Summary
Since the beginning of 2022, the unfolding geopolitical conflict between Russia and Ukraine has resulted in the discovery of new malware families and related cyberattacks. In January 2022, a new malware named WhisperGate was found corrupting disks and wiping files in Ukrainian organizations. In February 2022, another destructive malware was found in hundreds of computers in Ukraine, named HermeticWiper, along with IsaacWiper and HermeticWizard.
Aside from new malware families and novel attacks, previously known malware families continue to be used against organizations in Ukraine and throughout the world. Recently, Netskope Threat Labs came across an interesting phishing email addressed to high-ranking government officials in Ukraine containing Formbook (a.k.a. XLoader), which is a well-known malware operating in the MaaS (Malware-as-a-Service) model. This malware provides full control over infected machines, offering many functionalities such as stealing passwords, grabbing screenshots, downloading, and executing additional malware, among others.
The email seems to be part of a new spam campaign, since there were multiple emails with the same subject and body addressed to other recipients. Most of them contain an infected spreadsheet encrypted with the “VelvetSweatshop” password, which is a known Formbook behavior. The infected spreadsheet delivers the threat through vulnerability described under CVE-2017-11882 and CVE-2018-0798. However, the email addressed to government officials in Ukraine contains a .NET executable, responsible for loading Formbook in a multi-stage chain:
In this blog post, we will analyze all the layers from the email attachment to the last Formbook payload.
Phishing Email
The infection flow starts with a generic phishing email that uses a common technique, tricking the victim into downloading the payload by pretending to be a shipping invoice.
The attachment is a compressed file containing the first Formbook stage.
Also, as we mentioned previously, we found similar emails delivering malicious spreadsheets, so we believe that this is part of a new spam campaign delivering multiple threats.
Analysis – Summary
Before executing the last file (Formbook), the malware is divided into multiple stages, which we have summarized below.
- Stage 01 is a loader, responsible for decoding and executing the next stage;
- Stage 02 is another loader, responsible for obtaining the encrypted bytes of Stage 03 from the resources of Stage 01, decrypting and executing it;
- Stage 03 is a known packer/loader named CyaX-Sharp, responsible for decrypting and executing the last stage;
- Stage 04 is the Formbook payload, which injects itself into other processes, as described later in this analysis.
Analysis – Stage 01
The first stage is a .NET executable likely compiled on February 21, 2022. This file is a loader, responsible for decoding and executing the next stage.
Once we decompile the file, we can see that the real executable name is “VarArgMet.exe”. This stage doesn’t contain any code obfuscation but does contain an obfuscated string and an encrypted resource which we will discuss later.
Also, this file seems to be an infected version of a public .NET project named