
Cybercrime, new order-themed FormBook campaign

Technical analysis by the Malware Hunter JAMESWT

New order-themed FormBook campaign. The compressed attachment contains a fake image and an executable. The executable starts the malware infection, but it is not always visible when the archive is opened.

A new global FormBook malspam campaign themed on product orders. The email carries a compressed attachment with a fake jpg image and an executable file inside; opening the executable activates the malware infection chain. Curiously, unpacking the archive with WinRAR shows only the exe file and not the image, while 7-Zip does the opposite: the jpeg appears but not the executable. In either case, the criminals' goal is to steal sensitive data from victims. FormBook's keylogger function captures everything the user types; it can also steal email and browser credentials and take screenshots. Finally, it can receive commands remotely on the infected PC, such as downloading additional payloads or updating those already present.
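A defender's triage check prompted by the WinRAR/7-Zip discrepancy above: list the attachment two ways, through the central directory that most tools trust and through a raw walk of the local file headers, and flag any entry that appears in only one view or carries a PE header. This is an added example, not code from the original post or the researcher; it assumes a ZIP container (the post does not name the archive format) and builds its own constructed sample by concatenating two archives, which is one way such a two-view disagreement can arise.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = b"PK\x03\x04"
EXEC_EXT = (".exe", ".scr", ".com", ".pif")

def entries_from_central_directory(data: bytes) -> dict:
    """Entry name -> first two bytes, as the central directory lists them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: zf.read(i)[:2] for i in zf.infolist()}

def entries_from_local_headers(data: bytes) -> dict:
    """Walk raw local file headers, ignoring the central directory entirely."""
    found, pos = {}, 0
    while (pos := data.find(LOCAL_HDR, pos)) != -1:
        # sig(4) ver(2) flag(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        method, = struct.unpack_from("<H", data, pos + 8)
        csize, = struct.unpack_from("<I", data, pos + 18)
        nlen, xlen = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        body = data[start:start + csize]
        if method == 8:            # deflate: raw stream, no zlib header
            body = zlib.decompressobj(-15).decompress(body)
        elif method != 0:          # unsupported method: do not guess at content
            body = b""
        found[name] = body[:2]
        pos = start + csize
    return found

def triage(data: bytes) -> dict:
    """Flag every name seen by either view; disagreement between views is itself a flag."""
    central, local = entries_from_central_directory(data), entries_from_local_headers(data)
    report = {}
    for name in sorted(set(central) | set(local)):
        flags = []
        if name not in central:
            flags.append("hidden from central directory")
        if name not in local:
            flags.append("no local header")
        if (central.get(name) or local.get(name)) == b"MZ":
            flags.append("PE content")
        if name.lower().endswith(EXEC_EXT):
            flags.append("executable extension")
        report[name] = flags
    return report

def build_sample() -> bytes:
    """Constructed test input: an exe-only ZIP followed by an image-only ZIP, so the
    trailing central directory lists only the image while the exe's local header remains."""
    def one(name, content):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, content)
        return buf.getvalue()
    exe = one("order.exe", b"MZ" + b"\x90" * 64)                 # PE stub, constructed
    jpg = one("order.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)   # JPEG SOI, constructed
    return exe + jpg
```

Run `triage(build_sample())`: the image comes back clean, while the executable is reported as hidden from the central directory, carrying PE content and bearing an executable extension.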

Figures (images not reproduced here): the email trap; the fake image; the C2s/domains contacted; malware family attribution; what appears when unpacking the attachment with WinRAR; what appears when using 7-Zip.
