
Rewterz Threat Alert – Formbook Harvests Financial Data using Phishing

September 25, 2019

Severity

High

Analysis Summary

Formbook is an information stealer that acts as a form grabber: it harvests credentials, passwords, banking details, keystrokes and network requests by intercepting web browsers and other clients such as email and instant-messaging applications. In a recent campaign, Formbook is embedded in a malicious Microsoft Excel document that is sent to targets by email as part of a phishing attack. A screenshot of the Excel sheet is shown below.

Macros are disabled by default and users are prompted to ‘Enable Content’ upon opening the document.

[Figure: Formbook Excel.png, the malicious Excel document prompting the user to enable content]

When the “Enable Content” button is clicked in Microsoft Excel, a malicious macro executes a PowerShell script that runs in the background as a child process of wmiprvse.exe. The script uses a bitwise XOR to decode the obfuscated payload. It then makes an external request to a compromised WordPress site and downloads a further payload from hxxp://insumoscerveceros.com.co/wp-admin/network/Purchase.exe.

Impact

  • Credential Theft
  • Theft of financial information

Indicators of Compromise

IP(s) / Hostname(s)

69[.]175[.]87[.]74

URLs

  • hxxp[:]//insumoscerveceros[.]com[.]co/wp-admin/network/Purchase
  • hxxp[:]//www[.]insumoscerveceros[.]com[.]co

Malware Hash (MD5/SHA1/SHA256)

  • c0192628600119942584ddcb680d27de
  • bed8975b537f5b9f205263a6dffe9a187290405cec2845e7f59d393d0ecc3bf8
  • 8865779fee523e28918da95a15c88c0f14ffc54d04b32c7a42a1fc2fdff4582d
  • eac39955e9c12314d1bee73e5878d88d

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download email attachments coming from unknown sources.
  • Always scan files before execution.
  • Do not enable macros in documents that do not need them.
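As an added example (not part of the advisory), the following Python triage routine turns the execution chain and indicators described above into a check over process-creation telemetry: it flags PowerShell launched under wmiprvse.exe, a bitwise XOR (-bxor) on the command line, and any refanged indicator from the IoC list. The Sysmon-style events are constructed sample input, and treating excel.exe as a suspicious parent is an assumption beyond what the advisory states.

```python
import re
# Indicators copied (defanged) from the advisory above.
IOC_STRINGS = [
    "hxxp[:]//insumoscerveceros[.]com[.]co/wp-admin/network/Purchase",
    "hxxp[:]//www[.]insumoscerveceros[.]com[.]co",
    "69[.]175[.]87[.]74",
]
# wmiprvse.exe is the parent named in the advisory; excel.exe is an added
# assumption to also catch macros that spawn PowerShell directly.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "excel.exe"}

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) into the form seen in logs."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def triage_event(event: dict) -> list[str]:
    """Return why an event resembles the Formbook chain above (empty = no match)."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    reasons = []
    if image in {"powershell.exe", "pwsh.exe"}:
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"powershell spawned by {parent}")
        if re.search(r"-bxor\b", cmd, re.IGNORECASE):  # XOR payload decoding
            reasons.append("bitwise XOR decoding on the command line")
    for ioc in IOC_STRINGS:
        if refang(ioc).lower() in cmd.lower():
            reasons.append(f"known indicator {ioc}")
    return reasons

# Constructed Sysmon-style events (sample input, not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
EVENTS = [
    {"ParentImage": WMI, "Image": PS, "CommandLine":
     "powershell -w hidden -c \"<constructed obfuscated payload> -bxor 0x2A; "
     "http://insumoscerveceros.com.co/wp-admin/network/Purchase.exe\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Get-ChildItem C:\\Users\\alice\\Documents"},
    # WMI-launched PowerShell also occurs in legitimate remote management,
    # so this one matches on parent alone and needs analyst review.
    {"ParentImage": WMI, "Image": PS,
     "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for n, ev in enumerate(EVENTS, 1):
        print(n, triage_event(ev) or "no match")
```

A single match on the parent process alone is a lead, not a verdict; the first event, which also carries the XOR decoding and a known indicator, is what warrants an immediate block and response.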