Rewterz Threat Alert – Formbook Harvests Financial Data using Phishing

Severity

High

Analysis Summary

Formbook is an information stealer acting as a form grabber which harvests credentials, passwords, banking details, key strokes and network requests, by intercepting web browser and other clients such as email and IM. Formbook is used in a recent campaign embedded in a malicious Microsoft Excel document which is sent to targets via emails as part of a phishing attack. Attached below is a screenshot of the Excel sheet.

Macros are disabled by default and users are prompted to ‘Enable Content’ upon opening the document.

When “Enable Content” button is clicked within Microsoft Excel, a malicious macro executes a PowerShell script which runs in the background as a child process to wmiprvse.exe. The script uses a bitwise XOR to decode and convert the obfuscated payload. It then makes an external request to an infected WordPress site, and downloads a further payload from hxxp://insumoscerveceros.com.co/wp-admin/network/Purchase.exe.

Impact

• Credential Theft
• Theft of financial information

Indicators of Compromise

IP(s) / Hostname(s)

69[.]175[.]87[.]74

URLs

• hxxp[:]//insumoscerveceros[.]com[.]co/wp-admin/network/Purchase
• hxxp[:]//www[.]insumoscerveceros[.]com[.]co

Malware Hash (MD5/SHA1/SH256)

• c0192628600119942584ddcb680d27de
• bed8975b537f5b9f205263a6dffe9a187290405cec2845e7f59d393d0ecc3bf8
• 8865779fee523e28918da95a15c88c0f14ffc54d04b32c7a42a1fc2fdff4582d
• eac39955e9c12314d1bee73e5878d88d

Remediation

• Block the threat indicators at their respective controls.
• Do not download email attachments coming from unknown sources.
• Always scan files before execution.
• Do not enable macros for irrelevant and unnecessary document files.