Distribution of Info Leaking Malware Disguised as Quotation (Using Google Drive)

On March 4, ASEC analysis team confirmed the distribution of an info-stealing (keyboard input leaker) malware disguised as a quotation. The address downloads the secondary malware uses Google drive (https://drive.google.com) which many people use, and this method is used to disguise the behavior as a non-threat behavior. It was discovered that this malware is the same type as the malware below, which took the form of an AutoCAD file (DWG) to disguise.

As shown in Figure 1 and 2 below, the email contained an image (img) file, and a malicious executable was hidden in the image file.

When the malicious file is run, it copies itself as shown below, and creates a VBS file that runs the copied file. Also, it registers the created VBS file to RUN key so that it runs automatically when the Windows starts.

Copied fileC:\users\vmuser\Templum\Ornarypo.exe
Created VBS fileC:\Users\vmuser\Templum\Ornarypo.vbs File content: run copied file Set W = CreateObject(“WScript.Shell”)
Set C = W.Exec (“C:\Users\vmuser\Templum\Ornarypo.exe”)
Register VBS file to RUN keyHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Chika “C:\Users\vmuser\Templum\Ornarypo.vbs”

Once run, the malicious file downloads the encoded malicious data, decodes it in the memory, and additionally runs it.

Download URLhttps://drive.google.com/uc?export=download&id=1fmp0vjx2nzPCdXbnfiwV4rohKjYv6BLE 

The decoded data is an info-stealing malware, also known as Formbook. It is injected into currently running process and steals user info. ‘Keyboard input (keylogging)’ and ‘clipboard’ are the info that gets stolen.

 AhnLab’s V3 products detect the malware under the following aliases:

  • Malware/Win32.Generic.C4004690 (2020.03.04.03)
0 0 vote
Article Rating
Inline Feedbacks
View all comments