FormBook Uses a Shady File Hosting Service for Its Latest Password-Stealing Campaign
How would you feel about a file-sharing platform that states in its FAQ something along the lines of 'Using our service for anything illegal is forbidden, but if you do decide to do it, we won't try to stop you'? Well, if you're a hacker trying to launch a new FormBook campaign, you'd say to yourself 'This is exactly what I'm looking for'.
FormBook is a powerful strain of information-stealing malware that has been around for close to three years. It's actively traded on the underground markets, and hackers love it because it has a number of characteristics that make it perfect for what they're trying to do. On the one hand, it efficiently exfiltrates all sorts of sensitive information, and on the other, it's rather good at evading detection.
FormBook activity picks up
After a relatively quiet period, FormBook reappeared on the horizon a couple of weeks ago. As usual, the trojan is distributed with the help of spam messages. Researchers from Deep Instinct took a closer look at the campaign and published a comprehensive write-up which tells us how it all works.
The infection starts with a malicious Rich Text Format (RTF) document which, when opened, exploits a couple of vulnerabilities in Microsoft Office's ActiveX and Equation Editor tools. The file connects to a bit.ly shortened URL which leads to a file hosted on dropmybin[.]me (more on this in a minute). After execution, the payload copies itself to the %UserProfile% and %AppData% folders, and it modifies the registry in order to achieve persistence.
With persistence in place, the information-stealing operation can begin. FormBook scrapes passwords from browsers, email, and FTP clients. It has screen-grabbing functionality that periodically takes screenshots of whatever the user is doing, and it also logs keystrokes. All that data is silently uploaded to the trojan's Command & Control (C&C) server.
A large campaign aided by a new malware hosting service
The wave of spam has been relatively strong over the last few weeks, and it will likely continue to be, not least because the crooks appear to be using a file-sharing service that is happy to help them along. As we mentioned already, the payloads are downloaded from URLs hosted on dropmybin[.]me – the same platform that forbids illegal activities while also saying that it will do nothing about them.
The file hosting website is accessible via another domain – dropmyb[.]in – and it seems to be relatively new. In fact, Deep Instinct said that the service was launched around January 19, just as the latest FormBook campaign was starting. The platform is hidden behind CloudFlare, meaning that there's no way of knowing where its servers actually are. For what it's worth, the aforementioned FAQ section does suggest that the people running it are from Russia.
Although it's new, dropmyb[.]in has already received some favorable reviews on hacking forums. Crooks seem to like it, and they have started using it for other malware families as well.
How to protect yourself
The current campaign seems to be aimed mostly at businesses and organizations in the retail and hospitality industries, so it's fair to say that the danger for individual users isn't that huge. That being said, opening files attached to emails you weren't expecting is as bad an idea as ever.
As for the system administrators among you, experts say that a zero-trust policy against dropmyb[.]in and dropmybin[.]me might not be such a bad idea, at least for now.
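For administrators who want to check whether anything on their network has already reached those two domains, here is an added example (not from the article or from Deep Instinct) that sweeps proxy logs for requests to dropmybin[.]me or dropmyb[.]in, including their subdomains. The log format, the client addresses and the URL paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Domains named in the article as hosting the FormBook payloads
# (defanged there as dropmybin[.]me and dropmyb[.]in). Subdomains match too.
BLOCKED_DOMAINS = ("dropmybin.me", "dropmyb.in")

# Constructed proxy-log format for this example:
#   "<timestamp> <client-ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one.
    The leading dot in the suffix check keeps e.g. notdropmyb.in from matching."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)

def flag_payload_downloads(lines, blocked=BLOCKED_DOMAINS):
    """Return (client, url) for every request whose host is on the blocklist.
    Malformed lines are skipped rather than aborting the sweep."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""
        if host_is_blocked(host, blocked):
            hits.append((m.group("client"), m.group("url")))
    return hits

# Constructed sample log lines (not real traffic); the shortener hop and the
# payload fetch mirror the chain described in the article.
SAMPLE_LOG = """\
2019-02-05T10:01:02Z 10.0.0.21 GET http://bit.ly/EXAMPLE-SHORTLINK 301
2019-02-05T10:01:03Z 10.0.0.21 GET http://dropmybin.me/EXAMPLE/payload.exe 200
2019-02-05T10:02:17Z 10.0.0.33 GET https://www.example.com/index.html 200
2019-02-05T10:03:44Z 10.0.0.33 GET https://cdn.dropmyb.in/EXAMPLE/x.exe 200
2019-02-05T10:04:00Z 10.0.0.40 GET https://notdropmyb.in/ 200
this line is garbage and must be skipped
""".splitlines()

if __name__ == "__main__":
    for client, url in flag_payload_downloads(SAMPLE_LOG):
        print(f"BLOCKLIST HIT {client} -> {url}")
```

Any hit is worth treating as a likely infected host: the article's chain means the download was most probably triggered by the RTF exploit, not by a user browsing there deliberately.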