By: Adam Martin and Nathaniel Sagibanda
The holiday season is a time of joy and relaxation, but it often brings an influx of corporate emails ranging from leave approvals to scheduling paid time off. The Cofense Phishing Defense Center (PDC) has recently intercepted a malicious phishing email masquerading as a legitimate end-of-year leave approval notice. Disguised as a formal HR communication, this email leverages the urgency and importance of year-end leave scheduling in order to trick the recipients into clicking a malicious link. This enables the threat actor to steal sensitive information via FormBook malware.
Figure 1: The contents of the phishing email disguised as an HR notice
As shown in Figure 1, the phishing email had the subject line “Mandatory Leave Notice for all employees” to mimic HR communications with professional language and seasonal relevance. The body claimed the recipient’s leave has been “approved”, included a link (“December 2024 Leave/Vacation Approval Lists, Dates and Duration”) to view the approved dates, and prompted users to get more details by logging into the “Central HR Management System”. While it is a well-crafted email, a few red flags are apparent when taking a closer look. The email was flagged as an EXTERNAL SENDER which is a clear indication that the email did not originate within the company. This is because the sender’s email address did not match the organization’s domain. Upon hovering over the link (as shown in Figure 2), a SendGrid-wrapped URL is revealed, which redirects to a malicious domain hosting malware. Clicking on the wrapped link further redirects to a Discordapp URL (Figure 3), where the malware is hosted and subsequently downloaded.
Figure 2: The embedded malicious link
Figure 3: Redirected to discordapp URL to download the attachment
Technical Analysis: Static Attributes
VT Tags from AV Vendors
Figure 4: VirusTotal detections and file hash for the malware sample
Various antivirus vendor detections for this sample note that it is either a generic AutoIt injector or a FormBook sample. Below is a sample of vendor tags assigned to specific malware family’s composition / attributes.
Initial Download
Once the malicious link is accessed by the victim, a .zip file will be downloaded to the default downloads directory. As shown in Figure 5, a potential victim may think that the .zip file contains a .xls related to a notice for employee PTO for the Christmas Period.
Figure 5: .zip file downloaded to default download directory
However, Figure 6 shows that the .zip file contains an executable file.
Figure 6: When extracted, the .zip file contains an executable file payload
File Identification
The first step in the analysis of externally downloaded files is identifying the file type. This identification process is pivotal because malicious downloads often claim to be a different file type than they are (i.e. a fake PDF file that is actually an executable). As illustrated below in Figure 7, our mandatory leave notice is an AutoIt compiled executable. AutoIt, like many other legitimate software development and scripting tools, has been used as a method to perform malicious actions by embedding scripts within an otherwise useful framework. In this case, the sample uses AutoIt as a parent process to inject a script into a target process, in this case, Utilman.exe. The final injection target process is then used to run FormBook in memory.
Figure 7: The sample is an AutoIt compiled executable
Import Table
When analyzing the libraries imported by the malware in Figure 8, there is an indication that there will be network traffic with API calls like InternetReadFile and InternetOpenW which is to be expected as FormBook/Xloader uses HTTP for C2 interaction.
Figure 8: Network API calls imported by the sample
Additionally, various device hooking and input-output monitoring calls such as GetKeyboardLayout, VkKeyScanW, and SetCapture (Figure 9) are imported, indicating that MITRE Technique T1056 (Input Capture) is utilized here.
Figure 9: Various imported API calls for device hooking and input-output monitoring
Debugger check
The IsDeguggerPresent API call is a staple of anti-analysis techniques, and Formbook is no exception to the rule in using it to prevent analysis.
This mechanism disrupts debugging efforts and attempts to prevent the malware from being analyzed.
Figure 10: The debugger detection function used by the malware to impede analysis
Figure 11: If the malware detects a debugger, it will display a deceptive message and end without running any further payloads
Technical Analysis: Dynamic Actions
When the FormBook binary is executed, it begins by performing initial reconnaissance and setup tasks, such as unpacking itself, evading detection, and identifying targets for injection. It’ll use explorer.exe to select its desired infection process (in this case svchost.exe), then spawn svchost.exe by leveraging Windows API calls, and finally inject part of its malicious code into it. This step uses svchost.exe as an intermediate or “staging” process because it is a trusted Windows service and unlikely to ring any alarms. This can be seen below in a suspended state.
Figure 12: The sample uses svchost.exe as an intermediate process to inject a malicious payload to
Malicious Activity Resides in UtilMan.exe
Utilman.exe strings extracted from memory show Formbook collecting system passwords for later data exfiltration.
Figure 13 strings extracted from Utilman.exe
Mitre Tactics Employed
Techniques |
Description |
Tactic |
Valid accounts T1078 |
Abuse credentials of existing accounts. |
Initial Access, |
Native API |
compiled with AutoIt |
Execution |
DLL side loading |
execute their own malicious payloads by side-loading DLLs. |
Defense Evasion |
Process injection |
Privilege Escalation |
|
OS credential dumping |
attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software |
Credential access |
Conclusion
This end-of-year-themed phishing email highlights how cybercriminals exploit trust, urgency, and seasonal relevance to infiltrate organizations. While the email appeared legitimate, scrutiny of external sender warnings, suspicious links, and generic formatting exposed its malicious intent. In this case, the attackers intended to deploy Formbook, a dangerous information stealer capable of harvesting credentials, logging keystrokes, and exfiltrating sensitive data. Such malware thrives on unsuspecting victims clicking malicious links or downloading compromised files.
To protect yourself and your organization, it is important to teach employees these best practices:
– Verify email sources: ensure sender domains match official channels.
– Inspect links before clicking: hover over hyperlinks to confirm legitimacy.
– Be wary of urgent requests: pause and evaluate emails pushing immediate access.
Conducting regular training to recognize phishing attempts and malware threats like Formbook ensures a secure and worry-free season.
IOCs
URL |
IP Address/Role |
hXXp://www[.]7261ltajbc.bond/cbbl/?aX =paPsyhkx/nE5gApOwy99MfqP09TNE5t /PnUzFNUQtr02YB3yPLZBROPMMVRkOMhc4Y +f4YmWe6fkW51HF6bKgtyZQkenfIZhWb80W8tC uarD22utTQitiVGOq TZqIbb31lBrl2g=&YHuX=yftHppt |
154[.]12[.]28[.]184 |
hxxps[://]www[.]google[.]com/url?q= hxxps[://]cdn[.]discordapp[.]com/attachments/ and_Vacation_application[.]xls[.]z |
Url Embedded in Email |
Type |
Information |
File Name: |
Mandatory Notice for all December Leave and Vacation application.exe |
MD5: |
201ad7754669b4d766349530adcca029 |
SHA256: |
E16A801F068E55F9B014AC4B4CDE9415FEC763830EF433CB4EB3E0EE9734BF04 |
Size: |
1.15 MB (1207808 bytes) |
File Name: |
Mandatory_Notice_for_all_December_Leave_and_Vacation_application.xls.z |
MD5: |
7e78e1c67017e5fd2f63c2744358198f |
SHA256 |
0583eb0dfc05ee6889f49e0da5cb7e48128cb41db627a64045d74e11fa85754c |
Size: |
684.30 KB (700728 bytes) |
*** This is a Security Bloggers Network syndicated blog from Cofense Website authored by Cofense Website. Read the original post at: https://cofense.com/feed/blog/end-of-year-pto-days-off-and-data-exhilaration-with-formbook