Recent Formbook Coronavirus Campaigns

Share On Facebook
Share On Twitter
Share On Linkedin

Our desire for timely information on Coronavirus helps propel malevolent social engineering to success around this theme. From 24 March through 2 April, Infoblox observed several malicious spam (malspam) campaigns delivering Formbook malware. The campaigns are loosely connected by a Coronavirus or COVID-19-related theme in their subject lines or file attachment names.

Formbook is an information stealer (infostealer) that is sold as a service to threat actors. Its capabilities include process hollowing, clipboard monitoring, keylogging, webform hijacking, screenshotting, downloading additional payloads, and communicating with a command and control (C2) server.

All of the campaigns we observed used a Coronavirus theme, or were related to a campaign that did. One of the campaigns spoofed a message from the World Health Organization (WHO), alleging to provide a safety instruction manual. A second urged the recipient to provide a price quote on surgical masks for COVID-19. The final set of campaigns had shipping themes, some related to vessel delays due to the Coronavirus crisis.

Malspam subject lines:

  • H.O: URGENT CORONA VIRUS  INSTRUCTION
  • URGENT RFQ FOR Medical- Surgical Mask – ordinary face mask plz is urgent regards (COVID19)
  • VESSEL DELAY LETTER-COVID-19
  • RE: SHIPMENT VESSEL DELAY LETTER – (Coronavirus Crisis Lock down)
  • M/T SUN SHINE  / V-G2006 / DUE CHINA OR TANGJUNG PELEPAS, MALAYSIA FOR LOADING – AGENT APPOINTMENT
  • RE: M/T ITHA BHUM  / V.309S / DUE KOREA OR TANGJUNG PELEPAS, INDONESIA FOR LOADING – AGENT APPOINTMENT
  • MT RADIANT PRIDE – REQ. NO. RAPRI-V20-200669
  • M/V A RACER // REQ, ARC 052/20
  • SEA PALACE V.05/2020 ^.+Singapore_Cigading.+$
  • re:ship doc
  • R21 CUTUP FACTORY COST SHEET – QPS

Malspam attachment file names:

  • H.O URGENT CORONA VIRUS  INSTRUCTIONS.zip
  • RFQ-QUOTAION-31-03-2020.rar
  • VESSEL DELAY LETTER.docx
  • VSL DELAY LETTER 31-03-2020.docx
  • VSL DELAY LETTER 01-04-20.docx
  • ARC 052.20.docx
  • MT SUN SHINE (V-G2006)-Q88.docx

Infoblox’s full report on these campaigns will be available soon on our Threat Intelligence Reports page.

Labels:

Infoblox Threat Intel

Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access give us a backstage pass to the internet's inner workings. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get the benefits of it, along with ridiculously low false positive rates.

View All Posts

You might also be interested in

You might also be interested in

×