Formbook Infostealer Campaigns Continue

Share On Facebook
Share On Twitter
Share On Linkedin

Author: Nathan Toporek

TLP: WHITE

On 30 October, Infoblox observed a malicious email campaign distributing Formbook malware via Roshal Archive (RAR) attachments that contained a malicious binary executable file. Emails in this campaign leveraged a SWIFT invoice lure to persuade victims to open and run the attached files.

Infoblox has observed and reported on several Formbook campaigns in the past.1,2,3,4,5 Some of these campaigns used SWIFT lures to entice victims into opening malicious file attachments, while others used lures like the ongoing COVID-19 pandemic. Threat actors commonly use financial lures and other “urgent” topics such as invoices to convince victims to open files.

Formbook is an infostealer that is sold as a service to threat actors. Its capabilities include process hollowing, clipboard monitoring, keylogging, webform hijacking, screenshotting, downloading additional payloads and communicating with a command and control (C&C) server.

In this campaign, victims received an email urging them to open the attached SWIFT invoice with the subject line Re: Bank Swift TT copy. The file attachment was a RAR file that contained a malicious executable file named Swift TT Copy.exe.

Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.

Endnotes

  1. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Coronavirus Campaigns” April 2020. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–67
  2. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Linked SWIFT-Themed Campaigns Deliver Keyloggers and Infostealers” February 2020. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–58
  3. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Infostealer Campaigns Continue” September 2019. https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–39
  4. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Similar RTF Files Download Lokibot or Formbook” February 2019. http://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–27
  5. Infoblox Cyber Intelligence Unit. “Cyber Campaign Brief: Formbook Information Stealer” January 2019. http://insights.infoblox.com/threat-intelligence-reports/threat-intelligence–24

 

Labels:

Infoblox Threat Intelligence Group

With over 50 years of combined experience, the Infoblox Threat Intelligence Group creates, aggregates and curates information on threats to provide actionable intelligence that is high-quality, timely and reliable. Threat information from Infoblox filters out false positives and gives you the information you need to block the newest threats and to maintain a unified security policy across the entire security infrastructure of your organization.

View All Posts

You might also be interested in

You might also be interested in

×