Security researchers from Arbornetworks and FireEye identified a Sophisticated Malware(FormBook malware) campaigns targetting Aerospace, Defense Contractor, and Manufacturing sectors around U.S. and South Korea
The Malware is highly Sophisticated and injects itself in various process memory and can record keystrokes, Clipboard Contents and HTTP Sessions. Also, it responds to commands from C&C like System reboot, download and installs applications.
Also Read Can Instagram Be Hacked Or A Hoax?
FormBook malware distributed through variety of Email campaigns
- PDFs with download links.
- DOC and XLS files with malicious macros
- Archive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads.
The Malware uses a technique called Lagos Island method which calls ntdll.dll(Windows native API) module from disk into memory and calls its exported functions directly. It also capable of Changing file path, extensions, registry key and much more.
FormBook Injection Process
It finds Explorer.exe by using Checksum and injects in explorer.exe trough API calls, once injected it selects any one of the Windows processes and launch it.
svchost.exe, msiexec.exe, wuauclt.exe, lsass.exe, wlanext.exe, msg.exe, lsm.exe, dwm.exe, help.exe, chkdsk.exe, cmmon32.exe, nbtstat.exe, spoolsv.exe, rdpclip.exe, control.exe, taskhost.exe, rundll32.exe, systray.exe, audiodg.exe, wininit.exe, services.exe, autochk.exe, autoconv.exe, autofmt.exe, cmstp.exe, colorcpl.exe, cscript.exe, explorer.exe, WWAHost.exe, ipconfig.exe, msdt.exe, mstsc.exe, NAPSTAT.EXE, netsh.exe, NETSTAT.EXE, raserver.exe, wscript.exe, wuapp.exe, cmd.exe
It has certain browser and clipboard monitoring hooks and if they find strings with following contents they will extract it.
- pass
- token
- login
- sign in
- account
- persistent
According to FireEye analytics with URL shortener tny.im-shortened links there were around 716 hits across 36 Countries.
Common Defence’s to stay safe
- Don’t open the attachments that you are not expecting.
- Patch or Update your software.
- Use a reputable security suite.
