ASEC (AhnLab Security Emergency response Center) analysis team has recently confirmed that FormBook is using new tactics to persuade users into downloading and executing malicious email attachments.
According to ASEC's weekly malware analysis report, FormBook was one of the most actively distributed malware families in East Asia during July. FormBook is an info stealer that is delivered as a seemingly normal email attachment, such as an estimate, order receipt, package delivery notice, or invoice.
The email message is short and simple, and it deliberately leaves out essential information to trigger the user's curiosity and convince them to open the attached file.
FormBook's distribution method, phishing emails with a variety of themes, has not changed. What has changed is that the operators now hijack the incoming mails a user would normally receive day to day, so the malicious message arrives as part of an existing, expected conversation and raises no suspicion.
FormBook operators first intercept the incoming email and replace its legitimate attachment with a malicious one. The replacement attachment is an IMG disk image, which Windows mounts as a drive when double-clicked, and it contains Guloader. Guloader downloads an additional encrypted payload from hxxp://otumbaonline.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_DhzkcYxrT145.bin, decrypts it in memory and executes it there, injecting it into a legitimate process without dropping it to disk. The injected code then connects to hxxp://www.doneym.com/izz/ and downloads FormBook itself.
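As an added example (not from ASEC or the original post), the Python script below triages a raw .eml message for the pattern described above: a reply in an existing thread whose attachment is a mountable disk image. The sample message, the addresses and the file names are constructed; the script checks attachment extensions and the ISO 9660 volume-descriptor signature, not any FormBook- or Guloader-specific indicator, so it generalizes to any loader delivered in an IMG/ISO attachment.

```python
"""Triage an .eml for a disk-image attachment riding on a hijacked thread."""
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows mounts as a drive when double-clicked; the loader inside
# only becomes visible once the user opens the mounted volume.
DISK_IMAGE_EXTS = {".img", ".iso", ".vhd", ".vhdx"}
# Plain executables and scripts that are also common phishing payloads.
RISKY_EXTS = {".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".hta"}

ISO_PVD_OFFSET = 0x8000          # ISO 9660 primary volume descriptor
ISO_MAGIC = b"\x01CD001"         # descriptor type 1 + standard identifier


def looks_like_iso9660(data: bytes) -> bool:
    """True if the bytes carry an ISO 9660 primary volume descriptor.
    Raw FAT-style .img files do not, so the extension check stays primary."""
    return data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_eml(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and flag the hijacked-thread pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    # A reply inside an existing thread: threading headers or RE:/FW: subject.
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References")) or bool(
        re.match(r"^\s*(re|fw|fwd)\s*:", subject, re.I))

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in DISK_IMAGE_EXTS:
            reasons.append("disk-image extension")
        if looks_like_iso9660(data):
            reasons.append("ISO 9660 signature")
        if ext in RISKY_EXTS:
            reasons.append("executable/script extension")
        attachments.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            "reasons": reasons,
        })

    flagged = [a for a in attachments if a["reasons"]]
    if flagged and in_thread:
        verdict = "hijacked-thread candidate"
    elif flagged:
        verdict = "suspicious attachment"
    else:
        verdict = "clean"
    return {"subject": subject, "in_thread": in_thread,
            "attachments": attachments, "verdict": verdict}


def build_sample_eml(filename: str, payload: bytes, reply: bool = True) -> bytes:
    """Constructed sample message; addresses, subject and names are made up."""
    msg = EmailMessage()
    msg["From"] = "accounting@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = ("RE: " if reply else "") + "Order receipt"
    if reply:
        msg["In-Reply-To"] = "<original-thread@example.net>"
    msg.set_content("Please check the attached receipt.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def fake_iso_image() -> bytes:
    """Constructed minimal layout with an ISO 9660 descriptor at 0x8000."""
    img = bytearray(ISO_PVD_OFFSET + 2048)
    img[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    return bytes(img)


if __name__ == "__main__":
    report = triage_eml(build_sample_eml("Receipt_0713.img", fake_iso_image()))
    print(report["verdict"], report["attachments"])
```

The verdict deliberately combines two weak signals: a mountable image attached to a mail is suspicious on its own, but a mountable image arriving as a reply inside a thread the user is already part of is exactly the forged-mail pattern, so it ranks higher for analyst review. Replace `build_sample_eml` with the bytes of a real message from the mail gateway to run it on live traffic.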
Once the forged email is sent, the rest is up to the user. Users must therefore remain alert and cautious before opening email attachments, keep anti-malware software up to date, and, when in doubt, verify the attachment with the sender through a channel other than the email thread itself, since that thread may already be under the attacker's control.
AhnLab's anti-malware product V3 detects FormBook using the aliases below: file detection for the attached and downloaded files, and memory detection to stop the injected code from executing and performing its malicious activity.
[Process Memory Detection]