
Selling Formbook

BSides Barcelona, 39:37, published 2022-01
About this talk
Researchers Victor Acin and Borja Rodriguez analyze Formbook, a sophisticated password-stealing malware sold as a service on underground forums. The talk traces the malware's evolution, distribution mechanisms, technical evasion techniques, and the threat actor behind it, illustrating how cybercrime operates as a structured industry.
Original YouTube description: Selling Formbook (Borja Rodriguez, Victor Acin)
Transcript (en)

Today we want to talk to you about a piece of malware called Formbook, which, well, we will try to showcase as a good example of what we believe is cybercrime and the cybercrime industry, how it works, what it does and how it does what it does. Okay, so first we'll introduce ourselves. Then, because I don't know exactly what background each of you has, we want to introduce just a tiny bit how cybercrime is right now, at this point in time. Then we will overview the malware sample, the distribution of the malware sample, the panel, how it works, the tricks it has, that kind of

stuff, and afterwards we'll just talk about the threat actor behind this malware, the developer who made the malware and his history with it. Okay, so let's start. I'm Victor Acin, I am the Labs team lead at Blueliv. My job mainly entails threat analysis with a bit of reverse engineering on the side; I know, I wish as well that this was the other way around, but it is what it is. If you have any doubts and you have any questions that we can answer right now, you can just send an email. Okay. Hi, I'm Borja, I've been working at Blueliv for four years and for the last two I'm a Labs team member, and I'm

working doing threat analysis and threat actor tracking and other things. Okay, so let's cut to the chase, the interesting part. That's better, right? Hello? Yeah, okay. So cybercrime is a living entity: it adapts to the countermeasures and it evolves with time. What does this mean? That means that when we try to look at an event that happened related to cybercrime, we also need a context, and that context is usually time, the technology available, world events, that kind of stuff. Okay, which is what we will try to do right now. What, wow, okay. So what you cannot see here is the picture representing the current state of cybercrime

right now. Cybercrime can be seen as a sort of industry in which you have your providers, you have people creating services, you have channels to exchange information, you have channels to sell information, and you have clients, from organizations, well-organized groups, to the script kiddies. You have almost everything in here: people that code for money, people whose only job is focused purely on distribution of malware, others that the only thing they do is try to gather information as well and sell it, related to distribution campaigns, and then you have researchers meddling in the middle, which sometimes you find as well. In this case, because we're dealing with

a malware-related cybercrime operation, I wanted to introduce you to the concept of the kill chain. The kill chain is just these steps which describe what the threat actor or the threat actors have to do from the moment they decide they want to infect someone or some group of people to the moment in which they manage to steal their data. The first step, which would be reconnaissance, is just an attempt to gather information. Let's say you want, for example, to attack a company, a known company; so what you want to do is find out how they configure the users, how their emails work, what kind of signatures they

have, do they have a firewall, do they have a WAF, that kind of stuff, you know, anything that can stop you when you try to attack them. In this case, for example, if you wanted to attack United Kingdom people just in general, you know, targeting civilians, you would need to try a list of emails that you know belong there, because that way you can make very focused campaigns. The next step, which is weaponization, would be to look for that exploit, that exploit kit, that vulnerability, or just a Word macro that you can use in order to infect those people. Lure, which is the next step... these three steps can

almost always go together. So in an email, for example, an email campaign, you would have an email with an attachment, and that email has a content, and that email is sent to someone in particular. So the email might be the lure, like "hey, have you seen these photos in here that I'm sending you"; the weaponization might be the exploit that's inside those photos; and the redirection and exploitation would be when you manage to get the user to open that file. Once the user has opened that file, the infection phase begins. This is when the malware sets up its house and gains persistence and decides that it's going to live in that computer

because it's of interest to it. So we are assuming that it's able to tell a real user from a VM, from a sandbox, from a researcher sandbox, you know, that kind of stuff. After verifying all of the information it will contact its command and control server, which is the server that the threat actor or the actors, the group, will use in order to manipulate the sample, and then it will begin stealing data. So for Formbook... oh yeah, sorry, I forgot about this. In here I'm just showing some examples of forums mostly frequented by script kids and that kind of stuff, that kind of low-level profile, in which they are already

offering. In here, this last entry says "Windows installation uniqueness"; this is a guy offering a service. He already has a botnet deployed with, I'm just making this up because I can't remember the exact number, 1000 bots, and he says "look, I have actually 1000 computers, I am renting them to you, you can infect those computers if you want and you skip the first four steps of the kill chain". He's just offering that service. In here you can see people offering tutorials, how to create an exploit pack for newbies, that kind of stuff. Here, a tutorial for newbies on how to set up an ecb.net panel. So they are trying to

transfer knowledge, they are trying to teach future cybercrime people who will want to commit felonies as well, and that's just another example as well. Okay, now about Formbook. What is Formbook? Formbook is known for being one of the best information-stealing malwares out there. It has support for more than 80 applications, Borja will tell you about that afterwards. The techniques it uses are known as form grabbing and keylogging. I am sure most of you know what keylogging is, but form grabbing is not so well known as keylogging. Form grabbing is basically a technique which works through infecting a known process, for

example the Chrome process, and then hooking the calls it makes to make the requests to the server it's contacting. That way it can examine the buffer that you have in that request and steal information from there. It's also a credential stealer. We call credential stealers every malware that has the capability of going to the Chrome, Firefox or Internet Explorer password vault, which is where they store the credentials, you know, that message that pops up: "hey, do you want to store your credentials for this very critical service?" Yes, okay. Well, when you get infected the malware will go to that database and steal all of your stuff. And then another characteristic that I find

very interesting, besides being sold on underground forums instead of markets or peer-to-peer, which also happens, is that Formbook offers a subscription plan. You can basically pay like 30 dollars a month and you get your domain, you get your host, you get your sample, and you only have to distribute it; everything else is set up for you. So in order to understand how Formbook works and how the people around it are using it, we need to analyze every piece of knowledge that we get, and from a research point of view the pieces of knowledge we get are command and control servers, we get samples, we get emails used for the distribution,

we get everything we can: communications, keys they use. All of that is what we call indicators of compromise or indicators of actor, and this stuff can identify a single actor among a group, for example, or a targeted attack, just based on that information, and it's what we'll try to showcase today. Okay, now I will continue with the distribution and the campaigns we have detected for this presentation. While we were investigating Formbook we found some campaigns that were a distribution of Formbook through email campaigns. These emails have attached an RTF document, and the most affected countries were United Kingdom, United States, Canada, South Korea and France. This campaign was executed in the last quarter of 2019,

and these documents take advantage of two exploits: the Microsoft Office Memory Corruption Vulnerability and the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability. I know that the name is very long, but I'm sure you... do you remember, if I'm not mistaken, do you remember a news piece that said "hey, be careful because we found a vulnerability that exploits the Equation Editor", the formula thing for docs? Well, that's the thing that they're using. Yeah, both of them are affecting the Microsoft Office software and the two are buffer overflow vulnerabilities too. While we were investigating this we found that they are using common subjects; all of them

are talking about product orders, quotations and inquiries. We found that there are eight different subjects, and we found six different documents. Here we can see some of the subjects they were using, and we found four different campaigns using different emails. We can see here that they bought some domain, and here they were using a free domain, and using Gmail, maybe from accounts that were stolen. Here we can see two examples of the emails they sent; you can see that they both are targeting some corporations, and they want to infect this kind of people. Yeah, basically the content of the email plus the subjects we've seen before

make reference to corporate contexts, which is why we assume that they are targeting companies and not particular people, or individuals. Then now Victor will talk about, yeah, about the thingy, the reverse engineering thingy. Yeah, okay. So first thing, and that's something that I find very interesting: Formbook is so compact. That doesn't usually happen. Usually when you buy malware and you find malware, the malware usually comes with a builder, and the builder has some sort of FUD, which is a fully undetectable packer, which gives you a final payload that allows you to just distribute it immediately. That way, when you sell your stuff to script kiddies, they won't [ __ ]

up, okay, and send something that's just the raw malware. This works in our favor and against us. In this case I found Formbook with Visual Basic Script packers, .NET, C++, Delphi packers, very different stuff, you know, with very different techniques, unpacking into a new process and unpacking in the same layer. And as I was saying, this has advantages and disadvantages; mind you, these are switched around, these are advantages for them, not for me. Okay, so one of the advantages is that it's hard to unpack automatically. When I'm investigating a new sample or when I'm trying to follow a campaign, one thing that I try to do is to make a

script that will automate the unpacking so that I can more easily identify changes and that kind of stuff. Well, this is hard with Formbook, basically because each packer uses its own technique and recognizing them is more difficult. On the other hand, as a disadvantage for them, you can find samples that are not packed, making the first step of reconnaissance, of trying to understand the malware and find samples for that malware, a bit easier. Another thing that I found very interesting as well is that Formbook has a ton of anti-features. Anti-features are all of those features whose job is to hinder the researcher's analysis of the sample, and these are just anti-debuggers,

anti-sandbox, anti-VM, anti-analysis, all of that stuff. I wanted to make a special mention, and I will ask anyone who speaks French in the room to please forgive me for making your ears bleed: I wanted to thank Rémi Jullian (I know that I didn't pronounce that very well) from Stormshield, who published a very, very, very detailed blog post related to these anti-measures. Okay, so let's just have a quick overview of these measures. For anti-sandbox and anti-VM techniques it has the dynamic function calling; it loads its own copy of ntdll so that it erases any hooks you may have in that; it checks for running processes that are known to be used by researchers;

it checks the loaded DLLs, sandbox paths, usernames, and there are a few more that haven't been listed. I wanted to speak about, just to add a bit of my thing here, just a couple of screenshots about the dynamic function calling. As we will see later on, Formbook tries to have the least amount of information available on the go for the researcher, so everything is encrypted in buffers, and in this case it has a buffer with the list of hashes, and these hashes correspond to the CRC32 of a function name. Okay, so when it wants to call a function dynamically, in this

case NtQuerySystemInformation, what it will do is resolve the address first, and afterwards, in here, I'm not sure if you can see it, there's a call eax which will make the dynamic call. Okay, so how does it do that? First it gets the CRC32 for that call, and then it goes to the header of ntdll, in this case, looks at the exported functions, and makes the CRC32 of all of the functions until it finds a match. As you can see here, in eax you have the same value. Here, well, that moved, but that's a Python command line, and in here, down here, you can see that there is

the same number as up there, and that's the CRC32 for NtQuerySystemInformation. After doing that it will just perform the call; as you can see, in eax you have the beginning of the function. Okay. I also wanted to mention, I don't know if there are a lot of malware-savvy researchers here, but when malware wants to iterate around the different processes that are running in the system, what you usually see is them making use of a function called CreateToolhelp32Snapshot, something like that, which just takes a snapshot of the processes that are running. Okay, in this case what it does is use the function that I mentioned previously,

NtQuerySystemInformation, with the flag you can see down there, SystemProcessInformation, which will return the same structure, or one very similar to that of the other call, but this is way sneakier. When you are checking out the behavior of the sample, instead of seeing a call that just tells you "hey, I'm looking at all the processes", you see something querying for information, and unless you know that 0x5 is the flag that you need to get that information, you're lost. I just thought it was cool. As for other things it does, it checks for anti-debugging as well, and in this case it checks for kernel debugging,

which is something unusual as well, using the same function I mentioned before. And then, instead of going like every malware to the PEB and checking if it's being debugged with BeingDebugged, it just checks if there's a process debug port open, which is a bit sneakier as well and harder to bypass. Okay, now to the encryption. Remember that I mentioned some buffers? Well, I hoped that the asm would be better, but it is not, so, well, it's fine. I mean, the only thing it needs to do in order to decode the information... it has two different functions to decode different types of buffers: some are

encrypted, the others are encoded. For the bytes that are encoded, the developer just applies a series of transforms that I don't think are a standard, just something he cooked himself, and the other one is encrypted with RC4, like almost everything else in the sample. In this case what it does, and that's the interesting part, you see that function here, get encrypted buffer; the only thing it does is call the next instruction, yeah, call $+5, which will call the pop eax. When you do the pop eax after the call has pushed at the top of the stack the return address, you put the return address, which is the beginning of the

function, in eax. Okay, so now you have this address in eax. When it returns it will add 2 to eax, so now it's pointing here, and it will get into the code block. The only thing the code block will do is check if that begins with the prelude of the function, as you can see in here, yes, 55 8B, like here, 55 and 8B. If it begins with the prelude of the function it knows that after that call there is an encrypted buffer; it will add three, yeah, and that gets you this address here, which is the beginning of the encrypted buffer. I just thought that was something cool

it does. Nothing in here is new, I mean, all of this is done by other samples; I just think that Formbook is very interesting because it kind of gathers a lot of small things and small techniques. What you can see in here, any reverse engineer will tell you that this looks like a checking function. Every time that Formbook launches one of those anti-checks, so the anti-debug, the kernel debugging, the VM, being executed in a sandbox, every time it does that it will fill in a structure that it keeps internally, and this structure has just a bunch of flags, and that's what

it's looking at here. Okay, every one of these conditions is: am I in the box now? Am I in a sandbox now? In a VM? No, next, next, next, next, next. When you have reverse engineered some samples, the first thing you will try to do is say "okay, I'm just skipping all of this, I don't care where you think you are, I'm telling you where you are, and you are not in a sandbox, so continue your execution". Thing is, every time it fails one of these checks it modifies the CRC32 list, so the next time it attempts to resolve a function

it will get a new pointer, it will call a new pointer, and the sample will crash. So you have to actually manage to bypass each of them one by one, or else you don't get the sample to execute. Assuming it passes all of those checks, it injects a payload into explorer.exe, as well using lesser-known methods, and then it executes an executable from a list of processes. And then, if everything worked correctly, it will tidy up the house: it will gain persistence so it can survive reboots, and then it will delete the original sample so there's no trace that it has been there, and then it will start stealing, which

is the whole purpose of the malware. How does it do that? Besides checking out the vaults, which is something that's very common already, Formbook will hook different APIs, some of them very common, like HttpSendRequestA or W, and it will just put a hook in there and get the buffer when you're trying to send the request. When examining the buffer, if the buffer has some keywords like login, username, password, it will keep that data and send it to the command and control server, and now he has your data. The interesting part about this... okay, sorry, I was just using a white screen and everything looked fine, but

here it just compressed a bit, sorry. What it does in here, I don't know if you can... well, I think the highlighted parts are clear enough. So basically this is just a dump, with Volatility, of a process being hooked by Formbook, and what it has done is hook a module; it's very targeted, because it's from the Mozilla framework, it's nss3.dll, and this has a function called PR_Write which is used to write to buffers or sockets. So he has put this very surgical hook, instead of hooking a more common API; it's targeting Firefox specifically, and I just thought that was

relevant as well. And now Borja will continue with an explanation related to the panel and the communications. In the last months Formbook has evolved a lot, and you now can find the version 4.2, but the most common versions that we can find in the wild were the 3.8 and the 3.9. But here we can see the version 3.1, as it was published in a forum. When you're logged in you can find the dashboard; in this you can see some statistics about the exfiltrated data, here, and well, here you can see some of the users and where was their last login, and you can see the panel has a lot of

languages, with support to translate this panel. You have a lot of detailed views about the forms, the keystrokes or the passwords that Formbook was stealing, and you can see there a feature of Formbook that is pretty cool, because it's like a file browser in the computers that were infected by Formbook. In this case, this functionality in this version wasn't finished, but in the newest versions it's working. And there you have a view with the control panel of the users. Every customer has an individual panel that is identified with this part of the path, this is the account name of the panel; every

customer has one, but every panel can have multiple users. Let's talk about the encryption and the communication with the C2. The first step to do the communication is to get a key. Every key is unique, but it's per account name. To do this, Formbook takes the domain and the account name and does a hash; its result is not the final key, because Formbook does a special... it's not a special operation: he changes the endianness of the hash, to get the little-endian version of the hash, and then we have the key and we can encrypt the communication using RC4. Then the first step of the sample

is to register itself in the panel. To do this it must send a special packet that starts with a magic header, identified by FBNG, followed by a CRC32, the version of the panel, the operating system name and the user, encoded in base64. All this information is encrypted in RC4 and is included in a random parameter that later will be used. You can see here in green some information, and parameters that are fake parameters to try to disguise the other parameters. And the important things: to exfiltrate information, first of all it takes the information and identifies every packet with this string, where they say the software that is affected and the kind

or the type of the information that it's actually treating. With all this information, the sample encrypts it and puts it inside that parameter, followed by another one; they use base64, and this parameter is important because it's an integer that identifies the type of the information that is being exfiltrated. All this information is another time encrypted in RC4 and put inside the previous parameter that we've seen. Then, in... oh [ __ ], this is the code of the panel. Okay, you can see here a function that is called, and this identifies the type of the data exfiltrated. Here you can see that when the parameter is nine it is calling a function that

is called log keys, that is used to exfiltrate the keystrokes, the recovery data, the passwords and all this kind of information. Every packet that is sent to the C2 collects information like the IP, the ID of the bot, and another kind of information that is important for the bots. And now we will talk about the threat actor and how the sales were evolving in the last years. The main actor, the programmer of Formbook, is ng-Coder, who started his activity in Hack Forums, which is an underground forum, and started taking part in programming threads that are talking about assembly, C and C++, and some pen testing and hacking

threads. Initially he was selling some shellcodes, but in February of 2016 he started to sell Formbook, the first version. The first version only was a form-grabbing malware and only worked in Internet Explorer, Firefox and Chrome. Later, in May of 2016, the version 2 was released; in this case he added one of the most important features, that is the recovery of passwords on some software like Outlook, Chrome and Firefox. Well, he created a new thread to sell the version 2, but when he started to sell the version 3 he updated this thread, then we don't know how the advertisement was, how the logo

looked, yeah, but with an educated guess, we think that it's pretty similar. Then one of the things that is pretty cool in Formbook is that in July of 2016 he started to sell Formbook as a service. He has three kinds of plans, that you pay every week, every month or every three months, and he hosts your panel and will deliver you the binary. You can buy the binary hosting your own panel too; well, this is the same. When you have the problem, when there are updates, you can send by private message your account ID, then he delivers you the binary updated with the new version.

In April of 2017 the version 3 was released, and there are a lot of updates that were important, like the complete encryption of the communication, the fd connect, and more browsers and bug fixes that were updated. One of the important things here is this: now one computer can be infected by two or more Formbooks, then two people that buy a different Formbook with their own account can infect the same computer. Well, the prices were updated and now were higher than the previous version, but you continue having the same kind of packages. Well, in October of 2017 ng-Coder stopped selling Formbook because it was used in email campaigns and he

said that it's not the way that he wants Formbook to be used, yeah, because Formbook is supposed to be an educational tool and you have to use it, you know, to spy on your kids and your wife and this. Okay, after this stop, some users were approached by impostors of ng-Coder; they were contacted via Skype, and well... this is moved, yeah, sorry, at some point I think we misplaced this screen. This is just the software support platform; yeah, there, in the top of the images, you can see the software that have support for their password recovery, and there are a lot of software that supports the keystroke exfiltration, the form grabbing and the sniffing.

At the end, what was on top was just applications. Okay, and this is repeated, sorry. Okay, and after this, Formbook seems to have appeared in some markets where it's sold too, like this one, that is Hack Tools, a software or malware market, and there are other people that say that they have the cracked version of Formbook and sell it in other forums. I get the feeling that the tendency of bad guys of using dark themes is playing against us here, but in this screenshot you're supposed to see the text saying that,

and this is a guy that has three accounts of subscription of Formbook and he wants to sell two of them, and he says that he has the approval of ng, that is the main threat actor involved in this. Okay, okay, so now back to me. Wow, it's really a relief to have these stops and be able to exchange, you know, to have more takeovers, because I sometimes forget to breathe, and at the end I was like "oh my god, I have to stop speaking", and it was really hard. But, you know, well, just as a conclusion. Okay, overall Formbook appears to be coded by someone who has a bit of experience; it's

not a malware made by some script kiddie, and that's important because, by how he works, by having a subscription model, it allows lesser cybercriminals, so to say, to use his more advanced malware, which gives them tools that they are not supposed to have and enables them to do more damage with the same technical knowledge. As you have seen, I hope, during the assembly detail, and well, as you have not seen thanks to how the screenshots came out, the code is relatively clean, the flow of execution is kind of all right as well. It has extensive support for many applications; that means that the guy has actually

gone and studied how they worked, what functions they use and how to hook them in Windows 7 and Windows XP and Windows 10, so, you know, changes in versions, that kind of stuff. Also, even though the techniques he uses are known, they are not something new, he hasn't invented something new, the thing is that most of them are very sneaky and you don't usually see them in common malware. On the other hand, it does make use of very weak encryption mechanisms. I remember, when I was working in pen testing, I remember having a client telling me that RC4

is not encryption, it's encoding. So, you know, well, using RC4 for the communication and encrypting the buffers, it's not very heavily encrypted, but I do believe this is the result of a trade-off: if you want to be sneaky you cannot use heavyweight APIs like the encryption APIs, so that might be the reason. On the other hand, the choice for the communication key, that is a mistake for me, using the hash of the domain, and not being packed by default, that I do think as well is a mistake or something that he could improve. So even though it has its flaws, we do believe, well, we know that the malware is

still being maintained, but even though sales have stopped, if the malware is still being maintained, that must mean that the guy is generating enough revenue with the clients it has right now. Okay, so that makes him a bit more dangerous, because he can now focus on those clients and develop for them, and we don't get the updates, because when he was posting on the forum, "hey, I have now implemented a new system, a new hooking engine", okay, so you just go to the part of the hooking and you see the changes. That makes it more difficult for us to follow him and to track him, and he gets to keep doing

his job, which is to steal from people. I hope you have seen what we intended with this, which was to showcase just one research: we have gone over distribution, how the malware works, we have seen the panel, the communication, the encryption techniques it uses. With all of this information, for example the encryption key, we can track the different campaigns, we can track the different actors, you can try to correlate them; for example, as you've seen before, the emails, using the email and then the sample, that document, you can execute it in a sandbox, get the RTF, extract the payload, from the payload extract the key or the C2, the

command and control server, and you can follow a specific group, see who is targeting, why are they targeting them, what's the level of experience, and that's what we basically try to show you, how we do it. I believe you will find most of the IOCs we used through this in the Blueliv community; you can have even more IOCs for Formbook if you want to do a bit of poking around. We have command and control servers, hashes, I believe there are even some emails; I just encourage you to come and get them if you want them, and also if you want to share, you're more than welcome. So, questions? [Applause]

I'm not seeing questions, but I wanted to thank all of you, because I think I've heard someone laugh at one of our jokes and that really motivates me to keep improving and making my presentations better, so to that guy, thanks. Okay. "Hi, great job guys, thanks for the presentation. I just wanted to know if you have any estimation of how much money this guy may have gotten from the software, from the licenses." We did try to make an estimation, but it was running a bit wild, based on some guesses which I think are very bad. He was about making about half a million as of now, but that's, I

think, we're exaggerating, because we were just trying to count the different domains we found, which, if a domain identifies a client, you can get the amount of domains, or the amount of time that path was active, and from that you can try, assuming they are using, because they are not dumb, the cheapest subscription, you can try to guess. But I mean, probably some didn't pay, probably some are from the leaked version, probably some, we don't know, some might be from the beginning, maybe they haven't updated the subscription plans, so half a million is a wild guess, but

yeah, that could be an option. We haven't done it yet, though. Okay.
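The dynamic function calling described in the talk (a buffer of CRC32 hashes, each matched against the CRC32 of every export name until one fits) can be reversed from the analyst's side: hash a candidate export list once and look each value up. The following is an added example, not code from the speakers or from Blueliv. It assumes an unsalted standard (zlib) CRC32 over the plain ASCII export name and a flat little-endian DWORD hash buffer, and it uses a constructed candidate list in place of a real export table.

```python
"""Map CRC32 hashes of API names back to names (analyst-side helper).

Added example, not from the talk or Blueliv. Assumptions: the hash is the
standard zlib CRC32 of the plain ASCII export name with no salt, and the
hash buffer is a flat array of little-endian DWORDs. CANDIDATE_EXPORTS is a
constructed stand-in for a real ntdll/kernel32 export table.
"""
import zlib
from typing import Dict, Iterable, List, Optional

# Constructed candidate names; in practice dump the export table of the
# DLL the sample maps (the talk notes it loads its own copy of ntdll).
CANDIDATE_EXPORTS: List[str] = [
    "NtQuerySystemInformation",
    "NtQueryInformationProcess",
    "NtCreateThreadEx",
    "NtWriteVirtualMemory",
    "LdrLoadDll",
    "RtlInitUnicodeString",
    "CreateToolhelp32Snapshot",
    "IsDebuggerPresent",
]


def crc32_name(name: str) -> int:
    """CRC32 of an export name as an unsigned 32-bit value."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name once, instead of re-hashing every export per
    lookup the way the sample walks the export table until it finds a match."""
    table: Dict[int, str] = {}
    for name in names:
        h = crc32_name(name)
        # Two real exports sharing a CRC32 would make resolution ambiguous;
        # report it instead of silently overwriting the earlier name.
        if h in table and table[h] != name:
            raise ValueError(f"CRC32 collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int],
                   table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Resolve each hash; None means no candidate matched. The talk notes the
    sample rewrites its CRC32 list when an anti-analysis check fails, so a
    list that suddenly stops resolving against the right table is a hint that
    it was tampered with rather than that the table is incomplete."""
    return {h: table.get(h) for h in hashes}


def parse_hash_blob(blob: bytes) -> List[int]:
    """Split a decrypted hash buffer into little-endian 32-bit values
    (assumption: the buffer is a flat array of DWORDs)."""
    if len(blob) % 4:
        raise ValueError("hash buffer length is not a multiple of 4")
    return [int.from_bytes(blob[i:i + 4], "little")
            for i in range(0, len(blob), 4)]


def report(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """One human-readable line per hash, in the order given."""
    return [f"0x{h:08x} -> {name or '<unresolved>'}"
            for h, name in resolve_hashes(hashes, table).items()]


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    # Constructed buffer: two hashes of candidate names plus one filler value
    # that matches nothing, to show how an unresolved entry is reported.
    blob = (crc32_name("NtQuerySystemInformation").to_bytes(4, "little")
            + crc32_name("LdrLoadDll").to_bytes(4, "little")
            + (0xDEADBEEF).to_bytes(4, "little"))
    for line in report(parse_hash_blob(blob), table):
        print(line)
```

Run it as a script to see the constructed three-entry buffer resolved; against a real sample, feed `parse_hash_blob` the decrypted hash buffer and `build_hash_table` the export names of the DLL the sample maps. Keeping the table as a dict rather than re-hashing the export list per lookup is the analyst's shortcut for the linear walk the talk describes.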