Rewterz Threat Alert – FormBook Malware – Active IOCs

Severity

Medium

Analysis Summary

FormBook is an infostealer malware that was first identified in 2016. It tracks and monitors keystrokes, finds and accesses files, takes screenshots, harvests passwords from various browsers, drops files, and downloads, and executes stealthier malware in response to orders from a command-and-control server (C2). 

Formbook is known for its versatility, as it can be customized to target specific systems or applications. It is also designed to evade detection by security software, using techniques such as code obfuscation and encryption.

It disguises its original payload and injects itself into legitimate processes to avoid detection and complicate the removal process. The cybercriminals behind these email campaigns used a variety of distribution techniques to deliver this malware, including PDFs, Office Documents, ZIP, RAR, etc. This malware was used by cyber threat actors to attack Ukrainian targets in 2022 during the conflict between Russia and Ukraine. Currently, it is believed that the virus known as XLoader is Formbook’s successor.

To protect against Formbook and other malware, it is important to keep software up-to-date, use strong passwords, and be cautious when downloading software or opening email attachments. Antivirus and anti-malware software can also help detect and remove Formbook infections.

Impact

• Credential Theft
• Data Theft
• Keystroke Logging

Indicators of Compromise

MD5

• 14ad1bd74a92b15cb43d69698a44f48f
• 7efeff7e5f25b22273eab9e0dbb54171
• 07d88b39efd596674939bdcb015965ac
• 5bd5428d85868bdcdde85376b59f6bcc
• accc0f01ddef889541b6dd8ba26983d1
• 0657dda4137717c2dc9c4da12cea6b0e
• 70eaa6ae1ecad9b014dc74c309cd7375

SHA-256

• b8f118372fddf19c9ec290fb43e0c3f8154f45c1d8ec9c119ebd0c8d83b606f0
• 8371116d95aa209dd33ab56ef48b991b23c0882d04efe59bee73039077565197
• 793fd72de26ca82fbb56a14449a994058f34b4dc3fa1e7562ad32e5b405d3659
• 4dce4459e53e569a20c892efadb0424a4698bf5f67d16e7b73668dc2e172663e
• 00cfe203d12d732e66ba6f2bfbd6b7dff900b2c7b90cba95a435f9f78adafeca
• dee9f9c3981971bad83e2d8e0735f699a74dfb1be01da7a7bf8b7dd584a731dc
• 787749eb7f58d153e79642ec221d253fc05da6fe31db65e423f14d02ab4d87e5

SHA-1

• 28da0201f1982232e1ab2f81ed2909a302902201
• c7d70a0a745a0618b00eb4ffe6f15a0e32beb87f
• cb003424683e922dcd18ea8dc3fe6db72fd5e694
• 4bb3b3e12d29742722c9d56b76140b32f6089352
• 11e06be084a9cacc3b2efd6dccfe2150157efd54
• 56271588e5b2c41c888997cb03ad4fc505f60c1e
• b33e152dce0ff8edce7b8a3b846b4ab5d554f2ea

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.