Quick Heal Security Lab has seen a sudden increase in dotnet samples which are using steganography. Initially, in the static analysis, not much information is available. It resembles some simple application going by the method name. On the dynamic side, some show the activity but another check for sandboxing environment. Apart from this, even on execution, it loads multiple memory stages that contain numerous long periods of sleep. One such file received in our lab was of Formbook malware. Formbook stealer has been sold on hacking forms since 2016 as-a-service.
In this blog, we will go through those multiple stages and analysis of the final payload. The final payload is also complicated due to various threads creation and sleeps in between.
In the resource of sso.exe, there is an image that indicates the use of Steganography. However, this resource is not used at this level. There is one more resource present which initially is difficult to find. While going through the code of decryption, this 2nd resource was identified as stage 1.
At the entry point, there is a single line code to execute the form.
If we go to the Form1 code, there isn’t much information present. But when we check the Form1 class, we can see in its constructor a call to method ISectionEntry.
ISectionEntry contains the code to get Pixels(Fig 5), convert to integer and save it in an array(Fig 6) and then call to MessageSurrogateFilter(array) with the buffer passed as a parameter.
MessageSurrogateFilter() method then loads the decrypted assembly (SimpleUI.dll) into the memory and invokes its SeclectorX() method with some arguments, which will be explained later in Stage 1.
fgh() method’s decryption routine is a simple XOR with 2 values in which the “bytes” array contains a Unicode version of the Key (mentioned as ValueEnumerator above).
After decryption, the assembly is again loaded in Memory.
It becomes difficult to analyze with these unicoded function name.
In this stage 2 assembly, a method named Fedree() is called, whose constructor contains the code to decrypt and inject the final payload.
In the decryption routine first, the name of the resource is decrypted to s2pCN (resource in stage 2), Loads the resource and passes it to the XOR_DEC along with a KEY. Decrypted buffer is then passed to Unscramble function where it brings another dotnet file.
XOR_DEC contain simple xor with obfuscated code.
Unscramble function forms the final payload.
After decryption, it does process hollowing by creating sso.exe’s process in suspended mode.
The injected file is the final Payload of Formbook, which has around 1500 methods with random names.
This contains 2 different Base64 encoded strings.
2nd base64 string contains 5 modules which are later loaded in memory and executed.
The strings are converted from base64, then reversed and replaced by specified characters and again base64 decoded.
The resultant data for 1st decoded string is CnC servers, mutex name and some configurations.
It also creates a bat file to check for network connection and again start the process and delete the bat file.
After decrypting the data it checks for the mutex if already present it exits. In configuration the value of “AUR” tag is true, it takes 2 running process’s names, from 1 it takes the name of the process, from the other it takes any folder name from the parent directory and copies itself to this location with first’s process name. Along with this, it keeps a file with a name as a hash of process name and some randomly generated garbage data.
It also schedules tasks for these copied files.
Next, it loads different modules which it has decoded initially and loads them into memory and invokes different methods.
Then it tries to steal browser information like cookies, passwords, forms, history, autofill, credit card information also takes screenshots, clipboard data, discord tokens, FileZilla, telegram data, discord tokens, steam data.
There was also a module that will compile the code for DCRat at runtime on receiving commands from CnC.
Other different modules present are:
It has kept all strings in encrypted form under a list of various techniques.
Contains various techniques to identify if it’s running under VM or Sandboxing environment if there are any monitoring processes running. Also, a way to identify VM/Sandboxing is by checking physical Memory.
Contains code to spread to USB drives by creating an autorun.
Contains code to collect a List of installed software’s, running processes, time zone information, active TCP connections, local network connections available, list of connected USB drives.
Collects all the files
At this point, this module is not in a complete state. This shows that it is still under development.
This seems to be malware that is still being developed. We haven’t received Initial Vector yet, but it appears to be downloaded by a malicious doc/Xls file, which is spread through emails. Users should avoid opening emails, documents sent by unknown senders and keep the AV updated. We detect all the modules and stages with Trojan.Formbook and Trojan.YakbeexMSIL.ZZ4
MITRE ATT&CK TTPs:
|Virtualization/Sandbox Evasion: System Checks||T1497.001|
|Process Injection: Process Hollowing||T1055.012|
|Credentials from Password Stores||T1555|
|Data from Configuration Repository||T1602|