Found this user on the @internetarchive hosting images with embedded base64 encoded #malware between <<BASE64_START>> and <<BASE64_END>> flags. The malware is used to download and inject the next stage payload into another process. The campaign I observed involved #RemcosRAT
User page: https://archive.org/details/@nodetectonn
Remcos: hxxps://petshopsirena[.]mk/a.txt
#c2 : 45.95.169[.]135:2404
I found samples dropping others such as #agenttesla and #formbook as well.
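As an added example (not part of the post above, and not code from the actor or the hosting site), here is a triage script a defender could run over image files pulled from a suspicious account: it looks for the `<<BASE64_START>>` / `<<BASE64_END>>` markers quoted in the post, strictly decodes what sits between them, and reports offset, size, SHA-256 and whether the decoded bytes begin with a PE `MZ` header, so the hash can be checked against VirusTotal or a blocklist without ever executing the payload. The marker strings come from the post; the sample image bytes and the "payload" inside them are constructed for the demo.

```python
import base64
import binascii
import hashlib
import re
from pathlib import Path

# The delimiters quoted in the post. Everything between them is treated as base64.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"
_BLOB_RE = re.compile(re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER), re.DOTALL)


def extract_embedded_payloads(data: bytes) -> list[dict]:
    """Find every marker-delimited blob in `data` and describe it.

    The decoded bytes are only hashed and measured so the result can be
    matched against threat-intel feeds; nothing is executed or written out.
    """
    findings = []
    for match in _BLOB_RE.finditer(data):
        # Drop any line wrapping inside the blob before strict decoding.
        encoded = b"".join(match.group(1).split())
        finding = {
            "offset": match.start(),
            "encoded_len": len(encoded),
            "valid_base64": True,
        }
        try:
            decoded = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            # Markers present but the body is not clean base64: still worth flagging.
            finding["valid_base64"] = False
            findings.append(finding)
            continue
        finding.update(
            decoded_len=len(decoded),
            sha256=hashlib.sha256(decoded).hexdigest(),
            # A PE image (the usual next stage) starts with the 'MZ' DOS header.
            looks_like_pe=decoded[:2] == b"MZ",
        )
        findings.append(finding)
    return findings


def scan_file(path: Path) -> list[dict]:
    """Scan one file on disk; loop this over a downloads or browser-cache directory."""
    return extract_embedded_payloads(path.read_bytes())


# Constructed test data: a fake PNG header followed by a marker-delimited blob.
# The "payload" is a dummy byte string with a PE-like 'MZ' prefix, not real malware.
CONSTRUCTED_PAYLOAD = b"MZ" + b"\x90" * 16 + b"constructed dummy payload for the scanner demo"
CONSTRUCTED_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    + START_MARKER + base64.b64encode(CONSTRUCTED_PAYLOAD) + END_MARKER
    + b"\x00" * 16
)

if __name__ == "__main__":
    for finding in extract_embedded_payloads(CONSTRUCTED_IMAGE):
        print(finding)
```

The regex runs over the raw file bytes rather than a parsed image, which is deliberate: the markers in the post sit in the file body, not in any PNG/JPEG chunk structure, so a byte-level search catches them regardless of where the actor appended the blob. Feed the `sha256` values to your own intel lookup; the script does not contact any external service.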
We just released a landscape review of Registered DGAs. We review the many ways threat actors are leveraging these algorithms -- including malware, phishing, scams, porns, you name it. Our RDGA detectors find tens of thousands of domains every day, and we've seen the use continue to rise over the last several years. Most folks aren't even aware since actors are doing this in DNS and it often isn't obvious. #dns #threatintel #cybersecurity #cybercrime #infoblox #RDGA #DGA #DDGA #malware #phishing #scams #infoblox #infobloxthreatintel #cybersecurity #threatactor #c2 #revolverrabbit #threatintelligence #cyber #cyberintelligence #xloader #formbook #abusedtld https://insights.infoblox.com/resources-research-report/infoblox-research-report-registered-dgas-the-prolific-new-menace-no-one-is-talking-about
30 Days of #Formbook: Day 6, Saturday 2023-06-10 - "SN84" at https://malware-traffic-analysis.net/2023/06/10/index.html
Ran this infection on publicly-available WiFi while I ran my full-day #pcap analysis workshop at #BSidesSATX. Most, if not all, of the Formbook C2 was blocked from going out.
30 Days of #Formbook: Day 5, Friday 2023-06-09 #GuLoader for Formbook "V16R" at https://malware-traffic-analysis.net/2023/06/09/index.html
I've run across some GuLoader & #DbatLoader/#ModiLoader samples pushing Formbook recently, and this is my first successful "GuFormbook" run since I started 30 days of Formbook.
30 Days of #Formbook: Day 4, Thursday 2023-06-08 "T30K" at https://malware-traffic-analysis.net/2023/06/08/index.html
I can now confirm that Formbook steals login credentials from the Firefox web browser.
For browsers, it's Chrome, Firefox, and IE. But Formbook still does not steal from the current Chromium-based Microsoft Edge.
Here's a new advertising slogan for Edge: "Microsoft Edge: At least Formbook doesn't steal from it!"
You're welcome, Microsoft.
30 Days of #Formbook: Day 3, Wednesday 2023-06-07 "AE30" at https://malware-traffic-analysis.net/2023/06/07/index.html
3 of 30 days? I'm 10% done!
My findings so far:
It seems like Formbook doesn't steal login credentials from the current Chromium-based Microsoft Edge or Thunderbird.
But it -does- steal credentials from Google Chrome & Outlook.
It still seems to look for login credentials in Internet Explorer.
I'm basing this on artifacts from the directory that Formbook temporarily stores the screenshot of the desktop and any login credentials it steals. After it sends the info to the C2 server, Formbook deletes the files.
Today, I had Chrome installed and set up with some stored login credentials. I normally just use the current Chromium-based Edge for that, which was also present, but all those juicy login/password combos seem untouched by Formbook.
Nothing from Filezilla, either, in this case.
In this post, I've included a screenshot of my victim desktop that Formbook sent to its C2 server(s).
I'll keep mixing things up and trying other applications to see if there's anything else Formbook tries to steal from.
I mean, I know that Formbook is a sort of "bargain basement" MaaS-style malware, but come on! Not stealing from the current Microsoft Edge? I think Formbook's still stuck in the Windows 7 era.
30 Days of #Formbook: Day 2, Tuesday 2023-06-06 - "CG62"
My current effort to generate a collection of #pcap files/IOCs from up-to-date Formbook samples I find on VirusTotal...
Today's post, number 2 of 30: https://malware-traffic-analysis.net/2023/06/06/index.html
30 Days of #Formbook: Day 1, Monday 2023-06-05
I'm generating #pcap files/IOCs from up-to-date Formbook samples I find on VirusTotal.
It'll take longer than 30 calendar days, I'm sure, but I plan on doing 30 of these.
We'll see if the accumulated data is worth anything. At least, there will be 30 examples of Formbook infections where people can see the data exfiltration, even if you can't decode it (which I can't yet).
My first post: https://www.malware-traffic-analysis.net/2023/06/05/index.html
The FormBook infostealer is being distributed through Google Ads campaigns
#Cybersecurity #researchers at SentinelLabs report that an ongoing #campaign uses #Google ads to distribute #malware installers that use #KoiVM virtualization #technology to evade detection when the #FormBook infostealer is installed.
KoiVM is a plugin for the #ConfuserEx protector that obfuscates a program's opcodes so that only the virtual machine understands them.
#redhotcyber #informationsecurity #ethicalhacking #dataprotection #hacking #cybersecurity #cybercrime #cybersecurityawareness #cybersecuritytraining #cybersecuritynews #privacy #infosecurity
https://www.redhotcyber.com/post/linfostealer-formbook-viene-diffuso-attraverso-le-campagna-di-ads-di-google/