On March 4, ASEC analysis team confirmed the distribution of an info-stealing (keyboard input leaker) malware disguised as a quotation. The address downloads the secondary malware uses Google drive (https://drive.google.com) which many people use, and this method is used to disguise the behavior as a non-threat behavior. It was discovered that this malware is the same type as the malware below, which took the form of an AutoCAD file (DWG) to disguise.
As shown in Figure 1 and 2 below, the email contained an image (img) file, and a malicious executable was hidden in the image file.
When the malicious file is run, it copies itself as shown below, and creates a VBS file that runs the copied file. Also, it registers the created VBS file to RUN key so that it runs automatically when the Windows starts.
| Copied file | C:\users\vmuser\Templum\Ornarypo.exe |
| Created VBS file | C:\Users\vmuser\Templum\Ornarypo.vbs File content: run copied file Set W = CreateObject(“WScript.Shell”) Set C = W.Exec (“C:\Users\vmuser\Templum\Ornarypo.exe”) |
| Register VBS file to RUN key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Chika “C:\Users\vmuser\Templum\Ornarypo.vbs” |
Once run, the malicious file downloads the encoded malicious data, decodes it in the memory, and additionally runs it.
The decoded data is an info-stealing malware, also known as Formbook. It is injected into currently running process and steals user info. ‘Keyboard input (keylogging)’ and ‘clipboard’ are the info that gets stolen.
AhnLab’s V3 products detect the malware under the following aliases:
- Malware/Win32.Generic.C4004690 (2020.03.04.03)
Categories:Malware Information