Daily Summary
Formbook activity remains stable with 8 new samples identified, closely aligning with the 7-day average of 9. The notable element is a significant surge in new C2 infrastructure, with 55 servers added, indicating potential preparation for new campaigns or infrastructure rotation.
New Samples Detected
The sample set shows a diverse mix of file types, with JavaScript (.js) and archive (.zip) files being most common. The presence of a PowerShell script (.ps1) and a file with a numeric extension (.15568) suggests ongoing experimentation with delivery vectors and obfuscation techniques to bypass static analysis.
Distribution Methods
Distribution continues to rely heavily on email campaigns delivering malicious archives (.zip) and script files (.js, .ps1). The single .scr (screensaver) file indicates occasional use of disguised executable lures. This multi-vector approach aims to exploit user trust in various file types.
Detection Rate
Current variants show moderate detection rates by major AV engines. Newer and less common file types, such as the .15568 sample and the specific .ps1 script, may have lower initial detection, providing a brief evasion window before signatures are updated.
C2 Infrastructure
A substantial influx of 55 new C2 servers was recorded. Initial analysis shows a geographically dispersed set, predominantly hosted on compromised infrastructure and bulletproof hosting services, which complicates takedown efforts and increases resilience.
7-Day Trend
Activity has been consistent over the past week, with daily sample counts hovering near the 9-sample average. The steady volume, coupled with today’s infrastructure surge, suggests sustained operational maintenance rather than a disruptive new campaign launch.
Security Analysis
The continued inclusion of living-off-the-land binaries (LoLBins) like PowerShell, alongside the diverse file extensions, points to a focus on defense evasion by blending with normal administrative activity. Compared to earlier campaigns, there is a subtle shift towards more script-based initial access. Defensive teams should enhance monitoring for suspicious child processes spawned from powershell.exe or wscript.exe, particularly when launched from temporary directories or email attachment paths.
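As an added illustration of the monitoring recommendation above (example code written for this summary, not tooling from the report's source), the following filter flags process-creation events where powershell.exe or wscript.exe spawns a child while the script it runs, or the child binary, sits in a temporary or mail-attachment directory. The path patterns, the ProcessEvent shape and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Script hosts the summary calls out as abused LoLBins.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe"}

# Temporary and mail-attachment locations (assumed patterns; tune per environment).
SUSPICIOUS_PATHS = [
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\inetcache\\content\.outlook\\", re.I),  # Outlook attachment cache
    re.compile(r"\\downloads\\", re.I),
]

@dataclass
class ProcessEvent:
    """One process-creation record (e.g. Sysmon event ID 1 or Windows 4688)."""
    parent_image: str
    parent_cmdline: str
    child_image: str
    child_cmdline: str

def is_suspicious_path(text: str) -> bool:
    """True if the text references a temp or attachment directory."""
    return any(p.search(text) for p in SUSPICIOUS_PATHS)

def flag_script_host_children(events):
    """Keep events where powershell.exe or wscript.exe spawned a child and either the
    script it was running or the child binary lives in a temp/attachment path."""
    flagged = []
    for ev in events:
        parent_name = ev.parent_image.rsplit("\\", 1)[-1].lower()
        if parent_name in SCRIPT_HOSTS and (
            is_suspicious_path(ev.parent_cmdline) or is_suspicious_path(ev.child_image)
        ):
            flagged.append(ev)
    return flagged

# Constructed sample events, not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"', PS,
                 r"powershell.exe -w hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    ProcessEvent(PS, r"powershell.exe -File C:\Users\alice\AppData\Local\Microsoft\Windows"
                 r"\INetCache\Content.Outlook\ABCD1234\order.ps1",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(PS, r"powershell.exe -File C:\Program Files\Admin\maint.ps1",
                 r"C:\Windows\System32\robocopy.exe", r"robocopy.exe D:\src E:\dst"),
]
```

Running flag_script_host_children(SAMPLE_EVENTS) returns the first two events and leaves the administrative robocopy launch alone, which is the signal-to-noise split the recommendation is after.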