Double-click. The JS fires up, Windows Script Host humming along like it’s just another innocent script.
But here’s the thing—this 10MB beast, SHA256 a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285, only trips 15 out of whatever VirusTotal’s got these days. Obfuscated JavaScript malware, straight from a phishing RAR. I’ve seen this playbook for years; it’s not clever, just persistent. And yeah, persistence is the word—they mean it literally, scheduling tasks every 15 minutes.
Zoom out. This ain’t some zero-day wizardry. It’s Formbook, that credential-stealing pest that’s been lurking since 2016, dressed up in fresh clothes. AsmDB library stuffed in to bloat it—why? To dodge static scanners, probably. Scroll past the UTF gibberish, and bam: ActiveXObject calls, file copies to Public folders, schtasks for eternity.
```javascript
// String "decoder": every hidden literal is stored reversed and flipped back at runtime
function FDAWE(x) { return x.split('').reverse().join(''); }
// The script's own filename, reused when it copies itself elsewhere
var scriptName = WScript['ScriptName'];
```
That’s the deobfuscator right there, casual as a weekend hack. Copies itself to C:\Users\Public\Libraries\, drops three fake PNGs: Brio.png, Orio.png, Xrio.png. Not images. Payload carriers.
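An added analyst helper, not code from the page or from Mertens' diary: it undoes the reverse-and-join trick across a whole script so the ActiveX ProgIDs, the Public folder path and the task command line read in the clear. The JS excerpt is constructed in the loader's style; only the helper name FDAWE is taken from the page.

```python
import re

# Constructed JS excerpt in the loader's style (not the real sample): every
# sensitive string is stored reversed and passed through the helper at runtime.
SAMPLE_JS = r"""
function FDAWE(x) { return x.split('').reverse().join(''); }
var scriptName = WScript['ScriptName'];
var fso = new ActiveXObject(FDAWE('tcejbOmetsySeliF.gnitpircS'));
var dst = FDAWE('\\seirarbiL\\cilbuP\\sresU\\:C');
fso.CopyFile(scriptName, dst + scriptName);
var sh = new ActiveXObject(FDAWE('llehS.tpircSW'));
sh.Run(FDAWE('51 om/ etunim cs/ etaerc/ sksathcs'), 0, false);
"""

def deobfuscate(js, helper="FDAWE"):
    """Replace each helper('...') call with the literal reversed in place.
    Works on source text: a doubled backslash reverses to itself, so the
    Windows paths come out as valid JS literals."""
    literal = r"""(['"])((?:\\.|(?!\1).)*)\1"""
    call = re.compile(re.escape(helper) + r"\(\s*" + literal + r"\s*\)")
    return call.sub(lambda m: m.group(1) + m.group(2)[::-1] + m.group(1), js)

def extract_indicators(js):
    """What an analyst wants first from the cleaned script."""
    clean = deobfuscate(js)
    return {
        "progids": re.findall(r"ActiveXObject\(['\"]([^'\"]+)['\"]\)", clean),
        "paths": re.findall(r"['\"]([A-Za-z]:\\\\[^'\"]*)['\"]", clean),
        "schtasks": re.findall(r"['\"](schtasks[^'\"]*)['\"]", clean),
    }
```

Other samples rename the helper, so pass its name in; the literal-matching regex is what does the work.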
Why Is This Obfuscated JavaScript Still Slipping Past Defenses?
Look, PowerShell kicks in post-persistence: iex with Base64, but mangled. Xrio.png? AES-encrypted blob, key XctflJI8B7Qo2dA6FbwuHYAjjzjViSx3hThThXX1QUY=, IV eb8a/RvZf2ltVDo2satMKg==. Decrypts to evasion patches—EtwEventWrite, AmsiScanBuffer. Classic. Been doing this since at least 2022.
```powershell
# Hardcoded AES key and IV (Base64) used to decrypt the Xrio.png blob
$aes_var.Key = [System.Convert]::FromBase64String('XctflJI8B7Qo2dA6FbwuHYAjjzjViSx3hThThXX1QUY=')
$aes_var.IV  = [System.Convert]::FromBase64String('eb8a/RvZf2ltVDo2satMKg==')
```
Straight from the script—props to Xavier Mertens for the teardown. Orio.png unpacks a .NET DLL (SHA256: 53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b), injected into MSBuild.exe via some Fiber.Program reflection hack. Brio.png? The real deal, another Formbook dropper.
And Formbook? Info stealer extraordinaire—keys, creds, screenshots, the usual grift. Sold as MaaS, so someone’s banking while your AV yawns.
This feels like 1999 all over again. Remember macro viruses in Word docs? Sneaky loaders hiding payloads in innocent files. Now it’s JS in RARs, PNGs as crypto containers—same game, new wrappers. But my bet? These Formbook crews keep winning because AVs chase signatures, not behavior. With only 15 hits, infections spike before updates roll. Who’s making money? Not you.
How Does the Persistence Trick Actually Work?
Scheduled task: schtasks /create /sc minute /mo 15 /tn [script] /tr [copy]. Every quarter-hour, it pokes the PowerShell beast awake. The -NoExit and -nop flags keep the session interactive and skip profile scripts. Sneaky.
The DLL injection? A fat argument array hands MSBuild the fake PNG:

```powershell
$Allohaarnppp11111111 = @('file:///C:/Users/Public/Brio.png','0','','','MSBuild','','MSBuild','','','','','','7','0','','0','','','')
```

then reflection voodoo on Fiber.Program.Main. MSBuild as host—legit process, low suspicion. Reflection hides the strings, too.
Evasion’s the star here. Patching ETW kills logging; AMSI neutering lets scripts run wild. If your endpoint’s not watching process injection or unhooking, you’re toast.
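As an added example (not the page's or the diary's code), a small triage pass over constructed process-creation events that flags the chain described above: schtasks /create on a minute schedule of 15 or less whose action runs a script host or anything under the Public profile, PowerShell spawned by a script host or run -nop/-noexit with a Base64 decode fed to iex, MSBuild.exe as a child of PowerShell, and a script host executing from C:\Users\Public\Libraries. The event tuples and rule names are assumptions, not real telemetry.

```python
import re

# Constructed process-creation events (parent image, image, command line),
# shaped after the chain the page describes. Not real telemetry.
EVENTS = [
    ("wscript.exe", "schtasks.exe", r'schtasks /create /sc minute /mo 15 /tn Brio /tr "wscript.exe C:\Users\Public\Libraries\invoice.js"'),
    ("svchost.exe", "wscript.exe", r'wscript.exe C:\Users\Public\Libraries\invoice.js'),
    ("wscript.exe", "powershell.exe", r'powershell.exe -noexit -nop -c "iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($x)))"'),
    ("powershell.exe", "MSBuild.exe", r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'),
    ("explorer.exe", "powershell.exe", r'powershell.exe -NoProfile -File C:\Scripts\backup.ps1'),
    ("cmd.exe", "schtasks.exe", r'schtasks /create /sc daily /tn Backup /tr C:\Scripts\backup.bat'),
]

def short_interval_task(cmd):
    """schtasks /create on a 15-minute-or-faster schedule that runs a script host or the Public profile."""
    c = cmd.lower()
    if "schtasks" not in c or "/create" not in c:
        return False
    m = re.search(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", c)
    if not m or int(m.group(1) or 1) > 15:
        return False
    tr = re.search(r'/tr\s+("[^"]*"|\S+)', c)
    action = tr.group(1) if tr else ""
    return any(h in action for h in ("wscript", "cscript", "powershell")) or r"\users\public" in action

def evasive_powershell(parent, cmd):
    """PowerShell spawned by a script host, or -nop/-noexit with a Base64 decode fed to iex."""
    c = cmd.lower()
    if "powershell" not in c:
        return False
    if parent.lower() in ("wscript.exe", "cscript.exe"):
        return True
    return "-nop" in c and "-noexit" in c and "iex" in c and "frombase64string" in c

def triage(events):
    """Return (rule, image) for every event that trips one of the rules above."""
    hits = []
    for parent, image, cmd in events:
        p, i, c = parent.lower(), image.lower(), cmd.lower()
        checks = (
            ("schtasks_short_interval", short_interval_task(cmd)),
            ("powershell_evasive", evasive_powershell(parent, cmd)),
            ("msbuild_child_of_powershell", i == "msbuild.exe" and p == "powershell.exe"),
            ("script_host_from_public", i in ("wscript.exe", "cscript.exe") and r"\users\public\libraries" in c),
        )
        hits += [(name, image) for name, ok in checks if ok]
    return hits
```

The benign -NoProfile backup job and the daily task stay quiet, which is the point: the combination of interval, action and parent is what separates this loader from admin scripting.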
I’ve covered a dozen Formbook waves—each time, the obfuscation layers thicken, but the core’s lazy. AsmDB? That’s MahdiSafsafi’s inline asm lib, open-source gold for malware authors. Free tools making pros look amateur.
Why Does This Matter for Your Next Phishing Email?
Phishing RARs aren’t going extinct. Windows still runs WSH like it’s 2005—ActiveX, ADODB.Stream, fso.CopyFile. No sandbox by default. Enterprise? Sure, AppLocker or WDAC might block, but home users? Clickbait city.
Bold call: expect Formbook campaigns to double in Q2. Low detection means high ROI for the actors. They’re not innovating; they’re iterating on what works. PR spin from AV vendors? “We’ve updated signatures!” Yeah, until the next blob.
Drop the fake PNGs in a disassembler sometime—pure theater. AES-CBC-PKCS7, hardcoded keys (rotate ‘em next time, geniuses). PowerShell decrypt loop splits lines, executes each. Modular, resilient.
Final payload SHA256 fdcfbb67d7e996e606963ac96a4a1b14e7070e1e88d210b2f567e3d40541b7b7—Formbook v5-ish, grabbing browser data, crypto wallets. Your bank’s next if you’re sloppy.
Cynical truth: Security’s a cat-and-mouse farce. This JS loader’s not revolutionary—it’s effective because we’re still clicking RARs. Train users, block WSH, hunt behaviors. Or don’t. More stories for me.
Frequently Asked Questions
What is Formbook malware?
Formbook’s an info stealer sold as malware-as-a-service—it has been snagging passwords, keystrokes and screenshots since 2016, and its operators cash in on the stolen creds and crypto.
How does obfuscated JavaScript deliver malware like this?
It uses Windows Script Host for persistence (scheduled tasks), drops encrypted blobs in fake files, chains to PowerShell for decryption and injection into legit processes like MSBuild.
Can antivirus detect this obfuscated JS from phishing?
Only 15/70 on VirusTotal right now—relies on static sigs. Behavioral detection or EDR catches the injections, evasion patches better.