SUCURILABS

Threat insights 0x21: Formbook stealer

August 9, 2024

Unusual sign-in activity

Email 1

  • Rating: ★★☆☆☆
  • Date: 2024-08-06
  • Objective: Credential harvesting
  • Analyst: José Morim

This email is designed to impersonate the recipient's email service provider, attempting to create a sense of urgency by notifying the user of unusual sign-in activity on their account. The message is crafted to look legitimate, using the service provider's branding and language to convince the recipient that their account security is at risk.

The goal is to prompt the recipient to take immediate action, leading them to click on the malicious link, which points to a credential harvesting website.

Fake request for quote

Email 2

  • Rating: ★★★★☆
  • Date: 2024-08-07
  • Objective: Malware - Formbook
  • Analyst: José Morim

The email pretends to be a request for a quote, asking the user to check the details. However, its real goal is to trick the recipient into opening the attached file, which contains a harmful executable. If the recipient runs the file, it infects their system with the Formbook stealer, all while they believe they're handling a normal business request.

The threat actor's primary objective is to manipulate the victim into executing the payload, thereby infecting their system with infostealer malware. This enables the attacker to secretly harvest sensitive information and credentials, compromising the victim's security.

Annual compliance leave report

Email 3

  • Rating: ★★☆☆☆
  • Date: 2024-08-09
  • Objective: Credential harvesting
  • Analyst: José Morim

In this phishing email, the attacker impersonates the HR department of the recipient's company. The message looks very genuine and the language used is realistic, but the actual content is very suspicious. The link embedded in the email leads to a credential harvesting website, which reveals this to be a malicious email.

Bitcoin sextortion

Email 4

  • Rating: ★☆☆☆☆
  • Date: 2024-08-05
  • Objective: Cryptocurrency extortion
  • Analyst: José Morim

This is a compelling example of a typical phishing email leveraging sextortion to extort money from the recipient. The attacker falsely claims to possess explicit material involving the recipient and demands payment in Bitcoin, threatening to release the alleged content if their demands are not met.

IOCs

TYPE  IOC
URL   hxxps[://]bafkreiceueo7767gj3gmx56zfp2ipy5vqrgogjv4n77fvrigtjlxtfhmjq[.]ipfs[.]dweb[.]link/
FILE  be8d974d3e262ea959427e8964cbf4ec315d9ad11554e64b4aae8aa5ef34ff1b
FILE  de796036f54fe704ce2e91545fa22343fbca274f5838e056416d0cdeb51e4e3e
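To turn the defanged table above into something a SOC can sweep telemetry with, here is an added example (not part of the original post) that refangs the indicators and matches them against proxy URL and EDR file-hash lines; the sample telemetry lines are constructed for the demonstration, and a host-level hit is reported when a log URL shares the indicator's host but not its exact path.

```python
import re
from urllib.parse import urlsplit
# IOC rows as published on the page (defanged), one "TYPE VALUE" per line.
IOC_TABLE = """\
URL hxxps[://]bafkreiceueo7767gj3gmx56zfp2ipy5vqrgogjv4n77fvrigtjlxtfhmjq[.]ipfs[.]dweb[.]link/
FILE be8d974d3e262ea959427e8964cbf4ec315d9ad11554e64b4aae8aa5ef34ff1b
FILE de796036f54fe704ce2e91545fa22343fbca274f5838e056416d0cdeb51e4e3e
"""

def refang(value):
    """Reverse the defanging used in the table: hxxp -> http, [://] and [.]."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[://]", "://").replace("[.]", ".")

def load_iocs(table):
    """Build lookup sets: exact URLs (no trailing slash), their hosts, SHA-256 hashes."""
    iocs = {"urls": set(), "hosts": set(), "sha256": set()}
    for line in filter(None, table.splitlines()):
        kind, value = line.split(None, 1)
        value = refang(value.strip()).lower()
        if kind == "URL":
            iocs["urls"].add(value.rstrip("/"))
            iocs["hosts"].add(urlsplit(value).hostname)
        elif kind == "FILE":
            iocs["sha256"].add(value)
    return iocs
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

def scan(lines, iocs):
    """Return (line_number, match_kind, indicator) for every line that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            url = url.lower().rstrip("/")
            if url in iocs["urls"]:
                hits.append((n, "url", url))
            elif urlsplit(url).hostname in iocs["hosts"]:
                hits.append((n, "host", urlsplit(url).hostname))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                hits.append((n, "sha256", h.lower()))
    return hits

# Constructed sample telemetry: two proxy entries and two EDR file-hash events.
SAMPLE_LINES = [
    "2024-08-07T09:14:02Z proxy GET https://bafkreiceueo7767gj3gmx56zfp2ipy5vqrgogjv4n77fvrigtjlxtfhmjq.ipfs.dweb.link/index.html 200",
    "2024-08-07T09:15:10Z proxy GET https://example.org/quote.html 200",
    "2024-08-07T09:16:33Z edr file-write RFQ_0807.exe sha256=BE8D974D3E262EA959427E8964CBF4EC315D9AD11554E64B4AAE8AA5EF34FF1B",
    "2024-08-07T09:16:40Z edr file-write notepad.exe sha256=" + "0" * 64,
]
```

Running `scan(SAMPLE_LINES, load_iocs(IOC_TABLE))` flags line 1 as a host match and line 3 as a SHA-256 match, while the benign lines produce nothing.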

Keep up with threat insights

Threat insights is a weekly series where we present you with analysis from samples we collect. Follow us on social media for the latest feed and cybersecurity content. Stay informed and stay safe!


Copyright © 2024-2025 SUCURILABS Lda. All rights reserved.