Introduction

Cyber criminals are always looking for new ways to infiltrate companies, new techniques, or maybe only creative arrangement of known tricks to achieve their objective. In some of our previous blog posts, we documented how cyber criminals are investing their efforts on creating more and sophisticated code protectors to hide malicious software, and in many cases we observed the industrialization of code-packers and protection solution services. 

Aside from the increasing protection efforts, we saw the increase of the abuses of trusted digital platforms. We recently found an example of this trend during our cyber defense operations, where we intercepted a suspect binary that landed in the network perimeter from a wide known platform. 

In this report, we decided to dissect that infection chain, focusing on the packer behaviour, it’s detection evasion techniques and the creative arrangement of tricks to hide a dangerous e-crime tool.

Technical Analysis

The infection chain starts with a malicious drop url coming from the CDN (Content Delivery Network) belonging to the legit Discord app infrastructure. This starting point let us immediately highlight the trend of the last years, in fact many cyber criminals leveraged storage functionalities belonging to legal services to upload malicious software. In the past, we saw other malware delivered by Google Drive documents, but this time the abused company is Discord. 

Anyway, the dropped file is a malicious binary file emulating a PDF icon (T1036).

Table 1. Sample information

It was quite easy to reach out that the malicious executable has been packed (T1027.002) through the open-source utility to create Windows Installers or Self Executable codes NSIS (Nullsoft Scriptable Install System).

Figure 1: Static signature of the malicious file 

The NSIS script immediately reveals the malicious behaviour of the packed file. 

Figure 2: The NSIS installer script

It extracts two files inside the %TEMP% path, “o15bmldpqdxcin.dll” and “emvmcmzr.n”. The first one actually is a malicious dll presenting an unique exported function, “Gxkeoxkzs”, that we deepen in the following sections; instead the second file is an encrypted file which will be decrypted through a custom routine emerged during the study.

The Decoder Stub

The extracted dll is a built-up to be a decoder for the malicious payload encrypted inside the “emvmcmzr.n” file.

Table 1. Sample information

By statically analyzing the sample, two interesting details emerge: the first is that the dll exports and unique function named “Gxkeoxkzs”; the second is that the “.data” section has got unusual attributes, such as “writable”, “executable” and “self-modifying”:

Figure 3: PE sections of the sampes 

The code of the exported function reveals the motivation of this particular section. In fact, it has the only purpose to decode the obfuscated code hidden inside that section through a custom algorithm leveraging the basic mathematical operators (xor, shift, module, etc.)  

Figure 4: code deobfuscation algorithm 

After the decoding algorithm, the control passes to the just decrypted area, through the classic “call eax” primitive assembly instruction:

Figure 4: jump to the deobfuscated code 

The .data section is an effective shellcode used to decode and deploy the last malware stage. As first instructions, it loads a series of hexadecimal values representing the hash of the sensitive API calls to link inside the environment:

Figure 5: obfuscated API references

During the decoding of the API calls, we encountered also those related to the classic evasion technique, performed by checking the active processes. 

Figure 6: Running process evasion technique

After dynamically mapping the API calls needed to validate the active processes, the malware reads the content of the encrypted file and allocated an apposite memory area for that. 

Figure 7: Encrypted file loading 

The next phase of the infection chain is obvious: decrypt the malicious payload.

Figure 8: encryption key 

The shellcode adopts a custom algorithm, similar to for the previous description of the shellcode. However, after the routine, the magic MZ header appears:

Figure 9: Decrypted executable 

The decrypted executable contains a Formbook payload that is able to execute on the victim machine after this routine. The last phase is to spawn another child process, where the malicious code has to be injected. At this point, the Formbook payload is executed, enabling the threat actor to gather and steal information and data from the victim machine. 

Conclusion

Down to this tricky code packing mechanism, the actor behind the cyber attack leveraged a well-known Formbook (TH-110) info-stealer malware family sold as commodity malware on hacking forums since 2016, very long time ago. But, we need to avoid security pitfalls like thinking this malware family is less dangerous because it operates for such a long time. 

Instead, the long lasting diffusion of Formbook malware need to remember us that the actors behind these cyber attacks are capable to reuse their tool kits, inventing new ways and tricks to stay under the radar of many traditional security controls. Dealing with new tricks and loopholes used and abused by cyber criminals requires additional capabilities and technologies to detect, interpret, analyze and dissect malicious artifacts in order to avoid the damages of silent spyware and info-stealer can pose to the competitiveness of the business. 

Advanced managed security operations such as Yoroi’s Cyber Security Defence Center services leveraging Malware Analysis and Threat Intelligence are key pieces of a cyber strategies strategy able to reduce and control this risk. 

Indicators of Compromise

• Dropurl:
  • https://cdn.discordapp[.com/attachments/809432002913763381/811199162669334558/Mattechpdf.iso
• C2 (Formbook):
  • http://www.pwzcl[.com/a0ce/
• Hash:
  • 90c968905405e89ebb8aece8656238dae5aabd40acf795587d3c918b2d8df284
  • defe035237269762cfb83849b7906dad23f4085e5e42b4cd9f1ba6114192d539
  • 6190a8f82b142ed30c0abee73fc6f2a960185295b4a2bd5b78a3ef319225a402
  • cf0911773f848ae94f448984266ebb2b77bf0c32439d3062ffc136c893e07bb9
  • e89eb8157e2caf74c4d36f1bef8492643c9071f115bafbfc17c050d54a5e172a

Yara Rules

rule Formbook_NSIS_Packer {
meta:
      description = "Yara rule Forbook NSIS Packer"
      hash = "90c968905405e89ebb8aece8656238dae5aabd40acf795587d3c918b2d8df284"
      author = "Yoroi Malware ZLab"
      last_updated = "2021-02-23"
      tlp = "white"
      category = "informational"
    
strings:
	$a1 = { E6 50 47 D2 BD 73 77 D2 E3 50 47 D2 }
	$a2 = { 3B FD C7 44 24 10 04 A1 40 00 72 65 }
	
	
	$a3 = "nsis.sf"
	$s1 = "54GB"
condition:
	uint16(0) == 0x5A4D and all of ($a*) and #s1>2 
}


rule Formbook_DLL_Loader {
meta:
      description = "Yara rule Forbook DLL Loader"
      hash = "cf0911773f848ae94f448984266ebb2b77bf0c32439d3062ffc136c893e07bb9"
      author = "Yoroi Malware ZLab"
      last_updated = "2021-02-23"
      tlp = "white"
      category = "informational"
    
strings:
	$a1 = { B1 DE 32 C3 02 C3 F6 D8 32 C3 2A C8 80 F1 93 2A CB 80 F1 ?? 2A CB F6 D1 80 E9 ??  88 8B }
condition:
	uint16(0) == 0x5A4D and all of them 
}

This blog post was authored by Luigi Martire and Luca Mella of Yoroi Malware ZLAB.