FormBook Downloader - Malware Analysis Lab

18 minute read

Technical Analysis of a FormBook Downloader

Overview (AI generated from video):

Summary

A compromised WordPress site was used to host the second-stage HTA file and the final payload. The initial .lnk file launches PowerShell, which resolves a wildcard path to mshta.exe and uses it as a download cradle to fetch the HTA from the compromised site; the HTA decodes and runs a PowerShell script that downloads rumor.exe, which VirusTotal flags as FormBook.

Key Highlights

๐Ÿ” Link files can be used for malicious purposes, such as running hidden malware or acting as a download cradle.
๐Ÿ› ๏ธ Tools like Link Parser and Eric Zimmermanโ€™s LECmd can help analyze link files and provide additional information.
๐Ÿ“ The metadata in a link file can reveal details about the user account that created it and potentially track similar malicious link files.
๐ŸŒ The compromised WordPress site was used to host the malware and download the payload from a remote server.

Key Insights

- Link files are often used as a gateway to launch hidden malware or download additional malicious files. Analyzing their properties and metadata can provide valuable insights into the infection chain.
- The use of PowerShell, mshta, rundll32, msiexec and other legitimate executables in conjunction with link files shows how the malware authors evade detection and launch their payloads with tooling already on the system.
- Typos, like "misexec" instead of "msiexec", can break the execution chain and prevent certain file types (here, MSI packages) from launching, highlighting that malware authors also need testing and quality control.

Transcript (AI generated from video):

00:00:00	Let's take a look at some new malware uploaded to MalwareBazaar. This has been uploaded by abuse.ch themselves, the creators of MalwareBazaar. This actually has a file name of offer document 25.lnk. An LNK file in the context of Windows is a link file or a shortcut file. How can a link file or a shortcut file be malicious? Link files in the context of malware are often being used either to run hidden malware on something like a USB stick, or they're being used to run legitimate executables
00:00:34	on your system that then go and act as something known as a download cradle, so they're going to go off and fetch a script or an executable and launch it from a remote server. Tools that can do this are stuff like PowerShell or msiexec, or even chaining some legitimate executables like certutil to download the file and then using start from a command prompt to launch the malicious executable. So how can we analyze this link file? There's a couple of tools that we can use. I've gone ahead and downloaded the file, but we can't look at
00:01:09	it in a normal fashion like we would with some of our other samples, and I'll show you what I mean by that. If I right-click it and I try to use something like Detect It Easy, you'll immediately see it's actually analyzed what the link file is pointing to, so you can see that it says the file name is PowerShell, and if we were to open this up in a hex editor we can see okay, it's showing an MZ header, so a PE file, but this is for PowerShell that's sitting on our system, not the link file. Now with any link file
00:01:39	on Windows you can right-click it and go to Properties and get a bit of an idea of what it's pointing at. I'm not sure why this had the comment 919 022, but that might be something of interest to keep in mind. Now when we talk about the target here, we can see that it is pointing to PowerShell, but it's actually only using PowerShell to then run a different executable that's on your system, so you'll notice that it's using the environment variable and it's specifying some wildcards. Now this WS2 MH may not seem like it means much, but
00:02:11	what actually happens is that if you specify wildcards they will basically expand and get all of the matches for it, so there's only one match that matches this kind of regex, which is C:\Windows\System32\mshta.exe. So this is the executable used for launching HTA files. Now we can see that this actually goes out and fetches something from this domain, which we'll look at in just a sec, but first let's see if there's anything interesting sitting in this link file, because there's a number of tools that we can
00:02:44	use to parse the actual format of this link file that give us a bit more information. There is Link Parser, which we can find on Google archive; this was actually created back in 2012 though, so this is a little bit older. And then there is the more industry-standard LECmd tool that is created by the one and only Eric Zimmerman. Now Eric Zimmerman is a fantastic digital forensics and incident response professional and has created a number of widely available tools that are used within digital forensics and
00:03:14	incident response. First off I've got the older Link Parser tool, and what I'm going to do is just use it against the link file and see what outcomes we get, and you can see that it's pulled out a bit more information than what we actually had just kind of eyeballing the file. In particular there is actually this metadata property store that has mention of a value. Now in that value there is a user identifier, so this is actually the security identifier of the user account that created this malicious link file.
00:03:45	This is going to be unique, given it has a unique identifier per the domain that it's created on. If we look at security identifiers in the Windows documentation, they basically have a format of having a revision level, so most of the time, almost always, it's going to be S-1, and then you're also going to have an identifier authority, so once again almost all of the time we're going to have S-1-5, and then we're going to have an identifier that specifies the domain, so that goes all the way down to the end, and then it
00:04:17	has a relative identifier. Now the relative identifier here of 500 is the local administrator account, so that tells us that the user has used the local administrator account on their system. The identifier for this domain could be used to track maybe similar malicious link files that have been created and used. There are other elements that are common in malicious link files, but it looks like they've been stripped or they're just not present in this link file, so for example the NetBIOS name would be one of those. So
00:04:50	let's take a look at another tool, let's use LECmd. What we're going to have to do is specify a file, and then we're going to specify the link file, and if we run that we can see that the same information has been pulled out, but it's presented in a little bit of a nicer way. So we can see now, once again in the header field, it says that the target created, modified and accessed is null, so this is where the unknown was seen in the other tool. It does rip out the source created, modified and accessed as well, so this actually gives us some
00:05:20	timestamps as opposed to no timestamps. That being said, generally there will be a NetBIOS name for the system that this was created on, but in this case it's not present. Now to prove I'm not making this stuff up, I'm going to go ahead and create a link file on this system and show you what that output might look like. So in the same folder I'm just going to right-click, New, and create a shortcut, and we're going to name this cmd.exe because this is what we want to run when it's run, so we want to name it cmd.exe and it's pointing at cmd.exe. Now
00:05:48	in our terminal, if we run the same but we specify it to be on cmd.exe, you can see it's ripped out a lot more information. Of particular note, there is my user identifier in this VM, so this actually is a different number to what we saw before. We can actually see a bit more information as well, basically the MAC vendor and the MAC address tied to this particular system, the machine ID, so this is the NetBIOS name of the system that I'm currently on, which is Sparky, and it's given us a bunch more information that can be used for pretty
00:06:22	much anything from tracking to attribution purposes. We can also see a serial number, which could be of interest as well, and this is tied to the actual hard drive in my virtual machine. Now something to keep in mind is that the MAC vendor may give you a bit of an indication on how this link file was created as well, if it is present, because this PCS Systemtechnik is tied to VirtualBox, which is what I'm running this VM in. So now we know that this is going out and pulling a payload from a URL, which in this case is going
00:06:58	to be this yd.us. So if we scan the base URL of that website, it does look like this is a website tied to an Uzbekistan entity. I do not know the language, but if we translate it, it seems to translate to Andijan Institute of Economy and Construction. Now unfortunately this website is based on WordPress, and it may have a vulnerable plugin or a vulnerable instance of WordPress, so it does look like unfortunately this website has been compromised to host the next stage of our malware. Now if we scan that room 5.hta file on this
00:07:35	server, we can actually see that it has a VBScript that is within an HTA file that's going to be executed, so let's dive into that a bit further. All we have to do is hit HTTP and hit show response, and we actually get the entirety of that payload for our second stage, so let's download this and do some more analysis. So I've gone ahead and downloaded the HTA file; let's take a look at what it's doing. It may seem a bit daunting at first, but it's actually quite trivial for us to reverse this. This is actually
00:08:05	an array of characters, so you can see that this is defined as an array, but the characters don't quite translate to particular values. Now the reason is because if we actually look up, we can see what's happening: there is this being defined, this uqe, as 39341. We also see that it is defining the characters from these values, so the char values associated with these numbers, but it's not using these full values, it's actually using this, so this is for each one in the actual array itself: for each value in fcss, and fcss
00:08:43	is the actual array, it's saying for each of those values it's going to subtract this number, this 39341, and that's actually how it's formulating the string for the next part of our payload. We can go down and we can also see some other array that's being used here as well, so both of these we can actually take and translate into something a little bit more legible. So let's go ahead and take a look at the big array, because this is likely going to be what is running for our next stage. So I'm going to copy the entirety of
00:09:14	this array, go over to CyberChef and put it in. Now what we actually have to do is have that subtract occur on every single one of these numbers. Now pumping these into a calculator is going to take forever, that's not the way you're supposed to do it. "Dad, they want us to do it..." "I don't know that way!" "Why would they change math? Math is math. Math is math!" So we are going to actually use a little bit of hackery using CyberChef to be able to do this. The first thing that we want to do is actually place these values in registers. Now we want to
00:09:47	create a Fork operation so that all of the actions that we take are going to occur on each individual one of these values. So let's run Fork. We are going to split this, so this is what is going to define the split; we're going to split it based on a comma, and now we can see that they are all on separate lines. Now we're going to have to use the Register function, because what we want to do, you'll see this actually cycles through all of the values, and what we want to do is do a bit of hackery here, so we can
00:10:14	see that there is a Subtract function in CyberChef, but we actually have to specify the delimiter that this is going to be used against. Now if we try to do it based on a line feed, we need the value that's going to be subtracted on a new line, so we can use something else, so in this case let's just say a comma. And what we're going to do is we're going to do a Find / Replace, so if we put this above the Subtract, let's just disable that for a second so we don't cause any issues. What we're going to do is we're
00:10:40	going to replace what's in each register, and to prove that it's not only one value in that register but the value of each individual line, we can go $R0, so that's how we access the register, and we want to replace that with $R0. And if we bake this, let's get rid of global match here, we will actually see that the output is the exact same regardless of whether we have that on or not, because we're not doing any changes yet. What we have is a hardcoded number that we want to change
00:11:07	for every single one of these values, so let's create a comma, and the value is this 39341, so let's put that in now as well, and now you can see every single line actually has a comma and the 39341, the value that we're going to have subtracted from the larger value. So let's actually turn on Subtract. Now remember that the Fork operation is going to do this on every one, and now we can actually see numbers that are char values that can be translated back into the original words that are going to make sense to us. So to do this, what
00:11:35	we're going to now have to do is do a From Decimal, because we can see that decimal is going to convert them back into its original form, so we can use From Decimal, and we can actually see now that it actually does it for every individual line because we haven't merged it back, but we can actually begin to see a string that forms. So let's make this a little bit more legible. We're going to have to do a Merge, so let's merge them all back in. We are going to have to do a replace, and what we're going to do is we
00:12:03	are going to find a new line and replace it with nothing; actually, let's replace the new line with a space. Now we can actually see that what we're doing is going From Decimal with space as the delimiter, so now we actually get the next stage of our payload that we want to analyze. So let's take this and save it as the next stage. I've also just gone ahead and taken that smaller array, so that smaller array that we can see here that formulates wscript, which just indicates that WScript is going to be used to run this next stage. So now
00:12:34	looking at that downloaded stage 3 bin, it looks like there's a little bit of noise here, so one of the things that I'm going to do is actually do a find and replace. We can do that using the extended search mode in Notepad++ and replace everything, and now it looks a little bit more legible. So we can see the aim is to use PowerShell in order to write a file to disk. We can also see a function that seems to be checking if something ends with something; we don't know what it is yet, and if it does, it's
00:13:03	going to use rundll32.exe to run it. Now a good assumption here is that this might actually be the extension .dll, so that if a DLL file is being pulled down it's going to use rundll32 to launch it, because it can't launch by itself. We can also see another one, which might just be if it's an executable it's going to use PowerShell in order to run the file, and then there's another one, and this one's a little bit more interesting, because I'm guessing this is going to be an MSI file, but the difference here is
00:13:33	that the malware author, or whoever has created this, has actually put in a typo. We can see it is misexec; the problem is this is actually msiexec on a Windows operating system. If they push down an MSI file it actually wouldn't launch and would break at this point of the chain, so typos are pretty important. We can actually also see evidence of it downloading a file, so there is this .NET class that's being used to specify a TLS connection should occur, so this is obviously connecting to a remote server
00:14:06	using TLS and it's downloading data. Now the data that it's downloading, we actually have to backtrack a bit to actually see what's going on. It's going to be using a new object of some sort, maybe a .NET object that's being used to download the actual file, so maybe the download class. We actually have to understand what's happening with this function here, because it does look like this is what's being used to transpose those numbers into something that's a bit more relevant. We can see that that function has an input that it takes, so
00:14:37	we give it an input of those numbers, which is an array, and then it's defining a variable which is 77153. We can also see that that is now later used for each of those values that are passed in; for each of these, what it's going to do is it's going to subtract one from the other. We once again just have a simple substitution, or subtraction, that is occurring here that we can actually use to get that next stage. So what I'm going to do is actually take a look at these and use the same operation that we had in
00:15:06	CyberChef, the difference being that we're going to use 77153. So I've changed it to 77153, and now if I start with the first array we can actually see that it does come out to DL. We can take this second array, and we could probably do this for all of these. So this actually isn't an executable that's going to be launched with powershell.exe, this is actually running a PowerShell script, that makes sense, I probably should have assumed that. And then we also have MSI; once again, misexec is not going to launch an
00:15:38	MSI file. And we can see Net.WebClient, so this is just specifying that it's going to be using that particular .NET class in order to download that file. Now the main thing that we see here is that there is an environment variable that's being expanded, so this environment variable of APPDATA expands to the user's AppData\Roaming, so something is going to be deployed in the Roaming directory with the name rumor.exe. What we're going to do is actually take this to see where that next stage is being pulled down
00:16:09	from, and we have the same function, right, and we can see it's hosted on the same compromised WordPress website. So if I go back and look at that WordPress website, we can actually see that it is still hosting this rumor.exe. Now what is this rumor.exe? Because this is ultimately the payload that's going to be deployed on the endpoint. If we look it up on VirusTotal, oh, it lights up like a Christmas tree, except without the green. Basically this has an overwhelming number of detections for FormBook malware. So now we have a
00:16:37	good idea that someone has compromised this Uzbekistan website to upload a malicious HTA file that is going to be launching the FormBook malware. So now we actually know what that malicious link file is doing. I won't go too much into the actual FormBook malware, because I might save that for another video where we can deep dive into that. So thanks so much for watching, that's all I wanted to show today. Let me know your thoughts, feelings, comments, anything else in the comment section below, and I will catch you next time.