{"id":7611,"date":"2022-03-31T10:16:56","date_gmt":"2022-03-31T17:16:56","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7611"},"modified":"2024-04-26T13:20:06","modified_gmt":"2024-04-26T20:20:06","slug":"cyber-threat-advisory-formbook-deploys-new-evasive-techniques","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/cyber-threat-advisory-formbook-deploys-new-evasive-techniques\/","title":{"rendered":"Cyber Threat Advisory: Formbook deploys new evasive techniques"},"content":{"rendered":"

Author: Ma\u00ebl Le Touz<\/strong><\/h3>\n

 <\/p>\n

1. Executive summary<\/h3>\n

On March 19, Infoblox observed a new spam campaign distributing Formbook infostealer malware through email attachments. Formbook is installed through two different droppers, which are usually associated with Agent Tesla – in fact, much of the delivery involves known tactics and techniques for Agent Tesla, but ultimately the payload in this campaign was Formbook. The droppers use VM detection, steganography, process hollowing, mutexes, and many other evasion techniques, and they rely heavily on XOR encryption.<\/p>\n

2. Analysis<\/h3>\n

2.1 Customer impact<\/h3>\n

At first glance, the characteristics of the campaign match those of campaigns known to distribute Agent Tesla and Formbook. Both are information stealers and capable of identifying and exfiltrating passwords from browsers, email clients, cryptocurrency wallets, and many other software applications. Both are sold as malware-as-a-service on specialized hacking forums, and both allow buyers to customize the malware with their own command and control (C&C) and obfuscation methods.<\/p>\n

2.2 Campaign analysis<\/h3>\n

The spam lure is unsophisticated and has been used by threat actors consistently in recent years. All emails have the same subject line, \u201cRE: Payment Transfer slip\u201d, and a single attached file, Payment slip PDF.zip, which contains a PE32 executable called Payment Slip PDF.exe. Because the malware uses various anti-evasion and anti-detection techniques (described below), most antivirus solutions were unable to correctly identify the threat or to provide actionable intelligence.<\/p>\n

2.3 Analysis of the first file<\/h3>\n

Payment slip PDF.exe is a heavily obfuscated .NET executable that targets Windows systems and is packed with ConfuserEX. The code is hardly readable, and the names of functions and variables in it are replaced with non-latin Unicode characters (the orange text in the screenshot below).<\/p>\n

Figure 1: Obfuscated code from Payment Slip PDF.exe
\n\"\"<\/p>\n

However, some functions are explicit. For example, to determine whether it is running in a sandbox, the program checks whether a remote debugger is present and tries to write to arbitrary memory locations. If the program detects a debugger, it fails silently.
\nThe dropper also tries to prevent debugging. It does this by using flags [DebuggerHidden] and [EditorBrowsable(EditorBrowsableState.never)] to prevent an IDE from displaying code or functions and thus to hamper reverse engineering efforts. Most of the code is never executed but, instead, is taken from an open-source CPU-simulation program written in VB.NET.1<\/sup>
\nHidden in the code is a large string and a bitmap image with high entropy:<\/p>\n

Figure 2: Part of the bitmap image containing the payload binary
\n\"\"<\/p>\n

At runtime, the string is converted to a Base64 array and XOR decoded with another key. This creates a DLL, which is then reflectively loaded by Payment Slip PDF.exe.<\/p>\n

2.4 DLL decryption routine<\/h3>\n

The DLL, named Bunifu.UI, is another .NET executable, and it is obfuscated with the help of ConfuserEX.<\/p>\n

Figure 3: Semi-obfuscated code from the DLL
\n\"\"<\/p>\n

The sole purpose of Bunifu.UI is to decrypt an image by using a key passed as an argument. For each non-transparent pixel in an image, the function extracts the values of red, green, and blue and returns an array. This array is then XOR-decoded by using the parameter supplied when the DLL is invoked:<\/p>\n

Figure 4: Deobfuscated decryption routine
\n\"\"<\/p>\n

This method of obfuscation is consistent with that of Agent Tesla.2<\/sup><\/p>\n

2.5 Decrypted BMP<\/h3>\n

Hijacking the function calls enabled us to identify the decryption key of the bitmap: oRbU. Decrypting the bitmap revealed another file, MajorRevision. MajorRevision is a PE32 executable written in .NET and it, too, is obfuscated using ConfuserEX. MajorRevision contains a lot of unreachable code, which is probably copied from an open-source application that, in another attempt to prevent analysis, queries and runs SQLite databases in C#.
\nMajorRevision is another dropper used in this campaign. It collects information about the endpoint, verifies that the endpoint is running on a real machine, and then writes and executes the malware itself. To achieve this, MajorRevision verifies that the running system contains several strings related to virtualisation, sandboxing, and the name of the user, and that a real hard drive is present.<\/p>\n

Figure 5: An example of checks for malware evasion
\n\"\"<\/p>\n

This behavior is consistent with that of common malware-as-a-service payloads, such as Agent Tesla.
\nIf none of these checks succeeds, the program creates mutexes and copies of itself. To achieve persistence on the system, the program creates scheduled tasks. Although the code contains a mention of HTTP requests, the program does not make them. In fact, after achieving persistence on the target system, it runs several decryption routines to decrypt one of its embedded resources: an encrypted byte array called oj8UsD7H. After examining the code, we were able to extract the XOR key, PbmCIdBuCnEz. Decrypting the embedded byte array produced the final payload.<\/p>\n

2.6 Final payload: Formbook<\/h3>\n

The final payload is not a .NET application but a MASM-compiled PE32 executable composed entirely of a .text section.<\/p>\n

Figure 6: Identification of the payload; note the fake TimeDateStamp
\n\"\"<\/p>\n

Although the rest of the delivery has been used by Agent Tesla payloads in the past, the final payload is Formbook. The executable is heavily obfuscated and contains large arrays of encrypted arrays decrypted only at runtime. The executable uses customer routines to evade debugging, and it runs most of its code on an internal virtual machine. As is typical of Formbook, the sample communicates with dozens of domains established as decoys, but only uses one true C&C.<\/p>\n

3. Prevention and mitigation<\/h3>\n