Loader Activity for Formbook "QM18": A Deep Dive and Detection Opportunities
Introduction
In the realm of cybersecurity, the landscape is constantly evolving. Recently, there has been a surge in loader activity related to GuLoader or ModiLoader/DBatLoader. This article will focus on a specific loader activity for Formbook "QM18", based on an infection run on July 11, 2023. We will also discuss potential detection opportunities for the Indicators of Compromise (IOCs) and techniques listed in this activity.
The Infection Process
The infection process begins with an email distribution. Two emails with associated .docx file attachments were found on VirusTotal. These attachments, when opened, kick off the infection run.
The flow chart for this loader-based Formbook infection is as follows:
1. The user receives and opens the .docx attachment from the email.
2. The .docx file exploits CVE-2017-0199 and retrieves an RTF file from a URL.
3. The RTF file exploits CVE-2017-011882 and retrieves an HTA file.
4. The HTA file retrieves and runs an EXE file.
5. The EXE file, acting as a loader, retrieves an HTML file.
## Indicators of Compromise (IOCs)
The IOCs for this infection run include several SHA256 hashes, file sizes, file names, file types, file descriptions, and URLs. For instance, the .docx file has a SHA256 hash of 7f4fcb19ee3426d085eb36f0f27d8fd3d0242d0aa057daa9f4d8a7cd68576045, and the file size is 11,197 bytes. The file is a Microsoft Word 2007+ document with an exploit for CVE-2017-0199.
The infection process also involves several URLs, such as hxxps://e[.]vg/LyLQRAip, which redirects to another URL that retrieves the RTF file. The HTA file is retrieved from hxxp://23.94.236[.]203/wq/IE_NET.hta and is saved in the Temp folder of the user's AppData directory.
Detection Opportunities
Given the IOCs and techniques used in this loader activity, there are several detection opportunities:
1. Email Security: Implementing robust email security measures can help detect and block malicious emails. This includes scanning attachments for known malware signatures and sandboxing attachments for behavior analysis.
2. Endpoint Detection and Response (EDR): EDR solutions can detect unusual behavior, such as the creation or modification of files in the user’s AppData directory, or the execution of PowerShell’s Invoke-WebRequest function.
3. Network Monitoring: Monitoring network traffic can help identify suspicious activities. For instance, the retrieval of files from URLs with unusual patterns or from known malicious IP addresses can be flagged.
4. Threat Intelligence: Using threat intelligence platforms to keep track of known IOCs, such as SHA256 hashes and URLs associated with this loader activity, can aid in detection.
5. Exploit Detection: Implementing exploit detection measures can help identify attempts to exploit known vulnerabilities, such as CVE-2017-0199 and CVE-2017-011882, used in this loader activity.
Conclusion
Understanding the techniques and IOCs associated with specific loader activities, such as Formbook "QM18", is crucial in enhancing our detection capabilities and strengthening our cybersecurity defenses. By leveraging robust security measures and staying abreast of the evolving threat landscape, we can better protect our systems and data from such threats.
Reference: https://isc.sans.edu/diary/Loader+activity+for+Formbook+QM18/30020
