'FormBook Tracker' unveiled on the dark web

S2W LAB has found ‘FormBook Tracker’, the operation site of the ‘FormBook’ malware, on the dark web.  The site contains information about 9,173 infected machines worldwide (as of 07/19), including each affected machine’s OS, IP address, date of infection and last activity date.  Based on the information from the site, China, the USA and Turkey are the top 3 countries with the most infected machines.  All command and control (C&C, hereafter C2) servers use hosting services in the USA and the Netherlands.

FormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016. The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords.

(source: https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html)


Geographical mapping of infected machines

The geolocation of the infected machines was identified based on IP address.  China (1,976), Turkey (647), USA (566), India (480) and Vietnam (344) are the top 5 countries by number of infected machines.


# of infected machines (unique IP addresses) by infection date (2020/01/01 to 2020/07/19)

The number of infected machines increased dramatically in July 2020.  Not only the number of infected machines but also their geographical spread grew, mostly in the June to July period.



Key Statistics for FormBook Infection in 2020 – Top 4 countries


Key Statistics for FormBook Infection in 2020 – South Korea

311 machines have been identified in South Korea.  Most of the infections are concentrated in the metropolitan area.

Infection in South Korea started on April 27th.  The infection rate dropped in mid-July; however, on July 14th the number of daily infections suddenly hit its peak, and many infected machines were still alive afterwards.



In-depth analysis on infected machines from South Korea


- In general, bot lifetimes are comparatively long.  57.2% of infected machines have a bot lifetime longer than 1 day.  Only 20 out of 311 machines have a lifetime of less than an hour, which can be assumed to be ‘sandboxes’.



- Among the victims, Windows 10 is the most common operating system. FormBook seems to target Windows and affects all versions, including the most recent one.



- FormBook version 4.1, known to be the latest version, dominates the victim population; this might be the first report of its successful debut.
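The bot-lifetime and geography figures above come from the tracker site's per-machine fields (OS, IP, infection date, last activity date). The following is an added example, not code from S2W LAB or from the report, of how an analyst can reproduce that kind of analysis from exported records: lifetime is taken as last activity minus infection date, bots alive for under an hour are flagged as likely sandboxes (the report's heuristic), and the share of bots living longer than a day, the per-country and per-OS counts and the daily infection series are computed. The records are constructed sample data, and the country column stands in for an IP geolocation lookup that is assumed to have been done upstream.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records in the shape the report describes for the tracker
# site. IPs are documentation ranges; the country column is assumed to come
# from a separate IP geolocation step.
SAMPLE_RECORDS = [
    # (os, ip, country, infection date, last activity date)
    ("Windows 10",  "203.0.113.10", "KR", "2020-04-27 09:12:00", "2020-05-30 18:40:00"),
    ("Windows 7",   "203.0.113.11", "KR", "2020-07-14 01:00:00", "2020-07-14 01:35:00"),
    ("Windows 10",  "203.0.113.12", "KR", "2020-07-14 02:10:00", "2020-07-19 02:00:00"),
    ("Windows 10",  "198.51.100.5", "CN", "2020-06-02 10:00:00", "2020-06-02 21:00:00"),
    ("Windows 8.1", "198.51.100.6", "CN", "2020-06-03 10:00:00", "2020-07-10 10:00:00"),
    ("Windows 10",  "192.0.2.7",    "TR", "2020-07-01 08:00:00", "2020-07-01 08:20:00"),
]

TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Bot:
    os: str
    ip: str
    country: str
    infected_at: datetime
    last_seen: datetime

    @property
    def lifetime(self) -> timedelta:
        # "Bot lifetime" as used in the report: time between first check-in
        # (infection date) and the last observed activity.
        return self.last_seen - self.infected_at


def parse_records(rows):
    """Turn raw tracker rows into Bot objects, rejecting inconsistent dates."""
    bots = []
    for os_name, ip, country, infected, last in rows:
        infected_at = datetime.strptime(infected, TIMESTAMP_FMT)
        last_seen = datetime.strptime(last, TIMESTAMP_FMT)
        if last_seen < infected_at:
            raise ValueError(f"last activity precedes infection date for {ip}")
        bots.append(Bot(os_name, ip, country, infected_at, last_seen))
    return bots


def likely_sandboxes(bots, max_lifetime=timedelta(hours=1)):
    """Report heuristic: a bot that goes quiet within an hour is probably an
    analysis sandbox rather than a real victim."""
    return [b for b in bots if b.lifetime < max_lifetime]


def share_longer_than(bots, threshold=timedelta(days=1)):
    """Fraction of bots whose lifetime exceeds the threshold (0.0 .. 1.0)."""
    if not bots:
        return 0.0
    return sum(1 for b in bots if b.lifetime > threshold) / len(bots)


def top_countries(bots, n=5):
    """Countries ranked by number of infected machines, counting unique IPs."""
    unique_by_ip = {b.ip: b for b in bots}
    return Counter(b.country for b in unique_by_ip.values()).most_common(n)


def os_distribution(bots):
    """Victim operating systems ranked by count."""
    return Counter(b.os for b in bots).most_common()


def daily_infections(bots):
    """Sorted (date, count) series of new infections per day."""
    return sorted(Counter(b.infected_at.date().isoformat() for b in bots).items())


if __name__ == "__main__":
    bots = parse_records(SAMPLE_RECORDS)
    print("bots:", len(bots))
    print("likely sandboxes:", [b.ip for b in likely_sandboxes(bots)])
    print("share alive > 1 day:", f"{share_longer_than(bots):.1%}")
    print("top countries:", top_countries(bots))
    print("OS distribution:", os_distribution(bots))
    print("daily infections:", daily_infections(bots))
```

The sandbox threshold and the one-day threshold are parameters, so the same functions can be re-run against a full export with the report's own cut-offs; machines that the heuristic flags should still be confirmed by other means (for example, the identical-SID pattern the report mentions) before being excluded from victim counts.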


Key Findings


1. Operation FormBook is an ongoing threat campaign.

2. The operator behind the campaign has leveraged the dark web to monitor the compromised PCs and servers.

3. The operation has compromised at least 9,000 PCs/servers worldwide, and at least 44 C2 servers have been operational.

4. A quick analysis of the operation site implies that secondary damage is possible, since communication between the C2 servers and the compromised machines lasts more than a week.

5. Possible cases of malware communication:

   a. The beacon lifetime between the C2 server and the target node is long, which eventually compromised the node.

   b. FormBook malware is preserved in a sandbox, or in the same virtual machine image (identical SID), on purpose by security teams to monitor live C2 servers and counteract the malware.

   c. Some of the victims appear to be honeypots or related to security devices owned by businesses and public institutions.

Security Advisory

It is recommended that response teams update their C2 domain lists and cut down the analysis time/period, since this type of operational page encourages attackers to advertise and capitalize on their system to potential hackers/buyers by luring them with such live information.



We will continue tracking ‘FormBook Tracker’ and report new findings at www.s2wlab.com.  Should you have any information that you think might be valuable to our research, please contact us at info@s2wlab.com.



S2W Lab Inc. | CEO: 서상덕 | Address: 9F Ireum Building, 225-18 Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do | Business registration no. 641-88-00997

Contact: 070-5066-5277 | Email: info@s2wlab.com