An ISC diary analyzes a Formbook infection chain that begins with an Excel file exploiting CVE-2017-11882 to deploy ModiLoader/DBatLoader and Formbook. It details a loader that fetches a base64 payload over HTTPS, decodes it into a DLL, and establishes persistence, DNS and HTTP-based C2 activity, plus VirusTotal detections and typical ModiLoader/Formbook artefacts. #ModiLoader #DBatLoader #Formbook #CVE2017_11882 #qu.ax #MsBuild #DNS
Keypoints
- The initial lure: an Excel file crafted to exploit CVE-2017-11882, the memory-corruption bug in the legacy Office Equation Editor (EQNEDT32.EXE) that was patched in November 2017, to get code execution on the victim host. “The initial lure was a file created with Excel to exploit an old vulnerability for CVE-2017-11882.”
- Loader retrieves base64 payload: the loader EXE fetches base64 text over HTTPS from qu[.]ax. The text is the malicious DLL, base64-encoded with its bytes in reverse order, so a plain base64 decode does not produce a recognizable PE file until the bytes are reversed. “the loader-style EXE retrieved base64 text over HTTPS from qu[.]ax as shown below.” and “The base64 text represents a malicious DLL file in reverse byte order.”
- Payload decoding yields a DLL: decoding the base64 text (and reversing the bytes) in CyberChef reveals the Windows DLL used by Formbook. “Decoding the base64 text file in CyberChef reveals a malicious EXE or DLL.”
- Persistence and abuse of a legitimate binary: the loader EXE is made persistent through a Windows registry Run key, and a copy of the legitimate MSBuild.exe is written to disk and persisted the same way, the pattern the author usually sees with Formbook. “The loader EXE was made persistent through the Windows registry.” and “a copy of MSBuild.exe … made persistent … in the same manner I usually see for Formbook.”
- C2 indicators: HTTP GET followed by POST requests to a /tfgp/ path, plus a burst of DNS lookups for many different domains, several of which returned no response or NXDOMAIN. This matches Formbook's well-known habit of cycling through an embedded list of domains, most of them decoys, alongside its real C2. “HTTP GET and POST requests: GET /tfgp/ … POST /tfgp/” and multiple DNS queries listed.
- Context and prevalence: this infection chain aligns with prior ModiLoader/Formbook patterns, and new CVE-2017-11882-exploiting samples appear regularly on VirusTotal. “I’ve done similar, undocumented infection runs with confirmed ModiLoader samples for Formbook…” and “new malware samples exploiting CVE-2017-11882 … submitted to VirusTotal on a daily (or near-daily) basis.”
- Low risk on patched systems: on up-to-date Windows 10/11 with patched Office, this infection is unlikely to affect users; VirusTotal detections are relatively decent for the payloads. “Since this infection chain relies on a 2017 vulnerability, anyone with a Windows 10 or 11 host running an up-to-date/patched version of Microsoft Office will not be affected.”
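The decode step above (base64, then reverse the byte order, then check for a PE) is easy to get wrong by hand, so here is an added Python triage helper that is not part of the diary and not the author's CyberChef recipe. It decodes a fetched blob, reports whether it only becomes a valid PE after reversal, tells a DLL from an EXE using the IMAGE_FILE_DLL flag in the COFF header, and hashes the result for matching against VirusTotal or an IOC list. The sample "payload" is a constructed minimal MZ/PE/COFF stub, not the real DLL from the diary.

```python
import base64
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs


def decode_reversed_payload(b64_text: str) -> bytes:
    """Base64-decode the fetched text and undo the reverse byte order."""
    raw = base64.b64decode("".join(b64_text.split()))
    return raw[::-1]


def classify_pe(data: bytes) -> str:
    """Return 'dll', 'exe', 'mz-only' (DOS header but no PE signature) or 'not-pe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF header (20 bytes); Characteristics is at +22
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "mz-only"
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def analyze_base64_payload(b64_text: str) -> dict:
    """Triage a fetched base64 blob: how it classifies as decoded, how it
    classifies after reversing, and the SHA-256 of the reversed bytes for
    lookup against IOC lists or VirusTotal."""
    raw = base64.b64decode("".join(b64_text.split()))
    reversed_bytes = raw[::-1]
    return {
        "looks_reversed": raw.endswith(b"ZM"),  # a reversed 'MZ' at the tail
        "as_decoded": classify_pe(raw),
        "after_reverse": classify_pe(reversed_bytes),
        "sha256_after_reverse": hashlib.sha256(reversed_bytes).hexdigest(),
    }


# --- constructed sample so the helpers can be exercised offline -------------
def build_fake_pe(is_dll: bool) -> bytes:
    """Minimal MZ + PE signature + COFF header stub (constructed, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # 0x0002 = EXECUTABLE_IMAGE
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    return dos + coff + b"\x00" * 16


def encode_as_reversed_base64(pe: bytes) -> str:
    """Emulate what the loader downloads: bytes reversed, then base64-encoded."""
    return base64.b64encode(pe[::-1]).decode()


if __name__ == "__main__":
    sample = encode_as_reversed_base64(build_fake_pe(is_dll=True))
    print(analyze_base64_payload(sample))
```

Running the stub through `analyze_base64_payload` reports `not-pe` for the plain decode and `dll` after reversal; on a real sample, feed the reversed bytes to a PE parser next, and use the SHA-256 to check the hash against the IOC list at the bottom of this page.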
MITRE Techniques
- [T1203] Exploitation for Client Execution – The initial lure used an Excel file to exploit CVE-2017-11882. “The initial lure was a file created with Excel to exploit an old vulnerability for CVE-2017-11882.”
- [T1105] Ingress Tool Transfer – The loader retrieved base64 text over HTTPS from qu[.]ax to obtain payload. “the loader-style EXE retrieved base64 text over HTTPS from qu[.]ax…”
- [T1140] Deobfuscate/Decode Files or Information – The base64 text is the malicious DLL in reverse byte order; decoding and reversing it yields the payload. “The base64 text represents a malicious DLL file in reverse byte order” and “Decoding the base64 text file in CyberChef reveals a Windows DLL.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via Windows registry Run keys. “The loader EXE was made persistent through the Windows registry.”
- [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild – A copy of the legitimate msbuild.exe is dropped and persisted so the malicious code runs under a trusted Microsoft developer binary. “Copy of legitimate Microsoft file msbuild.exe (not inherently malicious) …”
- [T1071.001] Web Protocols – C2 over HTTP/HTTPS with GET/POST to /tfgp/ endpoints. “HTTP GET and POST requests: GET /tfgp/ … POST /tfgp/”
- [T1071.004] Application Layer Protocol: DNS – DNS queries to multiple domains; several domains returned no response or no such name. “DNS query for www.valleyofbreath[.]com – no response from DNS server” and others.
Indicators of Compromise
- [SHA-256 Hashes] – 4f6e9a66f50f443d07676ef43a7f2349fc713c96522058c1c4d425da7be4a4bf, 8566d2bf58fe371e646076c60874a8fbb50de2fbf9b950c457804d316a3de89f (and 3 more hashes)
- [File name / path] – DC293_payment.xls and C:\Users\Public\cleanmgr_rse.exe, plus persistence artifacts like C:\Users\[username]\AppData\Roaming\bestm.exe
- [URL / Domain] – hxxps://qu[.]ax/NNAs.wav (payload delivery URL; the base64 text is served under a .wav file name)
- [IP Address] – 23.94.144[.]13 (host for payload delivery)
- [Registry Key] – HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values bestm and YDD0P4187
- [DNS / Domains] – valleyofbreath[.]com, website-dolap[.]com, cloudzon[.]world, eperq[.]buzz, nolinkoti[.]biz, simplepay[.]kitchen, thecharmingchimp[.]com, etc.
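The C2 indicators above (GET then POST to the same /tfgp/ path, and a burst of DNS lookups for many domains that mostly fail) are more useful as detections than as static IOCs, since the decoy domains change from sample to sample. The following Python is an added example, not code from the diary or from the ISC, that runs three checks over constructed Zeek-style HTTP and DNS events: GET-and-POST to one path from one host, DNS churn with a high failure ratio, and matches against a defanged IOC list (which it refangs first). The events, the window and thresholds, and the non-IOC destination addresses are all assumptions made up for the example; the hostnames are taken from the IOC list on this page.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample events (not a capture from the diary), shaped like a
# flattened Zeek http.log / dns.log. 10.0.0.5 plays the infected host and
# 10.0.0.9 a normal one; destinations other than the IOC IP are RFC 5737 addresses.
HTTP_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "dst": "23.94.144.13", "method": "GET",  "host": "qu.ax",             "uri": "/NNAs.wav",   "status": 200},
    {"ts": 160, "src": "10.0.0.5", "dst": "203.0.113.10", "method": "GET",  "host": "website-dolap.com", "uri": "/tfgp/?id=1", "status": 404},
    {"ts": 161, "src": "10.0.0.5", "dst": "203.0.113.10", "method": "POST", "host": "website-dolap.com", "uri": "/tfgp/",      "status": 404},
    {"ts": 170, "src": "10.0.0.5", "dst": "203.0.113.20", "method": "GET",  "host": "cloudzon.world",    "uri": "/tfgp/?id=2", "status": 200},
    {"ts": 171, "src": "10.0.0.5", "dst": "203.0.113.20", "method": "POST", "host": "cloudzon.world",    "uri": "/tfgp/",      "status": 200},
    {"ts": 200, "src": "10.0.0.9", "dst": "203.0.113.30", "method": "GET",  "host": "example.org",       "uri": "/index.html", "status": 200},
    {"ts": 201, "src": "10.0.0.9", "dst": "203.0.113.30", "method": "POST", "host": "example.org",       "uri": "/login",      "status": 302},
]
DNS_EVENTS = [
    {"ts": 150, "src": "10.0.0.5", "query": "www.valleyofbreath.com", "rcode": "NXDOMAIN"},
    {"ts": 151, "src": "10.0.0.5", "query": "website-dolap.com",      "rcode": "NOERROR"},
    {"ts": 152, "src": "10.0.0.5", "query": "cloudzon.world",         "rcode": "NOERROR"},
    {"ts": 153, "src": "10.0.0.5", "query": "eperq.buzz",             "rcode": "NXDOMAIN"},
    {"ts": 154, "src": "10.0.0.5", "query": "nolinkoti.biz",          "rcode": "-"},  # no response from server
    {"ts": 155, "src": "10.0.0.5", "query": "simplepay.kitchen",      "rcode": "NXDOMAIN"},
    {"ts": 156, "src": "10.0.0.5", "query": "thecharmingchimp.com",   "rcode": "NXDOMAIN"},
    {"ts": 200, "src": "10.0.0.9", "query": "example.org",            "rcode": "NOERROR"},
]
IOCS_DEFANGED = ["qu[.]ax", "23.94.144[.]13", "valleyofbreath[.]com"]
FAILED_RCODES = {"NXDOMAIN", "SERVFAIL", "-"}


def refang(ioc: str) -> str:
    """Turn the page's defanged notation back into matchable strings."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def get_and_post_same_path(events):
    """Sources that send both GET and POST to the same URI path (the diary's
    GET /tfgp/ followed by POST /tfgp/). Returns {src: {path: [hosts]}}."""
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for e in events:
        seen[e["src"]][urlsplit(e["uri"]).path][e["method"]].add(e["host"])
    out = {}
    for src, paths in seen.items():
        for path, methods in paths.items():
            both = methods["GET"] & methods["POST"]
            if both:
                out.setdefault(src, {})[path] = sorted(both)
    return out


def dns_churn(events, window=60, min_domains=5, min_fail_ratio=0.5):
    """Sources that query many distinct names inside `window` seconds with a
    high share of failed lookups. Formbook walks an embedded domain list and
    most entries are decoys that return NXDOMAIN or never answer."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            names = {e["query"] for e in win}
            fails = sum(e["rcode"] in FAILED_RCODES for e in win)
            if len(names) >= min_domains and fails / len(win) >= min_fail_ratio:
                flagged[src] = {"domains": sorted(names), "fail_ratio": round(fails / len(win), 2)}
                break
    return flagged


def ioc_hits(http_events, dns_events, iocs_defanged):
    """Exact host/IP matches, plus subdomain matches, against a defanged IOC list."""
    iocs = {refang(i) for i in iocs_defanged}
    hits = []
    for e in http_events:
        hits += [(e["src"], "http", v) for v in (e["host"], e["dst"]) if v in iocs]
    for e in dns_events:
        q = e["query"]
        if q in iocs or any(q.endswith("." + i) for i in iocs):
            hits.append((e["src"], "dns", q))
    return hits


if __name__ == "__main__":
    print(get_and_post_same_path(HTTP_EVENTS))
    print(dns_churn(DNS_EVENTS))
    print(ioc_hits(HTTP_EVENTS, DNS_EVENTS, IOCS_DEFANGED))
```

On the constructed data only 10.0.0.5 trips the path check (both /tfgp/ hosts) and the DNS churn check (7 names, 5 of 7 failed), and it also produces the three IOC matches. In practice the churn thresholds need tuning per environment, since browsers prefetching DNS and misconfigured search-domain suffixes also generate NXDOMAIN bursts; the GET-then-POST-to-one-path check is the more specific of the two.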
Read more: https://isc.sans.edu/diary/rss/29958