Daily Summary
Formbook activity surged today with 24 new samples, a 229% increase over the 7-day average of roughly 7 samples per day. The spike is accompanied by a matching expansion of command-and-control (C2) infrastructure, described below.
New Samples Detected
JavaScript (.js) files dominate today’s submissions, comprising 18 of the 24 samples. The remaining files are a mix of archive (.zip), executable (.exe, .scr), script (.vbs), and a single file with an obscure “.26618” extension, which is likely a renamed executable or archive used for evasion.
Distribution Methods
The heavy use of .js files indicates a continued reliance on script-based loaders, typically delivered as phishing-email attachments. The presence of .zip archives suggests campaigns in which the script is compressed to get past simple attachment filters; once extracted, the .js file acts as the first-stage downloader that fetches and runs the Formbook payload.
Detection Rate
Current variants, particularly the new .js files, show only moderate detection rates from major AV vendors. The unfamiliar .26618 extension and lightly obfuscated scripts appear to buy a brief evasion window until signatures catch up. Because extension-based filtering is exactly what the renamed file is designed to slip past, triage should classify each sample by its leading bytes (PE, ZIP, script text) rather than by the name it arrived with.
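The following triage script is an added example, not part of the original report or of any vendor tooling. It classifies a sample by magic bytes instead of extension, flags extension/content mismatches such as a PE file named ".26618", and lists risky members (scripts, executables, double extensions like "Invoice.pdf.js") inside a ZIP. All sample bytes are constructed stand-ins, not real malware; the magic-byte table and extension lists are the author's assumptions about what a sensible triage rule would contain.

```python
import io
import zipfile

# Leading magic bytes -> true container/executable type. Checked before the
# file extension so a renamed file (e.g. ".26618") is classified by content.
MAGIC = {
    b"MZ": "pe",             # Windows PE (.exe/.scr/.dll) whatever the name says
    b"PK\x03\x04": "zip",    # ZIP archive
    b"Rar!\x1a\x07": "rar",  # RAR archive
    b"\x7fELF": "elf",       # ELF (not expected for Formbook, listed for completeness)
}

# Extensions that legitimately carry a given content type; anything else is a mismatch.
EXPECTED_EXT = {
    "pe": {"exe", "scr", "dll", "com"},
    "zip": {"zip"},
    "rar": {"rar"},
    "elf": {"elf", "so", ""},
}

SCRIPT_EXTS = ("js", "jse", "vbs", "vbe", "wsf", "hta")
EXEC_EXTS = ("exe", "scr", "dll", "com", "pif")


def extension(name):
    """Lower-cased final extension of a file or archive member name ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def identify(data):
    """Classify a blob by its magic bytes, falling back to a crude script-text heuristic."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:1024].lower()
    if b"activexobject" in head or b"wscript" in head or b"createobject" in head:
        return "script"
    return "unknown"


def triage(name, data):
    """Return findings for one sample: true type, extension mismatch, risky archive members."""
    ext = extension(name)
    kind = identify(data)
    flags = []
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        flags.append(f"extension-mismatch:{ext or '<none>'}->{kind}")
    members = []
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        for m in members:
            mext = extension(m)
            if mext in SCRIPT_EXTS:
                flags.append(f"script-in-archive:{m}")
            elif mext in EXEC_EXTS:
                flags.append(f"executable-in-archive:{m}")
            if m.count(".") >= 2:  # e.g. Invoice.pdf.js: hidden-extension lure
                flags.append(f"double-extension:{m}")
    return {"name": name, "ext": ext, "kind": kind, "members": members, "flags": flags}


def build_samples():
    """Constructed stand-ins for today's sample types (not real malware)."""
    renamed_pe = b"MZ" + bytes(62) + b"PE\x00\x00"   # minimal PE header stub
    loader_js = b"var sh = new ActiveXObject('WScript.Shell');\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0423.pdf.js", loader_js)
    return {
        "payload.26618": renamed_pe,       # renamed executable
        "Invoice_0423.zip": buf.getvalue(),  # archive wrapping a .js loader
        "order.js": loader_js,             # bare script attachment
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(triage(name, blob))
```

Run it on a directory of quarantined attachments and anything reported as an extension mismatch or a script-in-archive is worth a closer look before it reaches a sandbox queue.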
C2 Infrastructure
A notable expansion occurred with 55 new C2 servers identified. These servers are typically short-lived, bulletproof-hosted IP addresses with no strong geographic pattern, consistent with Formbook being sold as malware-as-a-service to many independent operators who each stand up their own disposable C2. Block on the observed indicators, but expect rapid rotation rather than persistent infrastructure.
7-Day Trend
Today’s dramatic rise breaks a pattern of relatively low, steady activity observed over the past week, suggesting the launch of a new, sizable spam campaign or the activation of a new affiliate group using this malware.
Security Analysis
The concurrent spike in samples and C2 servers, alongside the use of a non-standard file extension (.26618), points to a coordinated campaign rollout rather than isolated incidents. This mirrors historical Formbook campaigns where infrastructure is spun up in bulk for short, intense distribution periods. Defensive teams should prioritize controls on the Windows Script Host chain: alert on or block wscript.exe and cscript.exe executing scripts from user-writable locations such as the user's temp directory, and on any executable or second-stage launcher those script hosts spawn. Where users have no business need for .js/.vbs attachments, changing the default handler for those extensions away from the script host (or disabling Windows Script Host outright) removes the execution path entirely.
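The detection logic below is an added example written for this summary, not a rule shipped by any vendor or taken from the original report. It runs three checks over constructed Sysmon-style process-creation events (the field names Image, ParentImage and CommandLine are assumed): a script host launching a script from a user temp or download folder, a script host spawning an executable from such a folder, and a script host spawning a common second-stage launcher. The LOLBIN list and the user-writable path pattern are the author's assumptions and should be tuned to the environment.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Second-stage launchers commonly chained behind a script loader (assumed list, tune per environment).
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# User-writable drop locations where mail attachments are typically opened from (assumed pattern).
USER_TEMP = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\",
    re.IGNORECASE,
)


def basename(path):
    return ntpath.basename(path).lower()


def argv(command_line):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', command_line)]


def evaluate(ev):
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    # Rule 1: script host given a script that lives in a user temp/download folder.
    if image in SCRIPT_HOSTS:
        for arg in argv(ev["CommandLine"])[1:]:
            if arg.lower().endswith(SCRIPT_EXTS) and USER_TEMP.match(arg):
                hits.append("script_host_from_user_temp")
                break
    if parent in SCRIPT_HOSTS:
        # Rule 2: the script dropped and ran a binary from a user temp/download folder.
        if USER_TEMP.match(ev["Image"]):
            hits.append("script_host_spawned_temp_binary")
        # Rule 3: the script handed off to a second-stage launcher.
        if image in LOLBINS:
            hits.append("script_host_spawned_lolbin")
    return hits


def scan(events):
    """Evaluate a batch of events; returns (index, matched_rules) for each alerting event."""
    alerts = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed sample events (not from the report's telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Invoice_0423.pdf.js"'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\svchost.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Image": r"C:\Windows\System32\cscript.exe",   # benign: admin script from System32
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
]

if __name__ == "__main__":
    for idx, rules in scan(EVENTS):
        print(idx, EVENTS[idx]["Image"], rules)
```

The benign fourth event (cscript.exe running slmgr.vbs from System32) shows why the rule keys on the script's location rather than on the script host alone: administrators use the same interpreters legitimately, and the temp-directory condition is what separates an opened attachment from routine use.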