
Researchers find a new malware-friendly hosting site after a spike in attacks


NelsonG


Security researchers have traced a recent spike in FormBook infections to a new file-hosting service that’s been billed as a place for hackers to host their malware.

Deep Instinct analysts say in new findings out Tuesday that the resurgence in FormBook malware, used as part of password and information stealing campaigns currently targeting the retail and hospitality sectors, can be traced back to the newly discovered malware-friendly site that hosts the second-stage dropper used to infect a computer with malicious code after the user opens a booby-trapped document.

The researchers say the site, DropMyBin, was created just over a week ago, and is protected by Cloudflare, masking its real-world location.

“Within days of going live it became a hornets nest of malware,” said Shimon Noam Oren, head of threat research at Deep Instinct, in an email to TechCrunch.

FormBook goes back to 2016 when it was first used to target aerospace and defense contractors in the U.S. and South Korea. Since then, the malware has continued to infect sporadically but has remained largely under the radar.

The team also found several other families of malware hosted on the site, including other trojans like AZORult, and the Lokibot trojan for Android devices.

“We wouldn’t be surprised to find more info-stealers and spyware there,” said Oren.


DropMyBin, a hosting service that threat actors are using to host malware (Screenshot: TechCrunch)

The researchers say the site offers threat actors reliability, whereas traditional file-sharing sites often nix or delete files from their systems once they are detected as malware. DropMyBin was advertised and promoted on Hack Forums, a popular hacker forum, as a “high quality” site that offers “direct downloads” — ideal for linking to malware. The site’s functionality has a “clear invitation to use the service to host malware,” according to the researchers, even though malware is expressly forbidden on the site. DropMyBin promises to keep “all works” for “at least 30 day [sic],” the FAQ reads, and the site doesn’t “collect or log any data of our users in respect for privacy.”

Anyone who wants to use the service for sharing malware can upload their malware, “no questions asked,” the researcher said.

“We strongly suggest employing a zero-trust policy with respect to the service DropMyBin until other information becomes available,” the researchers said.

