A FortiGuard SE Team Threat Analysis Report
The FortiGuard SE team has discovered an ongoing malicious spam campaign targeting a critical infrastructure energy provider in Romania over the past few weeks. It uses a combination of a variant of the Fareit/Pony downloader together with the Formbook infostealer malware.
While we have no conclusive evidence or insight as to why or who is targeting this organization, we can safely surmise that the goals are to either gather information to gain a foothold within the organization for further pivoting, or for data theft for reasons unknown to us.
The campaign consists of malicious email sent from a “BEN GASTRA” who claims to have an attached an unknown payment to the email and wants the victim to confirm they have received it. We have observed over three dozen of these emails sent from the IP address 126.96.36.199 (United States) to multiple recipients within this organization.
We are not sure if these are legitimate email addresses or whether they have been harvested via other means, but they appear to be legitimate.
Figure 1. Spam email sent to recipient
However, as expected, this is simply a ploy to trick the recipient into opening the attachment (bank copy.7z) [BCD2B81EB52450A66CFCB1E7C8AA2080A32CFC5FBF0DC98BE693F8C1F5680868] which contains the PE file, bank_copy.exe: [02218D687E7814E5AAA831E4222FB599164C6002B0285CF8FDFC42F89A2E8A29].
Analysis of bank_copy.exe
Once bank_copy.exe has been executed, it drops a new file located at %usertemp%bin.exe. Once it has been run, it proceeds to contact the following URL(s):
A cursory analysis of the domain reveals that the server is open, which allowed us to traverse the directory to investigate. Upon further analysis, we learned that the various directories appear to contain different campaigns and directories, where all the executables and files used by the attackers in previous campaigns have been already deleted. One interesting aspect to note, is that the server has similarities to the directory structure as described in:
Figure 2. Directory listing of brimps.live
Analysis of cshit.exe
Analysis of the payload dropped from
[cshit.exe – C8DACB3FB584CCBB203F7A2C63031B7733A2B45767EEDCC8021F6B01999A7A1B]
reveals that this is a smaller, more traditional Fareit/Pony variant. This variant incorporates the same behaviors of bank copy.exe, with the exception of not dropping bin.exe (FormBook).
The payload also contacts the same URL(s) as bank copy.exe:
This is likely to function as a fail safe so if the original file [bank copy.exe] gets detected at a later time, cshit.exe can ensure that the malware remains on the intended target machine even after detection of the original file.
Figure 3. List of various items to steal/exfiltrate by Fareit/Pony
Figure 4. List of various items to steal/exfiltrate by Fareit/Pony (cont’d)
Figure 5. List of default passwords used by Fareit/Pony
Analysis of Bin.exe (FormBook)
Bin.exe is an older version of the FormBook malware. Formbook is an infostealer, specifically a form grabber, which has been around since 2016 and is sold in various underground forums. Because of its widespread availability, we have seen Formbook used in attacks globally, targeting many industry verticals. It is coded in low level ASM/C, which allows it to function on multiple versions of Windows. It also uses encryption for its communications, and has a nice easy to use interface for those who purchase the product for nefarious use.
The malware can inject itself into various processes, which in turn can steal keystrokes and clipboard contents from the machine, along with HTTP data. Other functionality includes the ability to download and execute files, start processes, and steal cookie data and passwords. In addition to its infostealing capabilities, it can also steal passwords from email clients and perform screenshots. It also has built-in anti-vm functionality to evade analysis.
Once opened, FormBook contacts the following site(s):
Figure 7. Attack chain
bank copy.exe (detected as: W32/Fareit.EXLY!tr.pws)
- Size: 516096 bytes
- MD5: C46C8A81A1B50AE74DDCE987E43E9DBA
- SHA256: 02218D687E7814E5AAA831E4222FB599164C6002B0285CF8FDFC42F89A2E8A29
- Compiled: Tue Dec 23 01:41:38 1997 GMT
- drops %usertemp%bin.exe
bin.exe (detected as: W32/GenKryptik.AYEB!tr)
- Size: 171520 bytes
- MD5: 1746615AB53378FFB46437CAC5416AA9
- SHA256: EA73BCD50253F3939A988946778643E1DBB8C264F566FE93846B34875BE39A86
- Compiled: Tue Feb 17 02:18:44 2004 GMT
cshit.exe (detected as: W32/Agent.NTM!tr )
- Size: 92672 bytes
- MD5: DC1C782C0D418FE13CD1A94FCE198C3B
- SHA256: C8DACB3FB584CCBB203F7A2C63031B7733A2B45767EEDCC8021F6B01999A7A1B
- Compiled: Sat Sep 19 07:59:54 2015 GMT
Defenses and Mitigations
Initial Access: FortiGate firewalls with Anti-Virus enabled can detect and block this threat. FortiMail can also block specific file types as well as send attachments to FortiSandbox to determine if a file displays malicious behavior.
Execution: FortiClient running the latest up-to-date virus signatures will detect and block this file and associated files. The file(s) in this attack are currently being detected as:
Exfiltration & C&C: All network IOCs for this threat are blacklisted by the FortiGuard Web Filtering client.
NOTE: The FortiGuard Labs SE Team has shared the findings in this report with our fellow Cyber Threat Alliance members, including file samples and indicators of compromise. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.