FormBook uses advanced evasion techniques, such as process hollowing and the Heaven’s Gate method, to execute and persistently control victim machines while stealing sensitive information. It communicates with encrypted C2 servers to receive commands for executing files, updating itself, stealing credentials, and controlling the infected systems. #FormBook #HeavensGate #ImagingDevices.exe #PATHPING.EXE
Keypoints
- FormBook payload runs as a 32-bit executable inside “ImagingDevices.exe,” employing process hollowing to inject into randomly selected child processes like “PATHPING.EXE”.
- It uses complex anti-analysis measures including duplicated ntdll.dll, API obfuscation, encrypted key functions, anti-sandbox, anti-debugging, and repeated use of the Heaven’s Gate technique.
- FormBook collects extensive sensitive data: system info, saved credentials, cookies, autofill data, clipboard content, and more from various software including browsers and email clients.
- The malware communicates with a dynamically decrypted list of 64 encrypted C2 server domains, using a socket process for encrypted HTTP GET and POST communications.
- It supports nine control commands enabling execution of downloaded files, self-updates, data cleaning, system rebooting/powering off, and self-removal from the infected system.
- FormBook establishes shared memory between injected processes for sensitive data exchange and command signaling, maintaining persistence and control.
- Fortinet products offer protections against this campaign through multiple security services including AntiSPAM, Web Filtering, IPS, and AntiVirus.
MITRE Techniques
- [T1055] Process Injection – FormBook performs process hollowing on child processes like PATHPING.EXE to inject and execute its payload (“…process hollowing on the process, injects the FormBook payload into the process…”).
- [T1106] Execution through API – The malware dynamically resolves and calls Windows API functions using encrypted hash codes and decrypts them before invocation (“…API obfuscation…decrypted only before calling…”).
- [T1057] Process Discovery – Enumerates active processes and parent-child relationships to randomly select target processes for injection (“…calls the NtQuerySystemInformation() API with the SystemProcessInformation parameters to enumerate all active processes…”).
- [T1218] Signed Binary Proxy Execution – Uses legitimate Windows binaries like ImagingDevices.exe and PATHPING.EXE for malicious code execution (“…runs inside the 32-bit target process “ImagingDevices.exe”…creates a suspended PATHPING.EXE process and injects FormBook…”).
- [T1140] Deobfuscate/Decode Files or Information – Uses multi-layer encryption and Base64 encoding to obfuscate C2 domains and commands (“…Each domain is encrypted, encoded using Base64, and then encrypted again…”).
- [T1086] PowerShell – Executes PowerShell scripts delivered via control commands (‘4’ command with “RMTU” sub-command) (“…downloads and runs a PowerShell file…”).
- [T1059] Command and Scripting Interpreter – Executes received files such as DLLs, EXEs, and scripts per control commands (“…executes executable files delivered within packets…”).
- [T1143] Hidden Window – Uses window message posting (PostThreadMessageW) to trigger payload execution inside the socket process instead of resuming the thread (“… sends a Windows message to activate the payload…”).
Indicators of Compromise
- [C2 Domains] Encrypted and temporarily decrypted at runtime – Examples: www.manicure-nano.sbs, www.grcgrg.net, www.arwintarim.xyz, and 61 others.
- [File Names] Suspicious temporary executables created during attacks – Examples: %temp%\yzbtfb3.exe; suspended processes PATHPING.EXE and notepad.exe used for payload execution.
- [Registry Keys] Data collection targets – Examples: “HKCU\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2” for autofill data, multiple Outlook profile registry keys.
- [File Paths] Chrome SQLite database files accessed for credential harvesting – Examples: %LocalData%\Google\Chrome\User Data\Login Data and \Default\Login Data, as well as Cookies and Web Data.
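As an added defensive example (not part of the original report or of Fortinet's tooling), a small Python detector for the process-lineage and %temp% executable indicators listed above: it flags ImagingDevices.exe spawning one of the hollowing targets the report names (PATHPING.EXE, notepad.exe) and tags the event with the corresponding MITRE IDs. The event records are constructed, and the field names are assumptions loosely modelled on Sysmon process-creation events.

```python
"""Process-lineage detector for the FormBook indicators above (added example).

Matches two patterns from the report: a legitimate Windows binary
(ImagingDevices.exe) creating a child the report lists as a hollowing
target, and an executable launched from a temp directory. Event fields
are assumed and the sample events are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Process names taken from the report; compared case-insensitively.
HOLLOWING_PARENTS = {"imagingdevices.exe"}
HOLLOWING_CHILDREN = {"pathping.exe", "notepad.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the parent process
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the tags an event matches; empty list means no rule fired."""
    hits = []
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    if parent in HOLLOWING_PARENTS and child in HOLLOWING_CHILDREN:
        hits += ["T1055", "T1218"]          # process hollowing via a signed binary
    if any(m in ev.image.lower() for m in TEMP_MARKERS) and child.endswith(".exe"):
        hits.append("temp-exe")             # dropped %temp% executable
    return hits


def scan(events) -> dict:
    """Map pid -> tags for every event that triggers at least one rule."""
    findings = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            findings[ev.pid] = tags
    return findings


# Constructed sample events (hypothetical paths and PIDs).
SAMPLE = [
    ProcEvent(4120, r"C:\Windows\SysWOW64\PATHPING.EXE",
              r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe", "PATHPING.EXE"),
    ProcEvent(4188, r"C:\Users\u\AppData\Local\Temp\yzbtfb3.exe",
              r"C:\Windows\explorer.exe", "yzbtfb3.exe"),
    ProcEvent(4200, r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe readme.txt"),
]

if __name__ == "__main__":
    for pid, tags in scan(SAMPLE).items():
        print(pid, tags)
```

The third event (notepad.exe under explorer.exe) is the benign control case; only the parent named in the report, not notepad.exe itself, should raise the hollowing tags.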