Monday, November 25, 2024
HomeComputer SecurityFORMBOOK Malware Delivered via Weaponized RTF Word Docs - Using CVE-2017-11882

FORMBOOK Malware Delivered via Weaponized RTF Word Docs – Using CVE-2017-11882

Published on

Formbook campaign with what looks like a few changes. Recently the criminals distributing this malware have been using .exe files inside various forms of an archive, including .iso, .ace, .rar. , zip.

Frequently they use various Microsoft Office Equation Editor exploits to contact a remote site & download the payload. Very occasionally I have seen Macros used.

Today, they are still using CVE-2017-11882  Equation Editor Exploit in malformed RTF word docs to deliver the malware. But the method has slightly changed with a massive 2mb word doc that when opened only displays a couple of words and a small empty box. 

- Advertisement - SIEM as a Service
FORMBOOK

Capabilities – Formbook

FormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any extensions or plug-ins. Its capabilities include: 

  • Key logging
  • Clipboard monitoring
  • Grabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests 
  • Grabbing passwords from browsers and email clients 
  • Screenshots 

FormBook can receive the following remote commands from the CnC server 

  • Update bot on host system
  • Download and execute file
  • Remove bot from host system
  • Launch a command via ShellExecute
  • Clear browser cookies
  • Reboot system
  • Shutdown system
  • Collect passwords and create a screenshot
  • Download and unpack ZIP archive

Behavior of this Campaign

It has various behaviors like, persistence, Process Injection, Packer, Function Hooks, Startup, Beaconing. If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse  .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.

1.) Formbook was detected
2.) Loads dropped or rewritten executable
3.) Stealing of credential data
4.) Changes the autorun value in the registry
5.) Actions looks like stealing of personal data
6.) Application was dropped or rewritten from another process
7.) Connects to CnC server
8.) Equation Editor starts application (CVE-2017-11882)
9.) Executable content was dropped or overwritten
10.) Starts application with an unusual extension
11.) Application launched itself
12.) Reads the machine GUID from the registry

FORMBOOK
FIG: Infection Process

Indicators of Compromise

Main object- "Payment.doc"
0d62d21657b4b9457ea2a8fe53eba2e443eeda014f012dd555971d0128f48c73
7b19505810e5f4091492718313fa0a434338601f
dd6ce4eba8b91a31ac0f2ef7ad5d0c1b
 
Dropped executable file
sha256 C:\Users\admin\AppData\Local\Temp\A.R
Hash 7ee6e33e212e08a910b92140ec61a4a746f9ca37d9aaa66f54f485c5cd52653c
sha256 C:\Users\admin\AppData\Local\Temp\sqlite3.dll Hash 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Targetted Malware Campaigns to Steal Cookies and Passwords – FormBook

Hackers Distributing Variety of New Exploits and Malware via Microsoft Office Document Exploit Kit

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...