Botconf 2018 has ended
Back To Schedule
Wednesday, December 5 • 15:00 - 15:40
In-depth Formbook Malware Analysis

Log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Form-grabber malware are nowadays quite common. They provide simple yet effective methods for stealing infected users' credentials. They are named thereby since they target HTML forms' submissions, made by web-browsers. Sometimes, they also provide classical password stealer capabilities such as key-logging, or modules designed to take screenshots. Also, they can embed code for harvesting users applications’ passwords, stored on the file-system.

Formbook is a 'ready-to-use' form-grabber malware, sold illegally on hacking forums. Thus, it can be used by cyber-criminals who don’t necessary own skills in malware development, although it can still be used by more advanced actors. It comes with a PHP web-application, used to implement the C&C server. It also offers a panel, used to graphically manage infected computers, and visualize stolen data.

In order to evade anti-viruses detection, to detect automated malware analysis environments or to complicate its reverse-engineering, Formbook implements many tricks. It also uses interesting code injection techniques, based on APC injection and thread hijacking, to perform actions like process-creation, from within the context of legitimate windows processes such as explorer. Its ability to migrate from a 32-bit process, running in wow64 compatibility mode, to a native 64-bit process also makes it worth looking at.


Wednesday December 5, 2018 15:00 - 15:40 CET
Auditorium Marthe Condat 118 Route de Narbonne, 31400 Toulouse, France