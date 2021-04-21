
Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II

04/21/2021 | 11:08pm EDT
FortiGuard Labs Threat Research Report

Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collect Sensitive Information from Victim's Devices
Severity level: Critical

This is Part II of a threat analysis series examining a phishing campaign that FortiGuard Labs captured in our SPAM monitoring system. The sample we captured was attempting to deliver 'FormBook' malware through a PowerPoint document attached to an email. FormBook is malware designed to steal sensitive information from a victim's device and to receive control commands to perform additional malicious tasks on that device.

In Part I of this analysis, I explained how the VBA code in the PowerPoint file downloads a PowerShell file, how that script extracts a .Net framework file, and how the FormBook payload is processed through three .Net modules.

In this second part, we will examine the anti-analysis techniques FormBook performs, the Windows processes it targets, and how the FormBook code running inside AddInProcess32.exe injects itself into a randomly picked Windows process. We will then see how FormBook uses that Windows process to inject itself into a number of further target processes.

Payload File Runs in 'AddInProcess32.exe'

As mentioned in Part I of this analysis, the FormBook payload is injected into a newly created process, 'AddInProcess32.exe', and the relevant thread registers are set to point to the entry point of the injected FormBook code. The injected code starts executing when the AMe8 module calls the API ResumeThread(), which is the point where this post picks up.

The FormBook payload is a 32-bit native-code PE file (an EXE), not a .Net module. Figure 1.1 is a screenshot of FormBook's entry point function.
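The distinction between a native-code PE and a .Net module matters when triaging the dropped files from this campaign: the .Net modules from Part I and the FormBook payload are all PE files, and only the headers tell them apart. The following is an added example, not code from the FortiGuard report or from FormBook, showing how to make that determination offline by parsing the PE headers directly. A .Net module carries a non-empty CLR header in data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), and the optional-header magic gives the bitness. The constants are the standard winnt.h values; the header-only PE image built by `build_minimal_pe32()` is constructed here purely for demonstration and is not a real sample.

```python
"""Classify a PE image as 32/64-bit and native vs .Net (CLR) by parsing its headers.

Added example for this analysis; not code from the report or the malware.
"""
import struct

# Standard winnt.h constants.
IMAGE_DOS_SIGNATURE = 0x5A4D                 # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550              # 'PE\0\0'
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14    # CLR header: present only in .Net modules


def classify_pe(data: bytes) -> dict:
    """Return machine, bitness, entry point RVA, DLL flag and .Net-ness of a PE image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")

    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte PE signature.
    machine, nsections, _ts, _symptr, _nsyms, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                        # start of IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (same offset in both)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        bits, num_dirs_off, dirs_off = 32, opt + 92, opt + 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        bits, num_dirs_off, dirs_off = 64, opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    # Only read directory 14 if NumberOfRvaAndSizes says it exists.
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    clr_rva = clr_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)

    return {
        "machine": machine,
        "bits": bits,
        "sections": nsections,
        "entry_point_rva": entry_rva,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        # A native payload like the one discussed here has no CLR header at all.
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_minimal_pe32(dotnet: bool, entry_rva: int = 0x1000) -> bytes:
    """Constructed, header-only PE32 image (no sections) used as sample input; not a real binary."""
    img = bytearray(64 + 4 + 20 + 224)          # DOS header + signature + file header + optional header
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 64)       # e_lfanew: NT headers immediately after DOS header
    struct.pack_into("<I", img, 64, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", img, 68, IMAGE_FILE_MACHINE_I386, 0, 0, 0, 0, 224, 0x0102)
    opt = 88
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", img, opt + 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 92, 16)          # NumberOfRvaAndSizes
    if dotnet:
        # Fill the CLR header directory entry with placeholder RVA/size values.
        struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(img)


if __name__ == "__main__":
    for label, sample in (("native", build_minimal_pe32(False)), ("dotnet", build_minimal_pe32(True))):
        print(label, classify_pe(sample))
```

To use it on a real file, pass `open(path, "rb").read()` to `classify_pe()`. Note that the entry point alone does not distinguish the two kinds: a .Net EXE still has a native AddressOfEntryPoint (a stub into mscoree), so the CLR data directory is the reliable signal.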

