Daily Summary
Formbook activity shows a moderate increase, with 15 new samples detected today compared to a 7-day average of 13. The 18% rise is accompanied by a significant surge in new C2 infrastructure, indicating potential campaign expansion or infrastructure rotation.
New Samples Detected
JavaScript (.js) files dominate the new samples, comprising nearly half of the total. The remaining samples show a fragmented pattern of file types, including two .exe and two .hta files, alongside several files with numeric extensions (e.g., .17095, .95677465). These numeric extensions are consistent with Formbook’s known tactic of using randomly generated file extensions to hinder pattern-based detection.
Distribution Methods
The prevalence of .js and .hta files strongly suggests ongoing phishing campaigns delivering malicious scripts via email attachments or compromised websites. These scripts typically function as downloaders to retrieve the final Formbook payload. The presence of a few .exe files may indicate alternate delivery vectors, such as bundled software or direct execution from archive files.
Detection Rate
Current variants, particularly those using script-based downloaders, maintain a moderate to high detection rate by major AV engines. However, the use of heavily obfuscated JavaScript and novel numeric file extensions may provide a limited evasion window for newer samples before signatures are updated.
C2 Infrastructure
A notable spike of 55 new C2 servers was registered, far exceeding typical daily turnover. This large-scale infrastructure deployment often precedes or accompanies a spam campaign push. Geographic data for these servers was not available in today’s feed.
7-Day Trend
Activity has been steadily climbing over the past week, moving from near or below average to today’s elevated levels. The concurrent jump in C2 servers suggests this rising trend is part of an active operational phase.
Security Analysis
The current mix of file types, especially the high script-to-binary ratio, mirrors Formbook’s shift toward lightweight, easily modified downloaders that change faster than traditional malware binaries. This allows attackers to quickly adapt initial access techniques while the core stealer payload remains consistent. A key defensive recommendation is to enhance email filtering and endpoint monitoring for child processes spawned from script hosts (wscript.exe, cscript.exe, mshta.exe), particularly those making network connections to new or uncategorized domains.
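As an added, constructed illustration of the monitoring recommendation above (not code from the original summary), the Python below walks Sysmon-style process-creation (ID 1), network-connection (ID 3) and file-creation (ID 11) events, tags every process descended from wscript.exe, cscript.exe or mshta.exe (grandchildren included, going one step beyond the direct-child wording), and flags any such process that contacts a host outside an assumed allowlist of categorized domains; it also flags dropped files with all-numeric extensions like the ones described under New Samples Detected. Field names follow Sysmon conventions; the events, GUIDs, hostnames and allowlist are all constructed.

```python
import re

# Defender-side triage over constructed Sysmon-style events (not real telemetry).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
CATEGORIZED = {"allowed.example.org"}      # assumed allowlist of known, categorized domains
NUMERIC_EXT = re.compile(r"\.\d+$")        # e.g. invoice.17095: extension is all digits

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyze(events):
    """Return findings for (a) script-host descendants contacting uncategorized hosts
    and (b) dropped files whose extension is purely numeric."""
    descendants = {}   # ProcessGuid -> (root script host, image) for processes under a script host
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:                                   # process creation
            parent = basename(ev["ParentImage"])
            if parent in SCRIPT_HOSTS:
                descendants[ev["ProcessGuid"]] = (parent, basename(ev["Image"]))
            elif ev.get("ParentProcessGuid") in descendants:   # grandchildren inherit the tag
                root = descendants[ev["ParentProcessGuid"]][0]
                descendants[ev["ProcessGuid"]] = (root, basename(ev["Image"]))
        elif eid == 3 and ev["ProcessGuid"] in descendants:    # network connection
            host = ev.get("DestinationHostname") or ev["DestinationIp"]
            if host not in CATEGORIZED:
                root, image = descendants[ev["ProcessGuid"]]
                findings.append(("script_host_descendant_network", root, image, host))
        elif eid == 11 and NUMERIC_EXT.search(ev["TargetFilename"]):   # file create
            findings.append(("numeric_extension_drop", basename(ev["Image"]), ev["TargetFilename"]))
    return findings

SAMPLE_EVENTS = [  # constructed; GUIDs shortened for readability
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Program Files\Outlook\OUTLOOK.EXE"},
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "ProcessGuid": "{C3}", "ParentProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "ProcessGuid": "{C3}", "DestinationHostname": "cdn-7731.example.net", "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "ProcessGuid": "{C3}", "DestinationHostname": "allowed.example.org", "DestinationIp": "198.51.100.5"},
    {"EventID": 11, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\invoice.17095"},
    {"EventID": 1, "ProcessGuid": "{D4}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},  # benign control
    {"EventID": 3, "ProcessGuid": "{D4}", "DestinationHostname": "cdn-7731.example.net", "DestinationIp": "203.0.113.10"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Only the powershell.exe descended from wscript.exe is reported; the same destination reached by notepad.exe (no script-host ancestry) and the allowlisted host are not.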