Author: Nathan Toporek
On 30 October, Infoblox observed a malicious email campaign distributing Formbook malware via Roshal Archive (RAR) attachments that contained a malicious binary executable file. Emails in this campaign leveraged a SWIFT invoice lure to persuade victims to open and run the attached files.
Infoblox has observed and reported on several Formbook campaigns in the past.1,2,3,4,5 Some of these campaigns used SWIFT lures to entice victims into opening malicious file attachments, while others used lures like the ongoing COVID-19 pandemic. Threat actors commonly use financial lures and other “urgent” topics such as invoices to convince victims to open files.
Formbook is an infostealer that is sold as a service to threat actors. Its capabilities include process hollowing, clipboard monitoring, keylogging, webform hijacking, screenshotting, downloading additional payloads and communicating with a command and control (C&C) server.
In this campaign, victims received an email urging them to open the attached SWIFT invoice with the subject line Re: Bank Swift TT copy. The file attachment was a RAR file that contained a malicious executable file named Swift TT Copy.exe.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
- Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Coronavirus Campaigns” April 2020. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–67
- Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Linked SWIFT-Themed Campaigns Deliver Keyloggers and Infostealers” February 2020. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–58
- Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Infostealer Campaigns Continue” September 2019. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–39
- Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Similar RTF Files Download Lokibot or Formbook” February 2019. http://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–27
- Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Information Stealer” January 2019. http://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–24