Formbook - Daily Threat Report

Friday, April 10, 2026

Daily Summary

Formbook activity surged today with 14 new samples, representing a 145% increase over the 7-day average of 6. This significant spike indicates a potentially active distribution campaign is underway, supported by a substantial expansion of command-and-control infrastructure.

New Samples Detected

Script-based files dominate the new samples, with .js (7) and .vbs (3) comprising the majority. The presence of a .r00 archive file is notable, as it may indicate a multi-part compressed payload designed to bypass simple filters. The single .dll sample suggests continued use of side-loading techniques.

Distribution Methods

The heavy use of JavaScript and VBScript files points to ongoing malicious email campaigns delivering script attachments or links. These scripts typically function as downloaders to retrieve the final Formbook payload. The .bat file suggests possible use in limited, targeted execution chains or automated scripts.

Detection Rate

Current detection rates for these script-based initial vectors remain high among major AV vendors. However, the rapid deployment of 55 new C2 servers suggests operators are preparing fresh infrastructure, which may be paired with newer payload variants that could have temporarily lower detection rates during initial deployment.

C2 Infrastructure

A significant infrastructure rollout was observed with 55 new C2 servers registered. This scale of expansion often precedes or accompanies a large-scale spam campaign. The servers are likely a mix of newly registered domains and compromised websites, though geographic patterns were not specified in today’s data.

7-Day Trend

Today’s sharp rise breaks a period of relatively low, steady activity observed over the past week, moving from an average of 6 samples to 14. This suggests a new tactical phase or campaign launch rather than sustained gradual growth.

Security Analysis

The current sample set reveals a continued reliance on script-based downloaders, but the inclusion of a .r00 file is a minor tactical shift. This archive format is less common in broad malware campaigns and may be an attempt to evade signature-based detection for the compressed stage. Defensively, organizations should enhance email filtering to block or sandbox .r00 and other less common archive extensions, in addition to the standard .js and .vbs files, as these can bypass policies focused only on executable attachments.
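The filtering recommendation above can be expressed as a small attachment-triage policy. The following is an added example, not tooling from the report or from abuse.ch: it blocks the script and library extensions named in today's sample set, holds split-archive volumes and common archives for sandboxing, and flags double-extension disguises. The .r00 extension is from the report; treating .r01 to .r99, .001-style and .partNN.rar siblings as the same multi-volume family is an assumption, as are the sample filenames and the allow/sandbox/block policy choices.

```python
"""Attachment triage illustrating the report's filtering advice (added example).

Sample filenames are constructed; policy thresholds are assumptions, not feed data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Script and library extensions the report names as today's initial vectors.
SCRIPT_EXTS = {"js", "vbs", "bat", "dll"}
# Standard archive formats most gateways already inspect.
COMMON_ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Split-archive volume naming: .r00 is in the report; the .r01-.r99, .001-.999 and
# .partNN.rar siblings are an assumption about how multi-part RAR sets are named.
ARCHIVE_VOLUME_RE = re.compile(r"\.(r\d{2}|\d{3}|part\d{1,3}\.rar)$")
# Document-looking extensions often placed before the real one (invoice.pdf.js).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass(frozen=True)
class Verdict:
    filename: str
    action: str   # "block", "sandbox" or "allow"
    reason: str


def _normalize(filename: str) -> str:
    # Lower-case and drop trailing dots/spaces that can hide the true extension.
    return filename.strip().rstrip(". ").lower()


def classify_attachment(filename: str) -> Verdict:
    name = _normalize(filename)
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Double extension: a decoy document suffix directly before the real one.
    decoy = len(parts) > 2 and parts[-2] in DECOY_EXTS

    if ext in SCRIPT_EXTS:
        reason = f".{ext} script/library attachment"
        if decoy:
            reason += f" disguised as .{parts[-2]}"
        return Verdict(filename, "block", reason)
    if ARCHIVE_VOLUME_RE.search(name):
        return Verdict(filename, "sandbox", "split-archive volume (uncommon extension)")
    if ext in COMMON_ARCHIVE_EXTS:
        return Verdict(filename, "sandbox", f".{ext} archive, detonate before delivery")
    return Verdict(filename, "allow", "no policy match")


def triage(filenames) -> dict:
    """Classify a batch; return counts per action and the held (non-allowed) verdicts."""
    verdicts = [classify_attachment(f) for f in filenames]
    counts = Counter(v.action for v in verdicts)
    held = [v for v in verdicts if v.action != "allow"]
    return {"counts": dict(counts), "held": held}


# Constructed sample attachment names mirroring the file types in today's report.
SAMPLE_ATTACHMENTS = [
    "Invoice_2026-04.js",
    "Remittance.pdf.vbs",
    "setup.bat",
    "helper.dll",
    "shipment.r00",
    "shipment.r01",
    "contract.part01.rar",
    "quarterly_report.pdf",
    "photos.zip",
    "README.txt. ",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ATTACHMENTS)
    print(result["counts"])
    for v in result["held"]:
        print(f"{v.action:8} {v.filename:24} {v.reason}")
```

Extension matching is only a first gate: a gateway should still inspect the bytes (an .r00 renamed to .txt still carries the RAR signature), so pair this with content-type detection and sandbox detonation rather than relying on names alone.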

Data Sources

MalwareBazaar (abuse.ch)
ThreatFox (abuse.ch)
URLhaus (abuse.ch)