The link points to a supposed document for this fake delivery.
Clicking on the link returned a RAR archive. The RAR archive contains a Windows executable that's poorly disguised as some sort of receipt.
The malware was downloaded through an HTTPS link, so Wireshark only reveals the domain for that request. All post-infection traffic was HTTP, and it followed patterns already noted in Arbor Networks' write-up on Formbook. I saw plenty of alerts on the post-infection traffic. The Snort subscriber ruleset triggered on user-agent strings in the post-infection traffic, but those alerts labeled the activity as Win.Trojan.Punkey. Punkey is Point of Sale (POS) malware, and it's not associated with Formbook traffic. One alert from the EmergingThreats Pro ruleset identified several of the post-infection HTTP requests as Formbook check-in traffic.
Forensics on the infected host
On the infected Windows host, the malware copied itself to the user's AppData\Roaming directory as winz6j8.bat and made itself persistent through the Windows registry. Also under the user's AppData\Roaming directory was a randomly-named folder containing the information the malware sent out through HTTP POST requests. These files included screenshots of the Windows desktop. They also stored other sensitive data.
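The persistence described above (a script dropped under AppData\Roaming and referenced from a registry autorun location) is easy to triage from a registry export. The following is an added example, not code from the diary: it parses a constructed `reg export` text excerpt and flags autorun values whose command launches a file from AppData\Roaming or with a script-style extension. The diary does not name the registry key the malware used, so the HKCU Run key and the username `analyst` are assumptions; the file name winz6j8.bat is the one from the diary.

```python
"""Triage Windows autorun registry values for the AppData\\Roaming persistence pattern.

Added example. SAMPLE_REG_EXPORT is a constructed excerpt of a .reg export; the
HKCU ...\\Run key is assumed as the persistence location (the diary names none).
"""
import re

# Constructed .reg excerpt (REG_SZ values only). In .reg syntax, backslashes and
# double quotes inside string data are escaped with a backslash.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"winz6j8"="\"C:\\Users\\analyst\\AppData\\Roaming\\winz6j8.bat\""
"Updater"="cmd.exe /c start \"\" \"C:\\Users\\analyst\\AppData\\Roaming\\qkxw\\loader.exe\""
'''

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+')          # first quoted/unquoted Windows path
ROAMING_RE = re.compile(r'\\AppData\\Roaming\\', re.IGNORECASE)
SCRIPT_EXTS = ('.bat', '.cmd', '.vbs', '.js', '.ps1', '.scr')


def unescape_reg(data):
    """Undo .reg string escaping: '\\\\' -> '\\' and '\\"' -> '\"'."""
    out, i = [], 0
    while i < len(data):
        if data[i] == '\\' and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return ''.join(out)


def parse_run_values(reg_text):
    """Yield (key, value_name, command) for every REG_SZ value under each [key] block."""
    key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group('name'), unescape_reg(m.group('data'))


def triage_autoruns(reg_text):
    """Return a list of findings for autorun values worth an analyst's attention.

    A value is flagged when any path in its command sits under AppData\\Roaming
    (where the diary's sample dropped winz6j8.bat) or ends in a script-style
    extension. Paths containing a double quote are not handled; that is enough
    for a triage pass over exported Run keys.
    """
    findings = []
    for key, name, command in parse_run_values(reg_text):
        for path in PATH_RE.findall(command):
            reasons = []
            if ROAMING_RE.search(path):
                reasons.append('launches from AppData\\Roaming')
            if path.lower().endswith(SCRIPT_EXTS):
                reasons.append('script-style extension')
            if reasons:
                findings.append({'key': key, 'value': name, 'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage_autoruns(SAMPLE_REG_EXPORT):
        print(f['value'], '->', f['path'], '|', '; '.join(f['reasons']))
```

On the constructed sample, the OneDrive entry (AppData\Local, .exe) is not flagged, the winz6j8 entry is flagged for both reasons, and the loader under a randomly-named Roaming folder is flagged for its location alone. Run the same logic over `reg export` output from HKLM's Run and RunOnce keys as well; the diary only establishes that the registry was used, not which key.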
The following are indicators seen during the infection from Formbook malspam on Monday 2017-10-02.
- Date/Time: 2017-11-02 at 14:23 UTC
- Subject: Re: Alert: FedEx OFFICE Delivery® ... 17-10-02, at 07:22:11 AM BA
- From: "DOCUMENT2017" <email@example.com>
- Link from the email: hxxps://superiorleather.co.uk/Receipt.r22
Traffic seen when retrieving the RAR archive:
- 18.104.22.168 port 443 - superiorleather.co.uk - GET /Receipt.r22
Post-infection traffic:
- 22.214.171.124 port 80 - www.shucancan.com - GET /ch/?id=[80 character ID string]
- 126.96.36.199 port 80 - www.ias39.com - GET /ch/?id=[80 character ID string]
- 188.8.131.52 port 80 - www.fairwaytablet.com - GET /ch/?id=[80 character ID string]
- 184.108.40.206 port 80 - www.chunsujiayuan.com - GET /ch/?id=[80 character ID string]
- 220.127.116.11 port 80 - www.ebjouv.info - GET /ch/?id=[80 character ID string]
- 18.104.22.168 port 80 - www.dailyredherald.com - GET /ch/?id=[80 character ID string]
- 22.214.171.124 port 80 - www.beykozevdenevenakliyatci.com - GET /ch/?id=[80 character ID string]
- 126.96.36.199 port 80 - www.238thrift.com - GET /ch/?id=[80 character ID string]
- 188.8.131.52 port 80 - www.et551.com - GET /ch/?id=[80 character ID string]
- 184.108.40.206 port 80 - www.lesjardinsdemilady.com - GET /ch/?id=[80 character ID string]
- 220.127.116.11 port 80 - www.prfitvxnfe.info - GET /ch/?id=[80 character ID string]
- 18.104.22.168 port 80 - www.craigjrspestservice.com - GET /ch/?id=[80 character ID string]
- 22.214.171.124 port 80 - www.238thrift.com - POST /ch/
- 126.96.36.199 port 80 - www.prfitvxnfe.info - POST /ch/
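The post-infection traffic above has a structure that is more robust to detect than a user-agent string (which is what the Snort ruleset keyed on, and mislabeled): one host issuing GET /ch/?id=[80 character ID string] to many unrelated domains, followed by POST /ch/ to some of them. The following is an added example, not code from the diary or from any ruleset: it runs that check over constructed proxy log lines in a simple `timestamp src_ip method host uri` format. The domains are taken from the indicator list; the source IPs, timestamps, the ID string alphabet and the placeholder ID are constructed.

```python
"""Flag hosts whose HTTP requests match the Formbook-style check-in pattern from the diary.

Added example. Log format (constructed): "<timestamp> <src_ip> <method> <host> <uri>".
The 80-character ID value and its alphabet are placeholders; the diary gives the length only.
"""
import re
from collections import defaultdict

FAKE_ID = 'Q' * 80   # constructed stand-in for the 80-character ID string

# Constructed proxy log. Domains come from the diary's indicator list; 10.0.0.40 is a
# benign host that hits a similar-looking URI once, to show the length check matters.
SAMPLE_LOG = '\n'.join([
    f'2017-10-02T14:31:02Z 10.0.0.25 GET www.shucancan.com /ch/?id={FAKE_ID}',
    f'2017-10-02T14:31:07Z 10.0.0.25 GET www.ias39.com /ch/?id={FAKE_ID}',
    f'2017-10-02T14:31:12Z 10.0.0.25 GET www.fairwaytablet.com /ch/?id={FAKE_ID}',
    f'2017-10-02T14:31:18Z 10.0.0.25 GET www.238thrift.com /ch/?id={FAKE_ID}',
    '2017-10-02T14:31:20Z 10.0.0.25 POST www.238thrift.com /ch/',
    '2017-10-02T14:31:25Z 10.0.0.40 GET www.example.com /ch/?id=short',
    '2017-10-02T14:31:30Z 10.0.0.40 GET www.example.com /index.html',
])

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+)$')
CHECKIN_RE = re.compile(r'^/ch/\?id=[^\s&]{80}$')   # exactly 80 chars, no further parameters
EXFIL_RE = re.compile(r'^/ch/?$')                   # the POST target seen after check-in


def parse_line(line):
    """Return a dict for a well-formed log line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_checkin_sources(log_text, min_distinct_hosts=3):
    """Return {src_ip: {'checkin_hosts': [...], 'post_hosts': [...]}} for every source
    that issued the check-in GET to at least min_distinct_hosts distinct domains.

    Requiring several distinct domains for the same URI shape is what separates this
    pattern from a single odd-looking request to one site.
    """
    per_src = defaultdict(lambda: {'checkin_hosts': set(), 'post_hosts': set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['method'] == 'GET' and CHECKIN_RE.match(rec['uri']):
            per_src[rec['src']]['checkin_hosts'].add(rec['host'])
        elif rec['method'] == 'POST' and EXFIL_RE.match(rec['uri']):
            per_src[rec['src']]['post_hosts'].add(rec['host'])
    return {
        src: {'checkin_hosts': sorted(d['checkin_hosts']), 'post_hosts': sorted(d['post_hosts'])}
        for src, d in per_src.items()
        if len(d['checkin_hosts']) >= min_distinct_hosts
    }


if __name__ == '__main__':
    for src, info in find_checkin_sources(SAMPLE_LOG).items():
        print(src, 'check-in domains:', len(info['checkin_hosts']),
              'POST domains:', info['post_hosts'])
```

The threshold of three distinct domains is a starting point, not a tuned value; in the diary's capture the infected host contacted a dozen domains with the same URI shape within the session, so a higher threshold still fires while cutting noise from a single coincidental match.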
Associated files:
- File name: Receipt.r22
- File description: RAR archive downloaded from link in the email
- File name: Receipt.exe
- File description: malware extracted from RAR archive - Formbook info stealer
- Post-infection location: C:\Users\[username]\AppData\Roaming\winz6j8.bat
I see more malspam on a daily basis than I did this time last year. Much of it is from fairly well-documented, near-daily campaigns like the Necurs Botnet pushing Locky ransomware or Hancitor malspam. But I'm always happy to examine something relatively less common like the Formbook information stealer.
As always, system administrators and the technically inclined can easily follow best security practices on their Windows computers. It's relatively easy to avoid these types of infections. Well-known techniques like Software Restriction Policies (SRP) or AppLocker can prevent most malspam-based activity.
A copy of the email, traffic, and associated malware for today's diary can be found here.
brad [at] malware-traffic-analysis.net