Author: Nathan Toporek
TLP: WHITE
On 30 October, Infoblox observed a malicious email campaign distributing Formbook malware via Roshal Archive (RAR) attachments that contained a malicious binary executable file. Emails in this campaign leveraged a SWIFT invoice lure to persuade victims to open and run the attached files.
Infoblox has observed and reported on several Formbook campaigns in the past [1–5]. Some of these campaigns used SWIFT lures to entice victims into opening malicious file attachments, while others used lures like the ongoing COVID-19 pandemic. Threat actors commonly use financial lures and other “urgent” topics such as invoices to convince victims to open files.
Formbook is an infostealer that is sold as a service to threat actors. Its capabilities include process hollowing, clipboard monitoring, keylogging, webform hijacking, screenshotting, downloading additional payloads and communicating with a command and control (C&C) server.
In this campaign, victims received an email with the subject line “Re: Bank Swift TT copy” urging them to open the attached SWIFT invoice. The attachment was a RAR file that contained a malicious executable named “Swift TT Copy.exe”.
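The delivery pattern described above (a financial lure in the subject line plus a RAR attachment wrapping an executable) can be triaged at the mail gateway before anyone opens the archive. The following is an added example written for this brief, not Infoblox tooling: it parses a raw email with the Python standard library, identifies RAR attachments by their format signature rather than by file extension, and combines that with lure keywords from the subject to produce a verdict. The sample message, the keyword list and the attachment name “Swift TT Copy.rar” are constructed for the example (the report names only the inner executable, not the archive); the attachment body is just the RAR signature followed by padding, not a real archive.

```python
"""Heuristic triage of an email for the RAR-wrapped-executable lure pattern.

Added example for this campaign brief; not Infoblox code.
"""
import email
from email import policy
from email.message import EmailMessage

# Public format signatures for RAR 4.x and RAR 5 archives.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# Constructed keyword list; "swift" and "tt copy" come from the subject line
# seen in this campaign, the rest are common financial-lure terms.
LURE_KEYWORDS = ("swift", "invoice", "tt copy", "payment")


def is_rar(data: bytes) -> bool:
    """True if the bytes start with a RAR archive signature."""
    return any(data.startswith(sig) for sig in RAR_SIGNATURES)


def triage(raw_eml: bytes) -> dict:
    """Return lure hits, RAR attachment findings and an overall verdict.

    Verdict rules: both a lure subject and a RAR attachment -> "suspicious";
    only one of the two -> "review"; neither -> "clean".
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    lure_hits = [k for k in LURE_KEYWORDS if k in subject.lower()]

    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if is_rar(payload):
            # Trust the magic bytes, not the extension the sender chose.
            findings.append({"attachment": name, "reason": "RAR archive by signature"})
        elif name.lower().endswith(".rar"):
            findings.append({"attachment": name, "reason": ".rar name but no RAR signature"})

    if lure_hits and findings:
        verdict = "suspicious"
    elif lure_hits or findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"subject": subject, "lure_hits": lure_hits, "findings": findings, "verdict": verdict}


def build_sample(with_rar: bool = True) -> bytes:
    """Construct a sample message mirroring the campaign's lure (constructed data)."""
    m = EmailMessage()
    m["From"] = "accounts@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Re: Bank Swift TT copy"
    m.set_content("Please find attached the SWIFT copy for your payment.")
    if with_rar:
        # Constructed: signature plus padding, not a real archive.
        fake_rar = RAR_SIGNATURES[0] + b"\x00" * 32
        m.add_attachment(fake_rar, maintype="application",
                         subtype="x-rar-compressed", filename="Swift TT Copy.rar")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_sample(with_rar=False)))
```

Checking the signature instead of the extension matters because a renamed archive still opens in WinRAR. A natural extension, not shown here, is to open flagged archives with a RAR library and inspect the member names for executables such as the “Swift TT Copy.exe” named in this report.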
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Coronavirus Campaigns.” April 2020. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–67
2. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Linked SWIFT-Themed Campaigns Deliver Keyloggers and Infostealers.” February 2020. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–58
3. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Infostealer Campaigns Continue.” September 2019. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–39
4. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Similar RTF Files Download Lokibot or Formbook.” February 2019. http://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–27
5. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Information Stealer.” January 2019. http://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–24