July 13, 2020
Severity
High
Analysis Summary
FormBook is an information-stealer malware family that has been active since 2016. Its capabilities include stealing credentials, capturing screenshots of the victim's desktop, monitoring the clipboard, keystroke logging, clearing browser cookies, downloading and executing files, uploading and removing bots, launching commands via ShellExecute, downloading and unpacking ZIP archives, and rebooting or shutting down the system. The attackers behind these email campaigns used a variety of distribution techniques to deliver the FormBook info-stealer, including PDF, Office document, ZIP, RAR, ACE and ICO attachments, as well as shortened URLs.
The lure for this particular infection was a malicious Excel spreadsheet. The infection began immediately after macros were enabled. Post-infection traffic was sent to several different domains using recognisable URL patterns. Data stolen by FormBook included a screenshot of the infected lab host, along with keystroke logs, application passwords, sensitive data from the browser cache, and the contents of the clipboard. This data is temporarily stored in a randomly-named folder under the infected user's AppData\Roaming directory. These artifacts are deleted after the data is exfiltrated through FormBook command and control (C2) traffic.
Impact
- Credential theft
- Keystroke logging
- Clearing of browser cookies
- System reboot
- Exposure of sensitive data
Indicators of Compromise
SHA-256
- 148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc
- 9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef
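The following script is an added example of how a defender might sweep a file system for the two SHA-256 indicators listed above; it is not Rewterz tooling. The two hashes are taken from this alert, while the function names and the constructed sample files in the demo are assumptions. Because the alert notes that FormBook stages stolen data in a randomly-named folder under AppData\Roaming, the demo builds a tree of that shape and adds the hash of a constructed file as a test-only indicator so that a match is visible when run offline.

```python
"""Hash-based IOC sweep for the FormBook SHA-256 indicators in this alert.

Added example, not the vendor's tooling. The two indicator hashes come from
the alert; the function names and the demo's sample files are assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators from the alert (lower-case hex).
FORMBOOK_SHA256 = {
    "148a026124126abf74c390c69fbd0bcebce06b600c6a35630cdce29a85a765fc",
    "9ebc903ca6847352aaac87d7f904fe4009c4b7b7acc9b629e5610c0f04dac4ef",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=FORMBOOK_SHA256):
    """Walk `root` and return a sorted list of (path, sha256) for every file
    whose hash is in `iocs`. Hash comparison is case-insensitive; unreadable
    or locked files are skipped rather than aborting the whole sweep."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(p)
            except OSError:
                continue
            if digest in wanted:
                hits.append((p, digest))
    return sorted(hits)


def demo():
    """Constructed demo: a temp tree with one benign file and one file under a
    randomly-named AppData\\Roaming folder (the staging location the alert
    describes). The second file's hash is added as a test-only indicator so a
    match is produced; the real indicators will not match constructed data.
    Returns matched paths relative to the temp root, with forward slashes."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"nothing to see here")
        sample = Path(tmp) / "AppData" / "Roaming" / "x7q2k" / "blob.bin"
        sample.parent.mkdir(parents=True)
        sample.write_bytes(b"constructed sample standing in for a staged artifact")
        iocs = FORMBOOK_SHA256 | {sha256_of_file(sample)}
        return [Path(p).relative_to(tmp).as_posix() for p, _ in sweep(tmp, iocs)]


if __name__ == "__main__":
    print(demo())
```

Run it as `python sweep.py` to see the constructed match; in real use call `sweep(r"C:\Users")` (or the user profile root on the host in question) with the indicator set unchanged. Hash matching only catches the exact samples listed, so treat it as a quick confirmation step rather than a substitute for monitoring the staging and C2 behaviour the alert describes.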
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.