Formbook and Snake Keylogger Infostealers

Information stealing attacks that leverage the phishing email attack vector against Ukrainian organizations are currently on the rise, such as the malicious campaign less than one week ago spreading AgentTesla spyware and targeting Ukrainian state bodies. On July 25, 2022, CERT-UA released a new heads-up warning the global cyber defender community of an ongoing email campaign aimed at mass distribution of Formbook and Snake Keylogger malicious payloads that are used for stealing sensitive data. In this latest cyber-attack, threat actors leverage the financially-related email subject and the malicious archive attachment of the same name as lures to trick the potential victims into opening the email contents. Attackers deliver malware samples using the malicious .NET-based downloaders identified as RelicRace and RelicSource. According to the research, the malicious activity can be attributed to the behavior patterns of the UAC-0041 hacking collective.

Formbook & Snake Keylogger Delivery: Cyber-Attack Analysis

The latest cyber-attack covered in the CERT-UA#5056 alert is linked to the activity of the UAC-0041 threat actors that were earlier attributed to the malicious campaign in spring 2022 spreading IcedID Trojan, the notorious information-stealing malware. Notably, the same hacking group was also associated with the delivery of AgentTesla and XLoader malware samples in the previous malicious campaigns targeting Ukrainian organizations. 

In the ongoing phishing campaign that has been in the spotlight since July 19, 2022, threat actors massively distribute emails with malicious attachments in the TGZ compressed archive file format. This TGZ archive contains an executable file identified as a .NET-based downloader RelicRace, which is used to download and launch the infamous RelicSource malware on the compromised systems. The latter is the malware installation software capable of decoding data stored in multiple encryption formats, including XOR, DES, AES, etc., and further injecting and launching Formbook and Snake Keylogger payloads. The malware applies sophisticated persistence and anti-analysis techniques to evade detection making it harder for cyber defenders to timely identify the infection. 

According to Fortinet’s FortiGuard Labs, the notorious Snake Keylogger massively distributed in the ongoing cyber-attack against Ukraine is a .NET-based malware that was first spotted in the cyber threat arena in late 2020. The malware is designed to steal sensitive data, such as users’ credentials, keystrokes, screenshots, and clipboard data. In July 2021, Snake Keylogger was among the top 10 most popular malware families impacting more compromised users across the globe. 

Another payload spread in this latest cyber-attack covered by the CERT-UA research dubbed Formbook also belongs to the most prevailing info-stealing malware samples, even taking over the infamous Trickbot banking Trojan. Formbook has been present in the cyber threat landscape since 2016 as malware aimed to steal credentials from multiple web browsers, monitor and log keystrokes, download and execute files via the C&C server. 

Detecting UAC-0041 Activity: Sigma Rules to Spot the Latest Wave of Formbook and Snake Keylogger Infections

To help security practitioners proactively detect the intrusions associated with the latest UAC-0041 attacks against Ukraine, SOC Prime’s Detection as Code platform provides a set of curated Sigma rules. For a streamlined content search, all the detection content is tagged with “CERT-UA#5056” based on the campaign overview detailed in CERT-UA#5056 alert. 

Sigma Rules to Detect Formbook and Snake Keylogger Campaign Details in CERT-UA#5056

To review the entire list of detection rules and hunting queries covering the UAC-0041 malicious activity, hit the Detect & Hunt button below. Also, you can browse SOC Prime’s cyber threats search engine to drill down to the Sigma rules aimed at UAC-0041 detection along with accessing extensive contextual metadata, like MITRE ATT&CK® and CTI references, CVE descriptions, and more.

Detect & Hunt Explore Threat Context


To gain insights into the context of the UAC-0041 cyber-attacks aimed at Formbook and Snake Keylogger distribution, the above-referenced Sigma rules are aligned with the MITRE ATT&CK® framework addressing the corresponding tactics and techniques:

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts