April 18, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Glupteba Botnet Utilizes Previously Unknown UEFI Bootkit for Detection Evasion – Active IOCs
February 15, 2024Rewterz Threat Alert – Quasar RAT aka CinaRAT – Active IOCs
February 15, 2024Rewterz Threat Alert – Glupteba Botnet Utilizes Previously Unknown UEFI Bootkit for Detection Evasion – Active IOCs
February 15, 2024Rewterz Threat Alert – Quasar RAT aka CinaRAT – Active IOCs
February 15, 2024
Severity
Medium
Analysis Summary
FormBook is an infostealer malware that was first identified in 2016. It tracks and monitors keystrokes, finds and accesses files, takes screenshots, harvests passwords from various browsers, drops files, and downloads, and executes stealthier malware in response to orders from a command-and-control server (C2).
Formbook is known for its versatility, as it can be customized to target specific systems or applications. It is also designed to evade detection by security software, using techniques such as code obfuscation and encryption.
It disguises its original payload and injects itself into legitimate processes to avoid detection and complicate the removal process. The cybercriminals behind these email campaigns used a variety of distribution techniques to deliver this malware, including PDFs, Office Documents, ZIP, RAR, etc. This malware was used by cyber threat actors to attack Ukrainian targets in 2022 during the conflict between Russia and Ukraine. Currently, it is believed that the virus known as XLoader is Formbook’s successor.
To protect against Formbook and other malware, it is important to keep software up-to-date, use strong passwords, and be cautious when downloading software or opening email attachments. Antivirus and anti-malware software can also help detect and remove Formbook infections.
Impact
- Credential Theft
- Data Theft
- Keystroke Logging
Indicators of Compromise
MD5
- 94c6dfbb36fd9b1478757f2518b050f2
- 16a99463ebd4554c9b11480d36081514
- 889cf6d2dc5a945c1bb2809e70a46294
SHA-256
- ec84179e77efc18934873272da7e35227aab097647376beb7c66dbab8c0374a1
- 53e09d15ff2fcccd16ac139e20cb00ca6796f1e5e97d7a129ede94194d50f977
- 374e82c426bb09972efa0921091f44a134cb314a38ba75cfc171911e4b51a447
SHA-1
- 3efee6ed631028ab22851412c1effa9264f0e453
- e94b6f5cef97797989c214831dc4d8c692d38454
- cd99a396dbcef25ab3094c9a6317a1994f824bfc
URL
- http://www.servicemailteam.com/qrpa/
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
